PENETRATION TESTING GUIDE. 1

Transcription

1 PENETRATION TESTING GUIDE 1

2 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a penetration test differ from an automated vulnerability scan?... 3 What are the goals of a... 3 Why should we have a penetration test performed?... 3 What should we expect from the penetration testing process?... 4 Is testing disruptive to our environment? Will our systems go down?... 4 How often should we do a... 4 How is the scope defined for a... 4 What qualifications should the penetration testing team possess?... 5 What documentation should I expect to receive when the testing is complete?... 5 How do we prepare for a... 5 We have our website hosted with a third party. Should we test it?... 5 Should we fix all of the vulnerabilities that are reported?... 5 What are typical costs for a... 6 How much time is needed to perform a typical... 6 Can we do our own penetration testing?... 6 My customer wants to see the results of our penetration test. Should I share the results with outside parties?... 7 What are the different kinds of penetration tests?

3 What is a A penetration test is a study of the effect of vulnerability against a target or targets. The targets can consist of systems, networks, applications or people or any combination of these. During a penetration test, we assume the identity of an attacker and attempt to gain unauthorized access, and through a series of attacks, expand our influence over our target of evaluation. A penetration test measures the effectiveness of security controls while being flexible enough to adapt as obstacles present themselves. What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about? The terms Ethical Hacking and Penetration Testing are synonymous. Each refer to a sanctioned assessment of security controls through an active attempt to subvert said controls. Ethical Hackers are skilled in the same disciplines that actual cyber hackers (criminals) are skilled in. By leveraging this unique skill set it is possible to get a hackers eye view of your environment. How does a penetration test differ from an automated vulnerability scan? The main difference between vulnerability scans and penetration tests is that penetration tests are adaptive, contextual and multidimensional in approach where vulnerability scans are far less aware and non-adaptive. But where vulnerability scans lack in the way of context, they make up for in the form of comprehensiveness. If vulnerability scan data were available to a penetration test, this information could surely provide valuable intelligence that then could be used in more sophisticated attacks that would not be possible if a vulnerability scan were used alone. Both solutions are necessary for a truly mature approach. What are the goals of a The goals of a penetration test are not set in stone, but are instead determined on a case-by-case basis. The penetration tester will meet with the client before the onset of an engagement to gage the client s goals. At the most rudimentary level the goal is to gain access to some network, system or application, in a manner that is covert and ultimately proves a genuine risk to a loss of confidentiality or integrity of sensitive data. If no specific goals are set we will typically attempt to get in and escalate our influence to that of a Domain Admin (assuming the environment is a Microsoft Active Directory environment). Why should we have a penetration test performed? The information security threat landscape is ever evolving, and simple passive methods of protection can not possibly keep up with new and existing threats. A vulnerability scan is very good at finding known flaws, and anti-virus / anti-malware detection is likewise good at finding known threats, but modern day threat actors are very good at exploiting what is not known. Despite an organization's best efforts to implement security controls, those controls are only as good as the sum of all of their parts, and it's just as easy to mis-configurable any one of these parts as it is to properly configure it. The penetration test, in a sense, is looking for that proverbial needle in the haystack. We seek to find the 1 or 2 issues within the larger interconnected web of controls, and see where each successful execution will lead. A successful security program is a combination of controls. 3

4 Those mis-configurations are out there, and what the professional penetration test will tell you is how well the entire security program, with all of its controls, is situated to detect and detain these threats when they appear. What should we expect from the penetration testing process? A penetration test is an uncontrolled process in that the penetration testers typically do not plan to interact very much with the target in a controlled way. Most tasks are subversive and covert in nature, and therefore must remain as uncontrolled as possible. If the penetration test target is an internal network, then a staged system (a dropbox) is typically deployed. This too can be done in a covert manner as part of a physical penetration test, or could be placed on the network ahead of the initiation of the test by the customer. Testing will commence, and once all testing activities are completed, reports will be generated and delivered to the customer. There will typically be a debriefing and a chance for customer comments. Any changes to the draft reports will be made and delivered. Sometimes penetration testers will be asked to validate corrective action measures and sometimes a customer might commission a full retest after a full mitigation plan has been executed. Is testing disruptive to our environment? Will our systems go down? Because penetration testing is largely a manual process, the penetration tester has full control of what is done within the target of evaluation. It is generally not very useful to a penetration tester to introduce a denial of service condition since one of the primary goals of a penetration test is to be covert. The penetration test alone is extremely unlikely to cause any service disruptions unless that is something the client decides to include as part of the testing parameters (which is extremely rare). How often should we do a Network and Application penetration tests are often performed minimally once every year. Certain information security standards call for it to be done more often when major changes occur within the network, when application upgrades occur or when infrastructure or architecture changes significantly (see PCI requirement 11.3). Additionally, many of our customers require any newly acquired software be tested before being put into production. This includes cloud based SaaS and PaaS model applications. This is a very important point since much of our sensitive data is moving into the the cloud. This move might remove some responsibility, but it does not automatically remove the threats to the asset, and might even introduce new threats. How is the scope defined for a Scope is mutually agreed upon between the client and the penetration tester and can vary significantly in size anywhere between 1 system to 1 network or a number of networks. The scope will be contingent on the goals the client is set for the penetration test. 4

5 What qualifications should the penetration testing team possess? Penetration testing teams should contain multiple disciplines but most commonly a strong networking and program focus is necessary to achieve the desired results. Much of what separates a good penetration test from a mediocre one is mindset. A penetration tester has a unique perspective when presented with a set of facts. Most people see what is meant to be seen while the penetration tester is capable of seeing what is there, but hidden. Since these soft-skills are hard to quantify it is necessary to interview the penetration tester to gain a feel for the breadth of his/her experience. Check their resume and their references before you buy. What documentation should I expect to receive when the testing is complete? At a minimum the penetration tester should deliver an executive summary of findings which includes an overview of what was accomplished and what if any major issues were uncovered. This should be followed by a detailed summary report that outlines each issue uncovered, an assessment of risk for each issue with some context explaining how the risk rating was chosen and with recommended corrective actions clearly outlined. A full walkthrough of the penetration exercise should be included where relevant. Oftentimes additional reports might also be delivered to support the findings in the summary reports. For instance, it is common to run vulnerability scans during a penetration test, and those scan reports might be delivered under separate cover. How do we prepare for a How Much or how little you prepare for a penetration test will again depend on the goals and scope defined for a specific test. We typically recommend that you use the penetration test to validate your incident preparedness and therefore the less you prepare the better. That said, there are certainly some tests that call for a greater amount of preparation. For instance if the target is a web application, there will be a need to provision accounts and it probably makes sense to provide a demonstration of the functionality of the application. We have our website hosted with a third party. Should we test it? Unequivocally Yes! The fact that the web site is hosted at a third party means that there are potential threats outside of your control. What if an attacker could access the web server management interface? Without question you should test your hosted applications. Should we fix all of the vulnerabilities that are reported? All vulnerabilities should be addressed. For any identified issue there will be a degree of risk associated with the finding. We attempt to apply as much relevant context to each finding, and certainly high-risk issues should be addressed in an expedient manner. Sometimes there are a large number of findings, particularly when automated vulnerability scans are run as part of the penetration test. Once you receive all of your reports, a 5

6 mitigation plan should be put in place, and each of the reported vulnerabilities should be addressed as part of the plan. For any vulnerability there are only 5 possible ways to address the issue: (1) Apply a vendor patch, (2) reconfigure a piece of software, (3) turn the affected service or server off, (4) apply a mitigating control (such as a firewall) to reduce risk or (5) simply choose to accept the risk (which in some cases might be a perfectly reasonable option). What are typical costs for a The cost for penetration testing varies greatly. A number of factors are used to determine pricing including, but not limited to the scope of the project, the size of the environment, the quantity of systems, and the frequency of testing. It is critical to have a detailed scoping meeting to produce a very clear understanding of the needs, and develop a statement of work prior to engaging any penetration test. Ideally a penetration test should be performed on a xed-fee basis to eliminate any unexpected costs or unplanned expenditures. The quoted fee should include all labor and required testing tools. Statements of work that only provide estimates of the work effort should not be entertained. How much time is needed to perform a typical penetration test? Adequate time should be reserved in advance of testing for planning activities. Additional time should be allocated after testing for report development and subsequent review meetings including remediation discussions. The entire effort varies greatly based on the size and complexity of the penetration test. The larger or more complex the environment is, the more effort is required. The duration of the test, however, is very controllable. The duration of the test should be compressed to ensure a good, representative view of the environment at a given point in time. Generally speaking, two to four weeks is a good estimate for the duration of the entire engagement from planning through delivery. Can we do our own penetration testing? Typically, no, but it s not inconceivable. Many large organizations like major banks and the government agencies do their own internal penetration testing (often called Red Team testing or Red Team / Blue Team testing), but these organizations typically have information security budgets in excess of $1,000,000, and even these organizations will often augment their staff with 3rd party tests to gain a fresh perspective from time to time. The decision to insource or outsource the penetration test function typically comes down to if you have qualified individuals on staff to perform the test. Most professional penetration testers have a burden on them to remain current with modern attack techniques and this typically will require penetration testing to be a full time job, so to successfully conduct insourced penetration tests it is usually best to have dedicated staff whose only job is offensive security. 6

7 My customer wants to see the results of our penetration test. Should I share the results with outside parties? The penetration test can be a very powerful marketing tool. It shows your sense of due diligence, and can often help ease concerns your customers might have about cyber security. In this day and age there is a heightened awareness of cyber threats in the public. Hardly a day goes by that you don t read about some high-profile news story that involved some sort of cyber crime. It ultimately is a business decision as to whether you disclose the results of a penetration test, but if you do decide to provide a copy of the penetration test findings, the penetration testing firm should provide an executive summary that s high-level enough to be presented to interested 3rd parties without disclosing any sensitive information. What are the different kinds of penetration tests? There are several different flavors of penetration tests and each address different threats. External Network Penetration Test External network penetration tests are focused on the exposed network perimeter. This is typically the best defended as it is exposed to everyone on the Internet. A weakness here could expose the internal network to attack. Perimeter networks must be fully protected at all times as they are under constant pressure from adversaries. The goal of the external network penetration test is typically to gain a foothold inside the DMZ or corporate network or to find some method of exfiltrating data via the exposed services available from the Internet. Internal Network Penetration Test The Internal penetration test is focused on simulating what risk a rogue system would pose to the enterprise. This simulation would typically employ a dropbox (unsanctioned computer with lots of tools on it) but would also be able to simulate the potential exposure to a sophisticated piece of malware or an advanced persistent threat. The goal of the internal penetration test is to find weaknesses at the network or host level that will allow the penetration tester to establish a command and control and to ultimately gain full administrative rights over the networks and systems on the network. Application Penetration Test Application penetration tests look at the controls of an application (typically a web application) that houses sensitive information. When testing an application the penetration tester will want to assess the way the authentication and authorization is handled. The penetration tester will also be focused on how the application maintains session management and tenant segregation. Logic flaws will be identified and tested along with common web based attack vectors such as injection flaws and buffer overruns. Finally, a review of the web server itself will typically be included with specific emphasis on attacks against any content management software that might be exposed. Testing web applications will typically require 2 or more sets of credentials and careful coordination with application custodians before and sometimes during the test. 7

8 Physical Penetration Test During a physical penetration test the penetration tester will attempt to gain unauthorized access to an office space with the goal of testing physical controls such as doors, windows, security personnel and physical network connections. The ultimate goal of physical test is to install some device that can then be accessed externally and be used to initiate network and system attacks against the internal network; basically, the goal is to place the dropbox that can then be used to conduct the internal network penetration test. Social Engineering Test A Social Engineering test is an attempt to attack the weakest link in the the information security program: the user. During a social engineering test several methods could be deployed to either gain the trust of a user, or to simply trick them into doing something they should never do. The social engineering test is really a test of the corporate security awareness initiative. Some vectors of attack include: phishing s, spare phishing s, spoofing, phone calls, and USB drops. The goal of a social engineering campaign is typically to trick one or more users into relinquishing their credentials or to getting them to click and install malware. NOTE: malware is typically not installed, and instead click through rates are monitored. OUR TEAM OF ETHICAL HACKERS WILL SHOW YOU WHERE YOUR VULNERABILITIES ARE WHETHER IT S AT THE NETWORK OR APPLICATION LAYER. OUR TEAM HAS YEARS OF EXPERIENCE SUCCESSFULLY HACKING THE MOST COMPLEX SYSTEMS AND NETWORKS. 8