MAXIMIZING THE VALUE OF YOUR NETWORK PENETRATION TESTS. Jay Ferron. CEHi, CISSP, CHFIi, C)PTEi, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM

Transcription

1 MAXIMIZING THE VALUE OF YOUR NETWORK PENETRATION TESTS Jay Ferron CEHi, CISSP, CHFIi, C)PTEi, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM blog.mir.net Phone

2 ADDENDA This session will help you understand how to increase the value of an external penetration test by more thoroughly vetting your pen-test vendor and setting business-centric goals for the assessment. Learn what questions to ask when choosing a pen-test vendor and see firsthand what a good and bad pen-test looks like. We will also discuss: Vulnerability scan vs. Pen test Define the scope and deliverable Penetration Testing Execution Standard (PTES) And Cheapest isn t the best!

3 WHAT IS PENETRATION TESTING OR "ETHICAL HACKING"? A penetration test or "ethical hack" evaluates an application's or network's ability to withstand attack. During a penetration test, you authorize an expert (or "ethical hacker") armed with the same techniques as today's cybercriminals to hack into your network or application. Such an exercise will open your eyes to vulnerabilities you didn't know existed and the effects of exploitation.

4 HOW DOES PEN TESTING DIFFER FROM VULNERABILITY SCANNING? Vulnerability scanning evaluates a system for potential vulnerabilities or weak configurations, is largely automated and can only ever find a subset of security issues. Penetration testing, on the other hand, is a manual process performed by a human. A penetration tester will use tools as a part of their work, but they apply their human ingenuity to exploit vulnerabilities and illustrate what an attacker might be capable of when targeting a particular system.

5 KINDS OF PEN TEST White Team Red Team Black Hat

6 TYPES OF TESTS Social Engineering Physical Technical Procedural

7 PENETRATION TESTING Internal Network Basic Opportunistic Targeted Advanced includes password analysis External Network Basic Opportunistic Targeted includes limited phishing exercise Advanced includes social engineering exercise

8 TYPES OF TESTS Simulates the most common attacks executed in the wild today. This class of attacker typically uses freely-available, automated attack tools.

9 OPPORTUNISTIC THREAT Builds upon the basic threat and simulates an opportunistic attack executed by a skilled attacker that does not spend an extensive amount of time executing highly sophisticated attacks. This type of attacker seeks easy targets ( low-hanging fruit ) and will use a mix of automated tools and manual exploitation to penetrate their targets.

10 TARGETED THREAT Simulates a targeted attack executed by a skilled, patient attacker that has targeted a specific organization. This class of attacker will expend significant resources and effort trying to compromise an organization's systems.

11 ADVANCED THREAT Simulates an advanced attack executed by a highly motivated, well-funded and extremely sophisticated attacker who will exhaust all options for compromise before relenting.

12 HAVE YOU DETERMINED YOUR BUSINESS RISK PROFILE? How do you do this? Do you have a idea of your current footprint look like? What services are you offering to the outside world Web Site Payment Sites VPN??? Do you have a Network Map? Is accurate? Has it changed

13 WHAT ARE YOU TRYING TO PROTECT? DATA Your JOB Company Reputation Not to be on Privacyrights.org Not to be on the front page of the NY time or CNN News

14 ALTHOUGH UTILITIES CANNOT PREDICT A CYBERATTACK, THERE IS NO QUESTION THAT THEY SHOULD AT LEAST BE READY. Security rating company BitSight Technologies has released a report in which utilities rank the worst -- warning of the threat of botnets and examining the link between botnets and publicly disclosed data breaches in various industries. The study focused on publiclydisclosed breaches because these have the greatest impact to organizations in terms of personally identifiable information (PII) loss, subsequent customer notification, forensic investigation, and damage to reputation. In particular, the report revealed that companies with a botnet grade of 'B' or lower are more than twice as likely to experience a publicly disclosed data breach.

15 HOW MUCH CAN A DATA BREACH COST YOUR ORGANIZATION? Average Organizational Cost of a Data Breach $5.4 million $5.9 million Estimated Cost of a General Data Breach $191 per compromised record $ 201 per compromised record Data loss resulting from a malicious or criminal attack yielded the highest cost at an average of $201 per compromised record, followed by system glitches and employee mistakes resulting in a average per record cost of $171 and $160, respectively. * According to data gathered from breached organizations.

16 DEFINE THE SCOPE AND DELIVERABLE The Who The What The When They Why The How The Stops The Findings When to repeat

17 PENETRATION TESTING EXECUTION STANDARD (PTES) The penetration testing execution standard consists of seven (7) main sections. These cover everything related to a penetration test - from the initial communication and reasoning behind a pentest, through the intelligence gathering and threat modeling phases where testers are working behind the scenes in order to get a better understanding of the tested organization, through vulnerability research, exploitation and post exploitation, where the technical security expertise of the testers come to play and combine with the business understanding of the engagement, and finally to the reporting, which captures the entire process, in a manner that makes sense to the customer and provides the most value to it.

18 PROCESS STEPS Pre-engagement Interactions Intelligence Gathering Threat Modeling Vulnerability Analysis Exploitation Post Exploitation Reporting

19 GUIDES AND TOOLS

20 TOOLS DEMOS LANguard Nessus Kali Linux Social Engineering Tool Kit

21 BUILD SECURITY INTO IT PROJECTS 77% % of IT pros have been pressured to unveil IT projects that were not security ready.

22 REDUCE THE RISK Vulnerabilities in databases, networks and applications Introduce security weaknesses that can increase your data breach risk. 81% of Businesses failed to detect data breaches themselves in 2014.

23 SECURE YOUR INTERNET OF THINGS Many internet of things devices that lacked often times basic security controls. Consumer and business products shouldn t hit the shelves before they're tested for security vulnerabilities.

24 PROTECT YOUR WEB APPS 98% of web applications tested were vulnerable with a median number of 20 vulnerabilities per application

25 MOBILE APPS 92% of mobile applications tested by 3 rd party companies were vulnerable.

26 Same risks different locations THE CLOUD

27 QUESTIONS Jay Ferron blog.mir.net Phone