Penetration Testing in Romania

Transcription

1 Penetration Testing in Romania Adrian Furtunǎ, Ph.D. 11 October 2011 Romanian IT&C Security Forum

2 Agenda About penetration testing Examples Q & A 2

3 What is penetration testing? Method for evaluating the security of an information system or network by simulating attacks from malicious outsiders or insiders. Related terms: Penetration testing Pentesting Ethical hacking Tiger Teaming Red Teaming (RO: teste de penetrare, teste de intruziune) Penetration testing is not Vulnerability assessment Penetration testing is: authorized adversary-based ethical (for defensive purposes) 3

4 Penetration testing by example Threats Vulnerabilities Assets Risks Vulnerable? Exploitable? External attacker - hacker - industrial espionage - organized crime Internal attacker - malicious employee - collaborator - consultant - visitor Insufficient input validation Insecure session configuration Application logic flaws Insecure server configuration Internet Banking application SQL injection OS command execution Authentication bypass Cross Site Scripting Directory browsing H H H M M Password autocomplete L 4

5 Motivation. Why? When? Verify the effectiveness of protection mechanisms implemented Application security mechanisms Server configurations Network configurations Employee security awareness Physical security Test the ability of system defenders to detect and respond to attacks Obtain a reliable basis for investments in security personnel and technology Required by ISO 27001, PCI DSS, etc As part of risk assessment for risk identification and quantification As part of ongoing/periodic security assessment Before a new system is put in production In the development phase of a new system 5

6 Penetration testing objectives and targets (examples) External penetration test: Test the security of internet banking / mobile banking apps Evaluate the security of internet facing applications Perform fraudulent transactions in online shops Access personal data in online medical applications Gain physical access to company building and install rogue access point Internal penetration test: Obtain access to database server containing customer information Gain control of Active Directory Obtain administrative access to ERP application Gain access to company assets (sensitive files, project plans, intellectual property) 6

7 Penetration testing types According to attacker s location: Test type External pentest Internal pentest Simulated threats Hackers, corporate espionage, terrorists, organized crime Malicious employee, collaborator, consultant, visitor According to attacker s initial information: Black box test Gray box test White box test Hackers, organized crime, terrorists, visitors Consultants, corporate espionage, business partner, regular employees Malicious system administrators, developers, consultants According to the attacks performed: - pure technical - social engineering - denial of service 7

8 How? Information gathering Create attack trees Prepare tools Perform collaborative attacks Identify vulnerabilities Exploit vulnerabilities Extract sensitive data Gain system access Escalate privileges Pivot to other systems Write the report 8

9 Automated vs. Manual Automated testing: Configure scanner Run scanner & wait for results (Validate findings where possible) Deliver report to client Manual testing: Use tools as helpers only Validate findings by exploitation (no false positives) Dig for sensitive data, escalate privileges, gain access to other systems Model and simulate real threats: simulate attacker s way of thinking, consider attacker s resources, knowledge, culture, motivation Several manual tests for exploitation of specific vulnerabilities Strict control, logging, quick feedback Interpret the findings according to business impact 9

10 Resources Dedicated machines Dedicated network Software tools: In-house developed Open source Commercial Dedicated workspace (IT Security Laboratory) Protect client data Logging facility 10

11 Limitations Timeframe Budget Resources Personnel awareness All software vulnerabilities Known Vulnerabilities Things change Does not discover all vulnerabilities but reduces the number of vulnerabilities that could be found by high skilled attackers having similar resources and knowledge 11

12 Reporting Executive summary Overview Key findings High-level observations Risk matrix Technical report Findings Risks Recommendations Present report to client 12

13 Standards, Certifications and Knowledge Security testing standards: OSSTMM - Open Source Security Testing Methodology Manual NIST The National Institute of Standards and Technology Special Publication OWASP - The Open Web Application Security Project Certifications: Knowledge: Offensive Security OSCE, OSCP, OSWP ISECOM OPST SANS GPEN, GWAPT EC-Council LPT, CEH CHECK Team Leader, Team Member CREST Registered Tester, Certified Tester System administration Network administration Software development Quality assurance / software testing 13

14 Examples (1): Outdated CMS allows unauthorized file upload 14

15 Examples (2): Arbitrary file download 15

16 Example (3): Gaining access to development servers 16

17 Example (4): Application logic flaw 17

18 Example (5): Social engineering 18

19 Example (6): Gaining root access 19

20 Thank you! Questions? Adrian Furtunǎ, Ph.D.