How To Test For Security On A Network Without Being Hacked

Transcription

1 A Simple Guide to Successful Penetration Testing

2 Table of Contents Penetration Testing, Simplified. Scanning is Not Testing. Test Well. Test Often. Pen Test to Avoid a Mess. Six-phase Methodology. A Few Key Takeaways! 2

3 Penetration Testing, Simplified. Permission to pen test ma am How effective are your existing security controls against a skilled adversary? Discover the answer with penetration testing. The main difference between a penetration test and an attacker is permission. A hacker simply won t ask for permission when trying to expose your critical systems and assets, so pen test to protect. A pen test is not just a hacking exercise. It s an essential part of your complete risk assessment strategy. 3

4 Scanning is not Testing. If you re confused about the difference between penetration testing and vulnerability scanning, don t worry you re not alone. The two are related, but pen testing emphasizes gaining as much access as possible, while scanning focuses on identifying areas that are vulnerable to an attack. A person conducting a vulnerability scan will stop just before compromising a target, but a pen tester will go as far as he or she can. 4

5 Test Well. Penetration tests are typically performed using manual or automated technologies to systematically compromise varying vectors, such as servers, endpoints, web apps, wireless networks, network devices, mobile devices, and other potential points of exposure. Historically, pen testing has implied simply breaking through a network firewall, but it has evolved beyond just getting inside. Modern pen testing solutions allow you to see what damage an attacker can actually do once inside your network. The possibilities are seemingly endless; pivoting from web apps to databases to end-user devices, intercepting Wi-Fi traffic, etc. So, testing all these vectors is required for any successful pen testing program. Pivoting across systems, devices, and applications (vectors) establishes a new source of attack on the compromised target, revealing how chains of exploitable vulnerabilities open paths to your organization s critical systems and data. 5

6 Test Often. It s a good idea to test at regular intervals; after all you wouldn t skip your own checkup, right? Penetration testing should be performed on a regular basis to create a more consistent and lower-risk security program. In addition to regularly scheduled analysis and assessments required by regulatory mandates, test when: New network infrastructure or applications are added Significant upgrades or modifications are applied to infrastructure or applications New office locations are established Security patches are applied End user policies are modified 6

7 Pen Test to Avoid a Mess. Intelligently manage vulnerabilities Through penetration testing, you can proactively identify the most exploitable vulnerabilities and eliminate false positives. This allows your organization to prioritize remediation efforts, apply needed security patches, and efficiently allocate security resources. Avoid the cost of network downtime Recovering from a security breach can cost your organization big time customer protection and retention, legal activities, discouraged business partners, lowered employee productivity, and reduced revenue just to name a few pitfalls. Pen testing helps you avoid these financial drawbacks by identifying and addressing risks before attacks or security breaches occur. Meet regulatory requirements and avoid fines Penetration testing helps organizations address regulatory requirements such as PCI- DSS. This can be a formidable task requiring a combination of resources, time, and a little bit of planning. Detailed reports showing test results and validating remediation efforts can help you avoid significant fines for non-compliance and allow you to illustrate ongoing due diligence to assessors. Preserve corporate image and customer loyalty Even a single incident of compromised customer data can be costly in terms of lost revenue and a tarnished brand image. With customer retention costs higher than ever, no one wants to lose the loyal users that they ve worked hard to earn, and data breaches are likely to impact new business efforts. Penetration testing helps you dodge these avoidable incidents that put your organization s reputation and trustworthiness at stake. 7

8 A pen test can be broadly carried out by following a sixphase methodology: Planning and Preparation, Discovery, Penetration PENETRATION TESTING METHODOLOGY Attempt, Analysis and Reporting, Clean Up, and finally Remediation. Pen testing is not a guessing game. " Like everything in information security, there s a process. 8

9 Planning and Preparation Clear goals equal clear results Meet with your team to discuss the scope, objective, and who will be involved in the testing. Before diving in, you must decide on a clear objective and of course get authorization from IT operations. Scoping After setting a distinct goal, such as exploiting recently discovered vulnerabilities in your shiny new HR application, the next action is scoping. Identify the machines, systems and network, operational requirements and the staff involved. The way in which the pen test results will be illustrated should also be decided. Discussing timing and coordinating with IT operations is vital, as it will ensure that while the penetration tests are being conducted, business as usual remains business as usual. Discovery Obtain open, accessible data from your targets. It s time to get vulnerable! During this phase, the team performs reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target. There are many ways to gather this data and it depends on the target (Network, Web, or Client). Network Discovery: Attempt to discover additional systems, servers, and devices Host Discovery: Determine open ports on these devices Service Interrogation: Interrogate ports to find actual services running on them A penetration tester will most likely use automated tools to scan target assets for known vulnerabilities. These tools will most likely have their own databases detailing the latest vulnerabilities. Completion of this vulnerability assessment will produce a list of targets to investigate in depth. Sometimes the results from these scans can be overwhelming, with thousands or even tens of thousands of assets and vulnerabilities. So, it s important to ensure you have effective prioritization methods in place that can provide contextual information behind these vulnerabilities to equip you with the information you need to make a decision on what to test first. 9

10 Penetration Attempt Exploit-a-thon. Knowing a vulnerability exists on a target doesn t necessarily mean it can be exploited easily. So, it s not always possible to successfully penetrate even if it is theoretically possible. Exploits that do exist should be tested on the target before conducting any other tests. Once vulnerabilities have been successfully exploited on a particular system, testers may attempt to use the compromised system to launch subsequent exploits on other internal resources. Very often this is achieved through higher levels of security clearance and information via privilege escalation. The penetration attempts don t end here. Organized social engineering campaigns with phishing s can also be effective at gauging employee awareness, the impact of their behavior, and adherence to existing security controls. Analysis and Reporting So, tell us all what you found. The report should start with an overview of the penetration testing process, followed by an analysis of high-risk vulnerabilities. These critical vulnerabilities are addressed first with lower-risk vulnerabilities following in suit. To strengthen the decision making process, vulnerability prioritization is a must. Organizations may accept the risk incurred from less critical vulnerabilities and focus on fixing the most critical that could negatively impact business processes. The other contents of the report should be as follows: Summary of successful penetration scenarios Detailed listing of information gathered during penetration testing Detailed listing of vulnerabilities found Description of all vulnerabilities found Suggestions and techniques to resolve vulnerabilities found 10

11 Clean Up Go Clean Your Room! Unfortunately, messes can happen as a result of pen testing. A detailed and exact list of actions performed during the penetration test should be recorded. Compromised hosts should be restored to their original state, so they don t negatively impact the organization s operations. This activity should be verified by the staff to ensure it has been done successfully. Poor practices and improperly documented actions during a penetration test will result in a long, painful clean up process. Remediation Patch it up. Patching is vital. The final phase of the six-phase penetration testing methodology is all about remediation. Once the testing exercises have been completed on the target systems, all available patches should be deployed according to the criticality of the vulnerability. The vulnerability reports resulting from the previous phase will show exactly which exploits were executed, the host they were found on, and the name of the vulnerability (CVE) if there is one. After patches have been deployed, it is a best practice to validate remediated vulnerabilities to ensure they were properly mitigated. All available patches should be deployed according to the criticality of the vulnerability. 11

12 Key Takeaways 1. Go beyond network testing, please. 2. Vulnerability scanning is not penetration testing. 3. Conduct penetration testing as often as necessary. 4. Follow the steps: Penetration testing is an art form, but it s vital to follow a methodology to ensure success. 5. When the penetration test is complete, make sure to clean up after yourself. 6. Remember to validate remediated vulnerabilities to ensure they were properly mitigated. 12

13 The value you can gain from conducting a penetration test is often dependent on your organization s choice in a partner. Core Impact Pro is the most comprehensive multi-vector solution for assessing and testing security vulnerabilities throughout your organization. Leveraging commercial-grade exploits, users can take security testing to the next level when assessing and validating security vulnerabilities. We can help you Think Like An Attacker and protect your most critical business assets. GET MORE INFO Share this ebook! 13