Penetration testing & Ethical Hacking. Security Week 2014

Transcription

1 Penetration testing & Ethical Hacking Security Week 2014

2 Agenda Penetration Testing Vulnerability Scanning Social engineering Security Services offered by Endava 2

3 3 Who I am Catanoi Maxim Information Security Consultant at Endava Certifications: EC-Council, Certified Ethical Hacker EC-Council, Certified Security Analyst EC-Council, Licensed Penetration Tester SANS/GIAC Penetration Tester PCI-DSS, PCI Professional (Payment Card Industry) Over 10 years of experience in IT Security

4 4 What is a Penetration Testing? A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source

5 5 Why Penetration Testing? Find Holes Now Before Somebody Else Does To make a point to decision makers about the need for action or resources Real-world proof of need for action Report Problems to Management Evaluate efficiency of security protection Security Training For Network Staff Discover Gaps In Compliance Testing New Technology Adopt best practice by confirming to legal regulations

6 6 Penetration Testing types Network services test Client-side security test Application security test Passwords attack Wireless & Remote Access security test Social engineering test Physical security test

7 7 Penetration Testing area Data Application Host Internal network Perimeter Physical security Policies, procedures, and awareness Strong passwords, ACLs, backup and restore strategy Application hardening OS hardening, authentication, security update management, antivirus updates, auditing Network segments, NIDS Firewalls, boarder routers, VPNs with quarantine procedures Guards, locks, tracking devices Security policies, procedures, and education

8 8 Penetration Testing profile Black Box White Box External Internal Grey Box Destructive None-destructive Announced Unannounced

9 9 Penetration Testing methodology Proprietary methodologies: IBM ISS Found Stone EC-Council LPT Open source and public methodologies: OSSTIMM CISSP CISA CHECK OWASP

10 10 Penetration Testing flow Scope/Goal Definition Information Gathering Vulnerability Detection/Scanning Information Analysis and Planning Attack& Penetration/Privilege Escalation Result Analysis & Reporting. Clean-up REPEAT

11 11 LPT Penetration Testing roadmap

12 12 LPT Penetration Testing roadmap (cont)

13 13 Who should perform a Penetration Test? This is a highly manual process Art of finding an open door An qualified expert from outside holding recognized certifications like CEH, ECSA, CISSP, CISA, CHECK Networking TCP/IP contepts, cabling techniques Routers, firewalls, IDS Ethical Hacking techniques exploits, hacking tools, etc Databases Oracle, MSSQL, mysql Operation Systems Windows, Linux, Mainframe, Mac Wireless protocols Wifi, Bluetooth Web servers, mail servers, access devices Programming languages other

14 14 What makes a good Penetration Test Establishing the parameter for penetration test such as objectives and limitation Hiring skilled and experienced professional to perform the test Choosing suitable set of tests that balance cost and benefits Following a methodology with proper planning and documentation Documenting the result carefully and making it comprehensible for the client Stating the potential risk and findings clearly in the final report

15 15 Vulnerability Scanning standalone service An established process for identifying vulnerabilities on internal and external systems Reduce the likelihood of a vulnerability being exploited and potential compromise of a system component Internal vulnerability scans should be performed at least quarterly

16 16 How often? On regular basis, at least annually Internal penetration test External penetration test Vulnerability scanning at least quarterly New network infrastructure or applications are added Significant upgrades or modifications are applied to infrastructure or applications New office locations are established Security patches are applied End user policies are modified

17 17 Social Engineering The art of manipulating people so they give up confidential information.

18 18 Spoofing Bank Domain SPF record comertbank.md v=spf1 mx -all socbank.md v=spf1 ip4: a mx victoriabank.md v=spf1 ip4: /28 maib.md v=spf1 mx -all moldindconbank.com? bem.md v=spf1 mx ~all ecb.md? unibank.md v=spf1 a mx ip4: /32 ~all fincombank.com? energbank.com v=spf1 mx ip4: ~all procreditbank.md v=spf1 mx mx:mail.procredit.md -all bcr.md v=spf1 mx ip4: /24 -all eximbank.com v=spf1 ip4: ~all mobiasbanca.md v=spf1 ip4: a mx -all

19 19 SMS Spoofing SMS spoofing is a relatively new technology which uses the short message service (SMS), available on most mobile phones and personal digital assistants, to set who the message appears to come from by replacing the originating mobile number (Sender ID) with alphanumeric text Spoofing has both legitimate uses (setting the company name from which the message is being sent, setting your own mobile number, or a product name) and illegitimate uses (such as impersonating another person, company, product)

20 20 Call Spoofing Caller ID spoofing is the practice of causing the telephone network to indicate to the receiver of a call that the originator of the call is a station other than the true originating station

21 21 Security Services Offered by Endava Regular External and Internal Vulnerability Scans Regular Penetration Tests PCI-DSS Assessment Implementing ISO and/or ISO 9001 Standards Security Trainings Security Consultation Security Audits Custom Security Solution Intrusion Monitoring Solution 24/7 Incident responding team

22 22 Questions

23 23 The end Maxim Catanoi IT Security Consultant Tel Skype en_mcatanoi thank you