CISO's Guide to. Penetration Testing. James. S. Tiller. A Framework to Plan, Manage, and Maximize Benefits. CRC Press. Taylor & Francis Group

Transcription

1 CISO's Guide to Penetration Testing A Framework to Plan, Manage, and Maximize Benefits James S. Tiller CRC Press Taylor & Francis Group Boca Raton London New York CRC Press is an imprint of the Taylor & Francis Group, an Informs business AN AUERBACH BOOK

2 Contents Foreword xi Chapter 1: Getting Started 1 Audience How to Use This Book Chapter 2: Setting the Stage 9 Perspectives of Value Where Does Penetration Testing Fit? What Constitutes a Success? A Quick Look Back Hacking Impacts Resources Information Time Brand and Reputation The Hacker Types of Hackers Script Kiddies Independent Hackers Organized Hackers Sociology Motives Chapter 3: The Framework 39 Planning the Test Sound Operations Reconnaissance Enumeration Vulnerability Analysis Exploitation Final Analysis Deliverable Integration Chapter 4: The Business Perspective 51 Business Objectives Previous Test Results Building a Roadmap Business Challenges Security Drivers v

3 vi Contents Increasing Network Complexity Ensuring Corporate Value Lower Management Investment Business Consolidation Mobile Workforce Government Regulations and Standards Why Have the Test? Proof ofissue Limited Staffing and Capability Third-Party Perspective It Is All about Perspective Overall Expectations How Deep Is Deep Enough? One-Hole Wonder Today's Hole Chapter 5: Planning for a Controlled Attack.. 77 Inherent Limitations Time Money Determination Legal Restrictions Ethics Imposed Limitations Timing Is Everything Attack Type Source Point Required Knowledge Timing ofinformation Inter-net Web Authenticated Application Service Direct Access Multiphased Attacks Parallel Shared Parallel Isolated Series Shared Series Isolated Value ofmultiphase Testing Employing Multiphased Tests Teaming and Attack Structure Red Team Vulnerability Explanation Testing Focus Mitigation White Team

4 Contents Piggyback Attacks Reverse Impact Detection Blue Team Incident Response Vulnerability Impact Counterattack Team Communications Engagement Planner The Right Security Consultant Technologists Architects Ethics The Tester Logistics Agreements Downtime Issues System and Data Integrity Get Out of Jail Free Card Intermediates Partners Customers Service Providers Law Enforcement Chapter 6: Preparing Technical Preparation Attacking System Operating System Tools for a Hack Data Management and Protection Attacking Network Attacking Network Architecture Managing the Engagement Project Initiation Identify Sponsors Building the Teams Schedule and Milestones Tracking Escalation Customer Approval During the Project Status Reports Scope Management Deliverable Review Concluding the Engagement

5 Vlll Chapter 7: Reconnaissance Social Engineering Value Controlling Depth Help Desk Fraud Value Controlling Depth Prowling and Surfing Internal Relations and Collaboration Corporate IdentityAssumption Physical Security Observation Dumpster Diving Theft Internet Reconnaissance General Information Web Sites Social Networking Chapter 8: Enumeration Enumeration Techniques Connection Scanning SYN Scanning FIN Scanning Fragment Scanning TCP Reverse WENT Scanning FTP Bounce Scanning UDP Scanning ACK Scanning Soft Objective LookingAround or Attack? Elements ofenumeration Account Data Architecture Operating Systems Wireless Networks Applications Custom Applications Preparing for the Next Phase Chapter 9: Vulnerability Analysis Weighing the Vulnerability Source Points Obtained Data The Internet Vendors

6 Contents Alerts Service Packs Reporting Dilemma Chapter 10: Exploitation Intuitive Testing Evasion Threads and Groups Threads Groups Operating System,s Windows UNIX Password Crackers Rootkits Applications Web Applications Distributed Applications Customer Applications Wardialing Network Perimeter Network Nodes Services and Areas of Concern Services Services Started by Default Windows Ports Null Connection Remote Procedure Call (RPC) Simple Network Management Protocol (SNMP) Berkeley Internet Name Domain (BIND) Common Gateway Interface (CGI) Cleartext Services Network File System (NFS) Domain Name Service (DNS) File and Directory Permissions FTP and Telnet Internet Control Message Protocol (ICMP) IMAP and POP Network Architecture Chapter 11: The Deliverable Final Analysis Potential Analysis The Document Executive Summary Present Findings

7 X Contents Planning and Operations Vulnerability Ranking Process Mapping Recommendations Exceptions and Limitations Final Analysis Conclusion Overall Structure Aligning Findings Technical Measurement Severity Exposure Business Measurement Cost Risk Presentation Remedial Tactical Strategic Chapter 12: Integrating the Results 317 Integration Summary Mitigation Test Pilot Implement Validate Defense Planning Architecture Review Architecture Review Structure Awareness Training Awareness Program Incident Management Building a Team People Mission Constituency Organizational Structure Defining Services and Quality CERT Forms Security Policy Data Classification Organizational Security Conclusion Index 361