Infrastructure Security Assessment Methodology
January 2014
RSPS01 Version 2.1

RandomStorm - Security Assessment Methodology - RSPS01 Version 2.1-2014 - Page 1
Document Details

Any enquiries relating to this document should be addressed to the document author directly.

Reference: RSPS01 Version 2.1
Original Release: January 2014
Last Updated: January 2014
Author: Gavin Watson, gavin.watson@randomstorm.com, 07595 487 064
Table of Contents

Introduction 4
  Document Purpose 4
  Document Structure 4
Security Testing 5
  External Testing 5
  Internal Testing 5
  Black Box Testing 5
  White Box Testing 6
  Review Testing 6
Testing Methodology 7
  High Level Overview 7
  Initial Scoping 8
  Reconnaissance 8
    Network Traffic Analysis 8
    Port/Service Discovery 9
  Assessment 9
    Automated Vulnerability Assessment 9
    Manual Confirmation / Exploitation of Infrastructure Vulnerabilities 9
    Manual Confirmation / Exploitation of Web Application Vulnerabilities 10
    Brute-force / Wordlist Attacks 10
    Post Exploitation Techniques 10
    Operating System/Service Version NVD Cross-Reference 11
  Reporting 11
  Presentation 11
Appendix A - About RandomStorm 12
Appendix B - Professional Services 13
  Penetration Testing Team 13
  Compliance Team 13
  Web Application Testing Team 13
  PCI ASV Team 13
Appendix C - Safe Checks 14
Introduction

Document Purpose

RandomStorm adopt a proven information security assessment methodology based on industry recognised guidelines, including NIST Special Publication 800-115 and the Open Source Security Testing Methodology Manual (OSSTMM). This methodology is followed by all consultants on all infrastructure security assessments, ensuring that a thorough and accurate assessment is performed. In addition, the use of a formal methodology helps to maintain consistency among the various assessments performed by different consultants.

The purpose of this document is to provide a clear and concise explanation of the various components of RandomStorm's methodology. In each section the tools used by the consultants are listed, along with any applicable NIST SP 800-115 documentation references.

Document Structure

This document contains the following four sections:

1. Introduction
2. Security Testing - This section explains the most common techniques used to perform infrastructure security assessments.
3. Testing Methodology - This section covers the various components of the methodology in the order in which they are performed. The most common tools used by the RandomStorm consultants are listed under the title "Associated Tools" in each section. Where applicable, NIST references are listed at the end of each section.
4. Appendix Documents - This section includes appendix documents that contain additional information that readers may find useful.
Security Testing

External Testing

An external infrastructure security assessment is usually performed from the assessor's office or data centre locations and targets the client's publicly facing network services. The assessment will identify software or configuration vulnerabilities associated with the target hosts. As these services are publicly available, their security is a significant concern for the client. For example, should an attacker successfully compromise a service such as an external email portal, they may be able to launch effective social engineering (spear phishing) attacks. Similarly, a successful compromise of the client's external VPN service could result in full remote access to the internal network.

External testing often places a greater emphasis on publicly available information and how it could be leveraged against the target business. RandomStorm's consultants will gather key pieces of information such as (but not limited to) email addresses, unique words from the website, associated social media information and author names from document metadata. This information will be examined and used to perform a realistic simulation of an external attack. Typically, the external assessment is performed by a separate team and information is not shared with those performing the internal assessment.

Internal Testing

An internal security assessment is performed onsite at the client's location, with the consultant directly connected to the corporate network. This assessment will identify software and configuration vulnerabilities associated with the servers, workstations and infrastructure devices that make up the client's internal network. As the consultant is directly connected to the network, the assessment simulates an attacker who has already gained access externally, or an internal threat such as a disgruntled employee.
Internal tests often yield significantly more results than external tests, as a far greater number of hosts are within scope. Additionally, the live services hosted by internal servers are generally less restricted than those within an externally facing DMZ. Where external assessments focus on leveraging publicly available information against a handful of services, internal assessments focus on identifying the most significant vulnerabilities from a typically large scope.

Black Box Testing

During Black Box testing, the client will not provide any detailed information about the target systems beyond their IP addresses. This type of assessment is the most realistic simulation of a real world attack. As no information is provided, the initial reconnaissance stages take greater precedence, establishing a foundation for the remainder of the test.

Clients can request that an external assessment be performed without providing any target IP addresses. The consultants will then be expected to perform passive online reconnaissance to identify any targets associated with the client. These targets will be presented to the client, who will confirm which are to be fully tested.
White Box Testing

During White Box testing, the client will provide RandomStorm with detailed information about the target systems. With greater insight into the systems, the consultant is able to identify more vulnerabilities than in Black Box testing. White Box testing can therefore be considered more thorough, but at the expense of a realistic test. Generally, a client will perform Black Box testing to identify the low hanging fruit, then perform White Box testing to identify the more subtle or theoretical security issues.

Review Testing

The information security assessment may include non-intrusive / passive testing techniques designed to gather information that may reveal additional security weaknesses. As these tests are passive, they should not pose a significant threat to the network or services. Typically, these tests would include reviews of logs, system configurations, firewall rulesets and business documentation such as relevant procedures and policies.

Documentation Review - NIST SP 800-115 - 3.1
Log Review - NIST SP 800-115 - 3.1
Ruleset Review - NIST SP 800-115 - 3.2
System Configuration Review - NIST SP 800-115 - 3.3
Network Sniffing - NIST SP 800-115 - 3.4
File Integrity Checking - NIST SP 800-115 - 3.4
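The ruleset review listed above is one of the passive checks performed during Review Testing. As an added illustration (not code from this document or from RandomStorm), the following Python script applies three checks a reviewer would run over a firewall ruleset: allow rules that permit any source to any destination on any service, cleartext management protocols (telnet, FTP) reachable from any source, and rules that can never match because an earlier, broader rule already covers their traffic (shadowing). The rule model, the five-rule ruleset and the list of cleartext management ports are all constructed for the example.

```python
"""Firewall ruleset review (added example, not RandomStorm tooling).

Rules are modelled as (action, src, dst, proto, port). A source or
destination is a CIDR or "any"; proto and port are literal values or "any".
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = "any"

# Assumed list of management protocols that carry credentials in the clear.
CLEARTEXT_MGMT_PORTS = {"23": "telnet", "21": "ftp"}


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str  # "allow" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    proto: str   # "tcp", "udp" or "any"
    port: str    # port number as a string, or "any"


def _net_covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def _field_covers(outer: str, inner: str) -> bool:
    return outer == ANY or outer == inner


def is_shadowed(rule: Rule, earlier: list[Rule]) -> bool:
    """A rule is shadowed when an earlier rule matches a superset of its traffic,
    regardless of action: a later deny under an earlier allow never fires."""
    return any(
        _net_covers(e.src, rule.src) and _net_covers(e.dst, rule.dst)
        and _field_covers(e.proto, rule.proto) and _field_covers(e.port, rule.port)
        for e in earlier)


def review_ruleset(rules: list[Rule]) -> list[tuple[int, str, str]]:
    """Return (rule id, finding code, message) for each issue, in rule order."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == ANY and r.dst == ANY and r.port == ANY:
            findings.append((r.rid, "permit-any",
                             "allows all traffic from any source to any destination"))
        if r.action == "allow" and r.src == ANY and r.port in CLEARTEXT_MGMT_PORTS:
            findings.append((r.rid, "cleartext-mgmt",
                             f"{CLEARTEXT_MGMT_PORTS[r.port]} reachable from any source"))
        if is_shadowed(r, rules[:i]):
            findings.append((r.rid, "shadowed",
                             "an earlier rule already matches all of this rule's traffic"))
    return findings


# Constructed ruleset for the example.
RULESET = [
    Rule(1, "allow", ANY, "10.0.0.0/8", "tcp", "23"),             # telnet from anywhere
    Rule(2, "allow", "192.168.1.0/24", "10.0.1.0/24", "tcp", "443"),
    Rule(3, "deny", "192.168.1.0/24", "10.0.1.10/32", "tcp", "443"),  # shadowed by rule 2
    Rule(4, "allow", ANY, ANY, ANY, ANY),                            # permit-any
    Rule(5, "deny", ANY, ANY, ANY, ANY),                             # never reached
]

if __name__ == "__main__":
    for rid, code, msg in review_ruleset(RULESET):
        print(f"rule {rid}: {code}: {msg}")
```

Rule 3 is the case reviewers most often miss: it reads as a sensible restriction, but because rule 2 already allows the whole /24 it is never evaluated, so the host it names is not actually protected.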
Testing Methodology

High Level Overview

RandomStorm's infrastructure security assessments follow a 5 step methodology, as shown in the diagram below.

[Diagram: the five-step cycle - 1. Initial Scoping, 2. Reconnaissance, 3. Assessment, 4. Reporting, 5. Presentation]

RandomStorm believe that these five steps are crucial in performing a thorough and accurate assessment, providing value for the client and ultimately improving the security of the target network. This methodology is cyclical, in that the results of the assessment, presented to the client and provided as a report, feed back into the scope of additional tests. As security is a process rather than a solution, this methodology is designed to work alongside that ongoing process. The 5 steps are broad categories and can generally be applied to multiple types of infrastructure assessment, regardless of whether it is internal, external or some other combination.
Initial Scoping

The consultants work closely with the client to agree on a scope that meets the client's specific security requirements. This will typically involve meetings and / or conference calls to discuss the assessment drivers, the various technologies involved, the results of previous assessments, details of unstable hosts, the location of critical business systems, assessment caveats, the location of sensitive information and any other relevant details that could affect the test. Confirming a scope with the client at this stage is critical, as any testing outside of the defined scope could breach the Computer Misuse Act 1990 as well as other information security relevant legislation.

Prioritising and Scheduling Assessments - NIST SP 800-115 - 6.1
Selecting and Customising Techniques - NIST SP 800-115 - 6.3
Assessment Logistics - NIST SP 800-115 - 6.4
Assessment Plan Development - NIST SP 800-115 - 6.10
Legal Considerations - NIST SP 800-115 - 6.12

Reconnaissance

The consultants will attempt to gather as much information as possible about the target company and target hosts. For an external assessment this information may include DNS records, email addresses, usernames, employee names, employee hierarchy, social media posts and website document metadata. The gathered information will be used to aid in attacks against remote administration services, web application login portals and any other attack vectors identified. When directly connected to a corporate network, reconnaissance may involve passively collecting network information for use in the assessment.

1. Network Traffic Analysis

The visible network traffic is collected and analysed using packet capture tools. The aim of this test is to identify issues such as clear text credentials and unauthenticated routing information. Traffic analysis can also be used to partially map out network resources and identify security issues with traffic flow.
Associated Tools: Wireshark, dsniff, tcpdump, Cain & Abel

The reconnaissance stage also focuses on active target identification, which involves identifying live services, their versions and information about the hosting device. This information lays the foundation for the vulnerability assessment, and the majority of it is used to identify software associated vulnerabilities.
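The Network Traffic Analysis step above looks for clear text credentials in captured traffic. The following Python script is an added example (not one of the listed tools and not RandomStorm's code) of the check a network team would run over a capture to find protocols that still carry credentials in the clear: it tracks USER/PASS exchanges on FTP and POP3 flows and decodes HTTP Basic authorisation headers, reporting the protocol, endpoints and username but never the password itself. The packet tuple layout, the port-to-protocol mapping and the five-packet capture are constructed for the example.

```python
"""Passive traffic review: flag cleartext credentials in captured packets.

Added example, not RandomStorm tooling. Each packet is modelled as a
(src, dst, dst_port, payload) tuple, as it could be exported from a
tcpdump/Wireshark capture; the capture below is constructed.
"""
import base64
import binascii
import re

BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Assumed mapping of USER/PASS command protocols to their usual ports.
USER_PASS_PROTOCOLS = {21: "ftp", 110: "pop3"}
HTTP_PORTS = {80, 8080}

# Constructed capture: two cleartext logins, one TLS flow and one half-seen login.
CAPTURE = [
    ("10.0.5.21", "10.0.1.9", 21, b"USER backup\r\n"),
    ("10.0.5.21", "10.0.1.9", 21, b"PASS Winter2013!\r\n"),
    ("10.0.5.33", "10.0.1.12", 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
     b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
    ("10.0.5.40", "10.0.1.9", 443, b"\x16\x03\x01\x00\x5a\x01"),  # TLS, not inspected
    ("10.0.5.21", "10.0.1.15", 110, b"USER alice\r\n"),          # PASS never captured
]


def find_cleartext_credentials(packets):
    """Return one finding per credential seen in the clear; passwords are not stored."""
    findings = []
    pending_user = {}  # flow -> username from USER, awaiting the matching PASS
    for src, dst, dport, payload in packets:
        flow = (src, dst, dport)
        proto = USER_PASS_PROTOCOLS.get(dport)
        if proto:
            line = payload.decode("ascii", "replace").strip()
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                pending_user[flow] = arg
            elif verb.upper() == "PASS":
                findings.append({"protocol": proto, "client": src, "server": dst,
                                 "username": pending_user.pop(flow, "<unknown>"),
                                 "password_length": len(arg)})
        elif dport in HTTP_PORTS:
            m = BASIC_RE.search(payload)
            if not m:
                continue
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except binascii.Error:
                continue  # malformed header, nothing to report
            user, _, password = decoded.partition(":")
            findings.append({"protocol": "http-basic", "client": src, "server": dst,
                             "username": user, "password_length": len(password)})
    return findings


def servers_with_cleartext_auth(findings):
    """Sorted (server, protocol) pairs: the remediation list for the report."""
    return sorted({(f["server"], f["protocol"]) for f in findings})


if __name__ == "__main__":
    for f in find_cleartext_credentials(CAPTURE):
        print(f"{f['protocol']}: {f['client']} -> {f['server']} user={f['username']} "
              f"(password of {f['password_length']} chars sent in clear)")
```

Keying the USER/PASS state on the flow tuple matters: on a busy network several logins to the same server interleave, and matching a PASS to the wrong USER produces a misleading finding. The POP3 login whose PASS was not captured is deliberately left unreported rather than guessed.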
2. Port/Service Discovery

One of the initial stages of any internal assessment is to identify live ports/services on the target hosts through automated port scanning. The remote operating system is fingerprinted and the service versions are identified.

Associated Tools: Nmap, Unicornscan, xprobe, SinFP and netcat

Network Discovery - NIST SP 800-115 - 4.1
Network Port and Service Identification - NIST SP 800-115 - 4.3
Wireless Scanning - NIST SP 800-115 - 4.6

Assessment

After completion of the reconnaissance stage, the gathered information is used as the basis for the vulnerability assessment, which in turn provides the security information needed to conduct the full manual penetration test. The objective is to identify all possible vulnerabilities that could potentially lead to a compromise, and to provide a worst case scenario.

Coordination - NIST SP 800-115 - 7.1
Assessing - NIST SP 800-115 - 7.2
Analysis - NIST SP 800-115 - 7.3
Data Handling - NIST SP 800-115 - 7.4

1. Automated Vulnerability Assessment

The results of the initial vulnerability scans provide the foundation for the entire assessment. The automated tools will probe each live service and identify known vulnerabilities based on the results of version banner checks and vulnerability specific plugins. This is the most network intensive part of the assessment, as multiple checks will be conducted simultaneously on multiple hosts.

Associated Tools: Nessus, OpenVAS, SAINT, Nexpose

Vulnerability Scanning - NIST SP 800-115 - 4.4

2. Manual Confirmation / Exploitation of Infrastructure Vulnerabilities

The consultant will manually confirm the high level (CVSS score 7-10) vulnerabilities identified. This may involve using techniques such as (but not limited to) exploitation code, malformed queries and password attacks, depending on the vulnerability identified. The manual confirmation of vulnerabilities reduces the chances of false positives being
reported on. In addition, the compromise of target hosts provides a platform on which to identify additional issues (post-exploitation).

Associated Tools: Metasploit and Core Impact

3. Manual Confirmation / Exploitation of Web Application Vulnerabilities

The automated scanning results will return low level Web application issues, considered the lowest hanging fruit. Therefore, a Web application specific assessment is performed to identify more complex vulnerabilities.

As the consultant elevates their privileges and compromises additional services, they will attempt to access more areas of the scope to achieve their main objective. This stage of the assessment will therefore also examine vulnerabilities associated with areas such as network segmentation and firewall restrictions. In assessments driven by PCI DSS compliance, the consultant will attempt to identify security weaknesses in the infrastructure that may allow them to access restricted areas such as the cardholder data environment (CDE).

Associated Tools: Burp Suite Professional, WebStorm, SQLMap, Nikto, WPScan, DNSRecon, DirBuster, theHarvester, w3af, SSLScan and Nmap

Penetration Testing - NIST SP 800-115 - 5.2

4. Brute-force / Wordlist Attacks

Any service that supports authentication will be assessed with either brute-force or wordlist attacks to identify weak passwords and other security issues. The most common services assessed are Telnet, SSH, FTP, SMB, LDAP, MSSQL and RDP.

Associated Tools: Hydra, Medusa, Burp and Metasploit modules

Password Cracking - NIST SP 800-115 - 5.1

5. Post Exploitation Techniques

Once targets have been compromised, it is then possible to identify additional vulnerabilities. These will often include local administrator password reuse, the use of weak hashing methods such as LM, cached credentials and weak domain admin passwords.

Associated Tools: Metasploit, Incognito, Mimikatz and fgdump
6. Operating System/Service Version NVD Cross-Reference

The operating system and service versions found will be cross-referenced with the National Vulnerability Database to identify issues that the automated scanners may have missed. Any new vulnerabilities are confirmed while onsite to reduce the possibility of false positives.

Reporting

Once all of the assessment data has been collected, the next phase is to analyse this data and create the report documents. The main report will contain a management summary, a list of prioritised security issues, and remediation advice. An appendix is also supplied containing all the security information gathered during the assessment.

Mitigation Recommendations - NIST SP 800-115 - 8.1
Reporting - NIST SP 800-115 - 8.1
Remediation/Mitigation - NIST SP 800-115 - 8.2

Presentation

Once the full assessment report is created, it is uploaded to the secure document area of the RandomStorm Secure Customer Portal. At the customer's request, any findings can be presented onsite by the consultants in the form of a presentation to management and / or employees.
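The Port/Service Discovery and NVD Cross-Reference steps above chain together: the scanner's service and version output becomes the key for the vulnerability lookup, and the scope agreed during Initial Scoping decides which hosts may be looked at at all. The following Python script is an added example (not RandomStorm's code and not an NVD client) of that pipeline: it parses Nmap's grepable (-oG) host lines into a service inventory, drops hosts outside the agreed scope, and cross-references product versions against a local vulnerability table using numeric version comparison, which is where naive string comparison goes wrong (a "2.10" release is newer than "2.9", not older). The Nmap output, the product names and every entry in the vulnerability table are constructed; the identifiers are placeholders, not CVE numbers.

```python
"""Service inventory and version cross-reference (added example).

Not RandomStorm tooling. Parses Nmap grepable output into a service
inventory, enforces the agreed scope, and matches product versions against
a local table that stands in for the NVD lookup. All data is constructed.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed Nmap -oG output: one host per line, Ports field is
# port/state/proto/owner/service/rpc/version/ entries separated by ", ".
NMAP_GREPABLE = """\
Host: 10.0.1.9 ()\tPorts: 21/open/tcp//ftp//acme-ftpd 2.10/, 22/open/tcp//ssh//acme-sshd 5.3 (protocol 2.0)/\tIgnored State: closed (998)
Host: 10.0.1.12 ()\tPorts: 80/open/tcp//http//acme-httpd/, 22/open/tcp//ssh//acme-sshd 6.1/\tIgnored State: filtered (998)
Host: 10.0.7.5 ()\tPorts: 22/open/tcp//ssh//acme-sshd 5.3/\tIgnored State: closed (999)
"""

# Constructed vulnerability table: (placeholder id, product, first affected,
# fixed-in version, CVSS). Placeholder ids, not real CVE entries.
VULN_TABLE = [
    ("EXAMPLE-0001", "acme-ftpd", "2.0", "2.9", 9.3),   # 2.10 is newer than the fix
    ("EXAMPLE-0002", "acme-sshd", "5.0", "6.0", 7.5),   # 5.3 affected, 6.1 not
    ("EXAMPLE-0003", "acme-httpd", "1.0", "1.4", 5.0),  # version unknown from banner
]

PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def split_product(version_field: str):
    """'acme-sshd 5.3 (protocol 2.0)' -> ('acme-sshd', '5.3'); no version -> None."""
    m = re.match(r"(\S+)(?:\s+(\d[\w.]*))?", version_field)
    return (m.group(1), m.group(2)) if m else (None, None)


def version_key(version: str) -> tuple[int, ...]:
    """Numeric tuple so that 2.10 sorts after 2.9 (string order would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_grepable(text: str) -> list[dict]:
    """Open services from Nmap grepable output as a list of inventory records."""
    services = []
    for line in text.splitlines():
        host_match = re.match(r"Host:\s+(\S+)", line)
        if not host_match:
            continue
        host = host_match.group(1)
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for port, state, proto, _owner, svc, _rpc, ver in PORT_ENTRY.findall(field[7:]):
                if state != "open":
                    continue
                product, version = split_product(ver)
                services.append({"host": host, "port": int(port), "proto": proto,
                                 "service": svc, "product": product, "version": version})
    return services


def cross_reference(services: list[dict], scope_cidrs: list[str]) -> dict:
    """Match in-scope services against VULN_TABLE.

    Services with no version in the banner are queued for manual confirmation
    rather than reported, mirroring the onsite confirmation step."""
    scope = [ipaddress.ip_network(c) for c in scope_cidrs]
    matches, needs_manual, out_of_scope = [], [], set()
    for s in services:
        if not any(ipaddress.ip_address(s["host"]) in net for net in scope):
            out_of_scope.add(s["host"])
            continue
        for vid, product, first, fixed, cvss in VULN_TABLE:
            if s["product"] != product:
                continue
            if s["version"] is None:
                needs_manual.append((s["host"], s["port"], vid))
                continue
            if version_key(first) <= version_key(s["version"]) < version_key(fixed):
                matches.append((s["host"], s["port"], vid, cvss))
    return {"matches": matches, "needs_manual": needs_manual,
            "out_of_scope": sorted(out_of_scope)}


if __name__ == "__main__":
    result = cross_reference(parse_grepable(NMAP_GREPABLE), ["10.0.1.0/24"])
    for host, port, vid, cvss in result["matches"]:
        print(f"{host}:{port} {vid} (CVSS {cvss})")
    print("manual confirmation:", result["needs_manual"])
    print("out of scope, not assessed:", result["out_of_scope"])
```

The host in 10.0.7.0/24 is a useful reminder of the scoping point: a scanner will happily report it, but it falls outside the agreed ranges and so is excluded from cross-referencing rather than silently assessed.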
Appendix A - About RandomStorm

RandomStorm InfoSec & Compliance Specialists have years of experience helping a broad range of organisations address their IT and business security and related compliance issues. Our people typically hold CISSP, CEH, CCIE and CHECK qualifications and are members of the Institute of Information Security Professionals.

We offer bespoke services aimed at taking the pain out of managing security risks and meeting industry regulation; we specialise in implementing InfoSec improvement and compliance strategies, developing secure IT and business processes, and architecting secure IT infrastructure. RandomStorm's specialists have extensive experience of guiding companies of all sizes through the maze of compliance in areas such as FSA, ISO 27001, Sarbanes-Oxley and PCI DSS.

RandomStorm are a CHECK Green Light company and employ a UK Security Cleared team of Penetration Testers that includes CHECK Team Leaders and CHECK Team Members. RandomStorm are a PCI Approved Scanning Vendor and a PCI Qualified Security Assessor.
Appendix B - Professional Services

The following is a list of the professional services currently offered by the RandomStorm team.

Penetration Testing Team
- Internal CHECK Security Assessment
- Internal PCI Security Assessment
- External Security Assessment
- Social Engineering
- Firewall Rule Review
- Server Build Review
- WiFi Security Assessment
- War Dialing Assessment
- VPN Security Assessment
- Citrix Security Assessment
- Training and Education
- VoIP Security Assessment
- Active Directory Security Review

Compliance Team
- PCI DSS Gap Analysis
- PCI DSS Consultancy
- PCI DSS Assessments
- ISO/27001 Gap Analysis
- ISO/27001 Consultancy
- Physical Security Assessment
- Incident Response
- Policies and Procedures Creation
- Training and Education

Web Application Testing Team
- Web Application Assessments
- Training and Education
- Code Review

PCI ASV Team
- External PCI ASV Assessments
Appendix C - Safe Checks

- All high level (exploitable) vulnerabilities will be securely reported to the client and onsite contact immediately on discovery.
- The laptop used by the engineer will be fully screened for any malicious software that could pose a threat to the target network.
- The automated scanners will have safe checks enabled, all Denial-of-Service (DoS) checks disabled, and be throttled back (in terms of hosts checked simultaneously and the maximum number of TCP connections) to reduce the chances of network disruption.
- The assessment will not include the exploitation of vulnerabilities (such as through buffer overflows) unless the client specifically requests it.
- Wordlist and brute-force attacks will not be performed unless the target service has been confirmed through examination (and by the client) to have no lock-out threshold configured, or similar configuration that could result in network or service disruption.
- Key services such as Microsoft Active Directory and Microsoft SQL databases will not be accessed using compromised accounts without confirmation from the client.