Penetration testing: exposure of fallacies 1-14




Statistics of the vulnerabilities distribution (2014)
Network perimeter (73%, 52%, 34%, 11%):
- ability to connect third-party equipment without pre-authorization;
- weak passwords or weak encryption algorithms used for their storage and transfer;
- open protocols used for data transfer;
- outdated security updates.
Web applications (62%, 18%, 12%, 6%, 12%, 12%):
- sensitive data exposure;
- Cross-Site Request Forgery;
- Cross-Site Scripting;
- SQL Injections.
4-14

Statistics of the weak password protection
Administrator:
- less than 10 symbols: 50%
- 123456: 29%
- admin: 21%
- blank password, Qwerty123, a single digit, P@ssw0rd: 14% each
User:
- less than 10 symbols: 57%
- P@ssw0rd; 6 symbols of only lowercase letters and digits: 36% each
- 123456: 29%
5-14

Penetration testing goal
1. As a part of a security audit:
- to justify the need for raising the security level;
- to demonstrate the existing vulnerabilities.
2. In the form of an independent test:
- to detect hidden security vulnerabilities;
- to assess residual risks.
6-14

Independent testing benefits:
- objectivity of the test results;
- saving on licensing;
- no specific skills requirements for the customer's own experts;
- ensuring continuity of business processes;
- quality of the results analysis and professional recommendations.
Exposure of fallacies nr. 1: phobia
7-14

Testing execution
Ethical rules:
- transparent scanning process in accordance with the approved course of action;
- any dangerous action is coordinated with the customer;
- critical business processes are not interrupted;
- detailed report about the testing results;
- well-known techniques for testing.
Exposure of fallacies nr. 2: high price
8-14

Phase 1: Pre-engagement Interactions
- testing approach (Black Box, Grey Box, White Box);
- determination of the type and number of the test systems;
- Intelligence Gathering.
9-14

Phase 2: Vulnerability Analysis
- vulnerability test execution;
- preliminary results analysis;
- retest.
Exposure of fallacies nr. 3: scan vs pentest
10-14

Scan results: example (scanner screenshots in Graphics Mode and Analytical Mode)
11-14

Pentest results: example
Blind SQL Injection: according to the Community-Developed Dictionary of Software Weakness Types (CWE-89, http://cwe.mitre.org/data/definitions/89.html), the automated analysis performed by a security scanner may fail to correctly recognize some parts of the SQL commands. However, the protective measures built into the Entity Framework 5 technology prevent any possible SQL Injection, because the web applications use only parameterized queries.
Conclusion: additional human examination of the affected forms shows that the reported finding is a false positive, since no string concatenation operations are used to build the queries. The reported vulnerability cannot be exploited by attackers.
12-14
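The slide's verdict rests on one distinction: a query built by concatenating user input into SQL text is injectable, a query that binds the input as a parameter is not. The following is an added example, not code from the slides and not Entity Framework (which the slide names); it uses Python's standard sqlite3 module and a constructed in-memory table to show both query styles side by side, plus the differential check a reviewer can use to confirm or reject a scanner finding: if a tautology input returns more rows than a non-existent name does, the finding is a true positive, otherwise it is a false positive as on the slide. The function and table names are assumptions for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original slides).
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]

# Input a reviewer uses to re-check a scanner finding: it only changes the
# result if the application lets it become SQL syntax.
TAUTOLOGY = "nobody' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_concatenated(conn, name):
    """Vulnerable form: the input is spliced into the SQL text, so quotes in
    the input can terminate the literal and append their own conditions."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """Hardened form: the driver binds the value; whatever it contains is
    compared as data and can never be parsed as part of the statement."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def confirm_injection(query_fn):
    """Differential check used during manual triage of a scanner finding.

    Returns True when the tautology input yields more rows than a name that
    does not exist, i.e. the input altered the query logic (true positive).
    Returns False when both return the same rows (false positive)."""
    conn = make_db()
    try:
        baseline = query_fn(conn, "nobody")
        probe = query_fn(conn, TAUTOLOGY)
    finally:
        conn.close()
    return len(probe) > len(baseline)


def triage(finding, query_fn):
    """Label a scanner finding the way the slide's conclusion does."""
    verdict = "true positive" if confirm_injection(query_fn) else "false positive"
    return f"{finding}: {verdict}"


if __name__ == "__main__":
    print(triage("Blind SQL Injection (concatenated query)", find_user_concatenated))
    print(triage("Blind SQL Injection (parameterized query)", find_user_parameterized))
```

Running the block prints "true positive" for the concatenated query, because the tautology returns both sample rows, and "false positive" for the parameterized one, because the bound string simply matches no user. In a real review the check is run against the actual affected form rather than a local copy; the point is that the scanner's pattern match is a hypothesis and the parameterization of the query is what decides it.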

Phase 3: report generation
Report for authorities contains:
- overall test results;
- overall vulnerability level assessment;
- general recommendations for improving the security level of the network infrastructure;
- conclusions.
Report for IT technicians contains:
- the testing method description;
- the testing method features;
- detailed test results distributed over the tested nodes;
- detailed vulnerability descriptions;
- the security protection level for each tested node;
- technical recommendations for mitigating the risk of vulnerability exploitation.
13-14

Report for IT technicians: the testing results 13/a-14

Report for IT technicians: the results analysis 13/b-14

Report for IT technicians: vulnerabilities description 13/c-14

Report for IT technicians: recommendations for mitigation 13/d-14

Phase 4: recommendations preparation
The most general recommendations:
- patching of systems and software;
- backup and recovery information management;
- information security risk assessment and risk management;
- business contingency and disaster recovery planning for the critical systems;
- incident management;
- employees' information security training.
Exposure of fallacies nr. 4: what to do with pentest results
14-14

Andrei SOROCHIN, Information Security Officer
str. Calea Iesilor 10, MD-2069, Chisinau, Moldova
integrator.md
phone: +37322509750
fax: +373 22509710
e-mail: sales@dsi.md