Penetration testing: exposure of fallacies
Statistics of the vulnerability distribution (2014)
Network perimeter:
- 73% Ability to connect third-party equipment without prior authorization
- 52% Weak passwords, or weak encryption algorithms used for their storage and transfer
- 34% Use of open (unencrypted) protocols for data transfer
- 11% Missing security updates
Web applications:
- 62% Sensitive data exposure
- 18% Cross-Site Request Forgery
- Cross-Site Scripting, SQL Injection and the remaining categories: 12%, 6%, 12%, 12% (as shown on the slide)
Statistics of weak password protection
Administrator accounts:
- Less than 10 characters: 50%
- 123456: 29%
- admin: 21%
- Blank password, Qwerty123, a single digit, P@ssw0rd: 14% each
User accounts:
- Less than 10 characters: 57%
- P@ssw0rd: 36%
- 6 characters, only lowercase letters and digits: 36%
- 123456: 29%
Penetration testing goals
1. As part of a security audit:
- to justify the need to raise the security level;
- to demonstrate the existing vulnerabilities.
2. As an independent test:
- to detect hidden security vulnerabilities;
- to assess residual risks.
Independent testing benefits:
- objectivity of the test results;
- savings on tool licensing;
- no need to keep in-house experts with the specific skills required;
- continuity of business processes is ensured;
- quality of the results analysis and professional recommendations.
Exposure of fallacies nr. 1: phobia (fear of being tested)
Testing execution
Ethical rules:
- transparent scanning process, following the approved course of action;
- any potentially dangerous action is coordinated with the customer in advance;
- critical business processes are not interrupted;
- a detailed report on the testing results;
- only well-known, documented techniques are used.
Exposure of fallacies nr. 2: high price
Phase 1: Pre-engagement Interactions
- choice of testing approach (Black Box, Grey Box, White Box);
- determination of the type and number of systems under test;
- Intelligence Gathering.
Phase 2: Vulnerability Analysis
- vulnerability test execution;
- analysis of the preliminary results;
- retest (manual verification of every reported finding).
Exposure of fallacies nr. 3: scan vs. pentest
Scan results: example (scanner output, graphics mode and analytical mode)
Pentest results: example
Blind SQL Injection: according to the Common Weakness Enumeration entry for SQL injection, CWE-89 (http://cwe.mitre.org/data/definitions/89.html), the automated analysis performed by a security scanner may fail to recognise correctly how parts of the SQL command are built. In this case the application is built on Entity Framework 5, whose LINQ queries are always sent to the database as parameterized queries, so user input never becomes part of the SQL text. (The same guarantee would not hold for raw SQL assembled by string concatenation and passed to SqlQuery or ExecuteSqlCommand, which is why the code behind the flagged forms had to be inspected for concatenation.)
Conclusion: manual examination of the affected forms showed no string concatenation in the query path, so the scanner finding is a false positive. The reported vulnerability cannot be exploited by an attacker.
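The difference between the scanner's verdict and the pentester's verdict above is the manual retest. The following added example (not from the original slides) replays, in Python against an in-memory SQLite database with constructed sample data, the boolean-based blind-injection probe a scanner uses, once against a hypothetical handler that concatenates input into the SQL text and once against a hypothetical handler that binds it as a parameter (standing in here for an EF5 LINQ query). The handler names, table and data are assumptions for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original page).
USERS = [("alice",), ("bob",)]


def make_db():
    """In-memory database standing in for the application's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", USERS)
    return conn


def lookup_concatenated(conn, name):
    # Hypothetical vulnerable handler: the input is spliced into the SQL text,
    # so a quote inside `name` changes the structure of the statement.
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hypothetical safe handler: the value is bound as a parameter and can
    # never be parsed as SQL syntax (what EF5 LINQ queries do under the hood).
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def probe(handler, conn, known_value="alice"):
    """Manual retest of a reported blind SQL injection.

    Four requests: the plain known value (baseline), the value with an
    always-true tail, with an always-false tail, and with a dangling quote.
    The input is really reaching the query as SQL syntax only if the
    true-tail response equals the baseline while the false-tail response
    differs, or if the dangling quote produces a database error.
    """
    def send(value):
        try:
            return ("rows", handler(conn, value))
        except sqlite3.Error as exc:  # a syntax error is itself a tell
            return ("error", type(exc).__name__)

    baseline = send(known_value)
    true_tail = send(known_value + "' AND '1'='1")
    false_tail = send(known_value + "' AND '1'='2")
    broken_quote = send(known_value + "'")
    injectable = (
        (true_tail == baseline and false_tail != baseline)
        or broken_quote[0] == "error"
    )
    return {
        "baseline": baseline,
        "true_tail": true_tail,
        "false_tail": false_tail,
        "broken_quote": broken_quote,
        "verdict": "confirmed" if injectable else "false positive",
    }


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("concatenated", lookup_concatenated),
                          ("parameterized", lookup_parameterized)):
        print(name, probe(handler, db)["verdict"])
```

For the concatenating handler the true-tail request returns the baseline row and the false-tail request returns nothing, so the finding is confirmed; for the parameterized handler every probe string is simply looked up as a literal user name, returns no rows and raises no error, which is exactly the evidence the report above uses to close the scanner finding as a false positive.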
Phase 3: report generation
Report for management contains:
- overall test results;
- overall assessment of the vulnerability level;
- general recommendations for improving the security level of the network infrastructure;
- conclusions.
Report for IT technicians contains:
- description of the testing method;
- features of the testing method;
- detailed test results, broken down by tested node;
- detailed description of each vulnerability;
- the security protection level of each tested node;
- technical recommendations for mitigating the risk of exploitation of each vulnerability.
Report for IT technicians (sample pages):
- the testing results;
- the results analysis;
- vulnerabilities description;
- recommendations for mitigation.
Phase 4: recommendations preparation
The most general recommendations:
- patching of systems and software;
- backup and recovery management;
- information security risk assessment and risk management;
- business continuity and disaster recovery planning for the critical systems;
- incident management;
- information security training for employees.
Exposure of fallacies nr. 4: what to do with the pentest results
Andrei SOROCHIN Information Security Officer str. Calea Iesilor 10, MD-2069, Chisinau, Moldova integrator.md phone: +37322509750 fax: +373 22509710 e-mail: sales@dsi.md