PENETRATION TESTING GUIDE. www.tbgsecurity.com


Table of Contents

What is a penetration test?
What is the difference between Ethical Hacking and other types of hackers and testing I've heard about?
How does a penetration test differ from an automated vulnerability scan?
What are the goals of a penetration test?
Why should we have a penetration test performed?
What should we expect from the penetration testing process?
Is testing disruptive to our environment? Will our systems go down?
How often should we do a penetration test?
How is the scope defined for a penetration test?
What qualifications should the penetration testing team possess?
What documentation should I expect to receive when the testing is complete?
How do we prepare for a penetration test?
We have our website hosted with a third party. Should we test it?
Should we fix all of the vulnerabilities that are reported?
What are typical costs for a penetration test?
How much time is needed to perform a typical penetration test?
Can we do our own penetration testing?
My customer wants to see the results of our penetration test. Should I share the results with outside parties?
What are the different kinds of penetration tests?

What is a penetration test?

A penetration test is a study of the effect of vulnerability against a target or targets. The targets can consist of systems, networks, applications or people, or any combination of these. During a penetration test, we assume the identity of an attacker and attempt to gain unauthorized access, and through a series of attacks, expand our influence over our target of evaluation. A penetration test measures the effectiveness of security controls while being flexible enough to adapt as obstacles present themselves.

What is the difference between Ethical Hacking and other types of hackers and testing I've heard about?

The terms Ethical Hacking and Penetration Testing are synonymous. Each refers to a sanctioned assessment of security controls through an active attempt to subvert those controls. Ethical Hackers are skilled in the same disciplines that actual cyber hackers (criminals) are skilled in. By leveraging this unique skill set it is possible to get a hacker's-eye view of your environment.

How does a penetration test differ from an automated vulnerability scan?

The main difference between vulnerability scans and penetration tests is that penetration tests are adaptive, contextual and multidimensional in approach, whereas vulnerability scans are far less aware and non-adaptive. But where vulnerability scans lack context, they make up for it in comprehensiveness. If vulnerability scan data were available to a penetration test, this information could provide valuable intelligence that could then be used in more sophisticated attacks that would not be possible if a vulnerability scan were used alone. Both solutions are necessary for a truly mature approach.

What are the goals of a penetration test?

The goals of a penetration test are not set in stone, but are instead determined on a case-by-case basis. The penetration tester will meet with the client before the onset of an engagement to gauge the client's goals. At the most rudimentary level the goal is to gain access to some network, system or application, in a manner that is covert and ultimately proves a genuine risk of loss of confidentiality or integrity of sensitive data. If no specific goals are set, we will typically attempt to get in and escalate our influence to that of a Domain Admin (assuming the environment is a Microsoft Active Directory environment).

Why should we have a penetration test performed?

The information security threat landscape is ever evolving, and simple passive methods of protection cannot possibly keep up with new and existing threats. A vulnerability scan is very good at finding known flaws, and anti-virus / anti-malware detection is likewise good at finding known threats, but modern-day threat actors are very good at exploiting what is not known. Despite an organization's best efforts to implement security controls, those controls are only as good as the sum of all of their parts, and it is just as easy to misconfigure any one of these parts as it is to configure it properly. The penetration test, in a sense, is looking for that proverbial needle in the haystack. We seek to find the one or two issues within the larger interconnected web of controls, and see where each successful execution will lead. A successful security program is a combination of controls. Those misconfigurations are out there, and what the professional penetration test will tell you is how well the entire security program, with all of its controls, is situated to detect and detain these threats when they appear.

What should we expect from the penetration testing process?

A penetration test is an uncontrolled process, in that the penetration testers typically do not plan to interact very much with the target in a controlled way. Most tasks are subversive and covert in nature, and therefore must remain as uncontrolled as possible. If the penetration test target is an internal network, then a staged system (a dropbox) is typically deployed. This too can be done in a covert manner as part of a physical penetration test, or it could be placed on the network ahead of the initiation of the test by the customer. Testing will commence, and once all testing activities are completed, reports will be generated and delivered to the customer. There will typically be a debriefing and a chance for customer comments. Any changes to the draft reports will be made and delivered. Sometimes penetration testers will be asked to validate corrective action measures, and sometimes a customer might commission a full retest after a full mitigation plan has been executed.

Is testing disruptive to our environment? Will our systems go down?

Because penetration testing is largely a manual process, the penetration tester has full control of what is done within the target of evaluation. It is generally not very useful to a penetration tester to introduce a denial of service condition, since one of the primary goals of a penetration test is to be covert. The penetration test alone is extremely unlikely to cause any service disruptions unless that is something the client decides to include as part of the testing parameters (which is extremely rare).

How often should we do a penetration test?

Network and application penetration tests are often performed at a minimum once every year. Certain information security standards call for it to be done more often: when major changes occur within the network, when application upgrades occur, or when infrastructure or architecture changes significantly (see PCI requirement 11.3). Additionally, many of our customers require any newly acquired software to be tested before being put into production. This includes cloud-based SaaS and PaaS model applications. This is a very important point, since much of our sensitive data is moving into the cloud. This move might remove some responsibility, but it does not automatically remove the threats to the asset, and might even introduce new threats.

How is the scope defined for a penetration test?

Scope is mutually agreed upon between the client and the penetration tester, and can vary significantly in size, anywhere from one system to one network or a number of networks. The scope will be contingent on the goals the client has set for the penetration test.

What qualifications should the penetration testing team possess?

Penetration testing teams should contain multiple disciplines, but most commonly a strong networking and programming focus is necessary to achieve the desired results. Much of what separates a good penetration test from a mediocre one is mindset. A penetration tester has a unique perspective when presented with a set of facts. Most people see what is meant to be seen, while the penetration tester is capable of seeing what is there but hidden. Since these soft skills are hard to quantify, it is necessary to interview the penetration tester to gain a feel for the breadth of his/her experience. Check their resume and their references before you buy.

What documentation should I expect to receive when the testing is complete?

At a minimum the penetration tester should deliver an executive summary of findings, which includes an overview of what was accomplished and what, if any, major issues were uncovered. This should be followed by a detailed summary report that outlines each issue uncovered, an assessment of risk for each issue with some context explaining how the risk rating was chosen, and recommended corrective actions clearly outlined. A full walkthrough of the penetration exercise should be included where relevant. Oftentimes additional reports might also be delivered to support the findings in the summary reports. For instance, it is common to run vulnerability scans during a penetration test, and those scan reports might be delivered under separate cover.

How do we prepare for a penetration test?

How much or how little you prepare for a penetration test will again depend on the goals and scope defined for a specific test. We typically recommend that you use the penetration test to validate your incident preparedness, and therefore the less you prepare the better. That said, there are certainly some tests that call for a greater amount of preparation. For instance, if the target is a web application, there will be a need to provision accounts, and it probably makes sense to provide a demonstration of the functionality of the application.

We have our website hosted with a third party. Should we test it?

Unequivocally yes! The fact that the website is hosted at a third party means that there are potential threats outside of your control. What if an attacker could access the web server management interface? Without question you should test your hosted applications.

Should we fix all of the vulnerabilities that are reported?

All vulnerabilities should be addressed. For any identified issue there will be a degree of risk associated with the finding. We attempt to apply as much relevant context as possible to each finding, and certainly high-risk issues should be addressed in an expedient manner. Sometimes there are a large number of findings, particularly when automated vulnerability scans are run as part of the penetration test. Once you receive all of your reports, a mitigation plan should be put in place, and each of the reported vulnerabilities should be addressed as part of the plan. For any vulnerability there are only five possible ways to address the issue:
(1) apply a vendor patch,
(2) reconfigure a piece of software,
(3) turn the affected service or server off,
(4) apply a mitigating control (such as a firewall) to reduce risk, or
(5) simply choose to accept the risk (which in some cases might be a perfectly reasonable option).

What are typical costs for a penetration test?

The cost for penetration testing varies greatly. A number of factors are used to determine pricing, including, but not limited to, the scope of the project, the size of the environment, the quantity of systems, and the frequency of testing. It is critical to have a detailed scoping meeting to produce a very clear understanding of the needs, and to develop a statement of work prior to engaging any penetration test. Ideally a penetration test should be performed on a fixed-fee basis to eliminate any unexpected costs or unplanned expenditures. The quoted fee should include all labor and required testing tools. Statements of work that only provide estimates of the work effort should not be entertained.

How much time is needed to perform a typical penetration test?

Adequate time should be reserved in advance of testing for planning activities. Additional time should be allocated after testing for report development and subsequent review meetings, including remediation discussions. The entire effort varies greatly based on the size and complexity of the penetration test. The larger or more complex the environment is, the more effort is required. The duration of the test, however, is very controllable. The duration of the test should be compressed to ensure a good, representative view of the environment at a given point in time. Generally speaking, two to four weeks is a good estimate for the duration of the entire engagement from planning through delivery.

Can we do our own penetration testing?

Typically no, but it's not inconceivable. Many large organizations like major banks and government agencies do their own internal penetration testing (often called Red Team testing or Red Team / Blue Team testing), but these organizations typically have information security budgets in excess of $1,000,000, and even these organizations will often augment their staff with third-party tests to gain a fresh perspective from time to time. The decision to insource or outsource the penetration test function typically comes down to whether you have qualified individuals on staff to perform the test. Most professional penetration testers have a burden on them to remain current with modern attack techniques, and this typically requires penetration testing to be a full-time job, so to successfully conduct insourced penetration tests it is usually best to have dedicated staff whose only job is offensive security.

My customer wants to see the results of our penetration test. Should I share the results with outside parties?

The penetration test can be a very powerful marketing tool. It shows your sense of due diligence, and can often help ease concerns your customers might have about cyber security. In this day and age there is a heightened public awareness of cyber threats. Hardly a day goes by that you don't read about some high-profile news story that involved some sort of cyber crime. It ultimately is a business decision as to whether you disclose the results of a penetration test, but if you do decide to provide a copy of the penetration test findings, the penetration testing firm should provide an executive summary that's high-level enough to be presented to interested third parties without disclosing any sensitive information.

What are the different kinds of penetration tests?

There are several different flavors of penetration tests, and each addresses different threats.

External Network Penetration Test

External network penetration tests are focused on the exposed network perimeter. This is typically the best defended, as it is exposed to everyone on the Internet. A weakness here could expose the internal network to attack. Perimeter networks must be fully protected at all times, as they are under constant pressure from adversaries. The goal of the external network penetration test is typically to gain a foothold inside the DMZ or corporate network, or to find some method of exfiltrating data via the exposed services available from the Internet.

Internal Network Penetration Test

The internal penetration test is focused on simulating what risk a rogue system would pose to the enterprise. This simulation would typically employ a dropbox (an unsanctioned computer with lots of tools on it), but would also be able to simulate the potential exposure to a sophisticated piece of malware or an advanced persistent threat. The goal of the internal penetration test is to find weaknesses at the network or host level that will allow the penetration tester to establish command and control and to ultimately gain full administrative rights over the networks and systems on the network.

Application Penetration Test

Application penetration tests look at the controls of an application (typically a web application) that houses sensitive information. When testing an application, the penetration tester will want to assess the way authentication and authorization are handled. The penetration tester will also be focused on how the application maintains session management and tenant segregation. Logic flaws will be identified and tested, along with common web-based attack vectors such as injection flaws and buffer overruns. Finally, a review of the web server itself will typically be included, with specific emphasis on attacks against any content management software that might be exposed. Testing web applications will typically require two or more sets of credentials and careful coordination with application custodians before, and sometimes during, the test.
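To make the authorization and tenant-segregation checks above concrete, here is an added example (not TBG Security's code or any product's) of a minimal record lookup in its vulnerable form beside its hardened form, plus the cross-tenant check that a tester with two sets of credentials, or a developer writing a regression test, would run against each. The tenants, sessions and records are constructed sample data.

```python
"""Tenant segregation: a vulnerable lookup beside a hardened one (constructed example)."""

# Constructed sample data: two tenants, one record each.
RECORDS = {
    101: {"tenant": "acme", "body": "acme invoice"},
    202: {"tenant": "globex", "body": "globex payroll"},
}

# Constructed session store: session token -> authenticated identity.
SESSIONS = {
    "tok-alice": {"user": "alice", "tenant": "acme"},
    "tok-bob": {"user": "bob", "tenant": "globex"},
}


class NotFound(Exception):
    """Raised for missing records and for records outside the caller's tenant."""


class Unauthenticated(Exception):
    """Raised when the session token is unknown."""


def _session(token):
    """Resolve a session token to its identity; unknown tokens are rejected."""
    sess = SESSIONS.get(token)
    if sess is None:
        raise Unauthenticated()
    return sess


def get_record_vulnerable(token, record_id):
    """Authenticates the session but looks the record up by id alone, so any
    logged-in user can read any tenant's record (broken tenant segregation)."""
    _session(token)
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound()
    return rec["body"]


def get_record_hardened(token, record_id):
    """Scopes the lookup to the session's tenant. A record that belongs to
    another tenant is reported exactly like a missing one, so the response
    does not confirm that the id exists."""
    sess = _session(token)
    rec = RECORDS.get(record_id)
    if rec is None or rec["tenant"] != sess["tenant"]:
        raise NotFound()
    return rec["body"]


def cross_tenant_findings(handler):
    """Try every session against every record and return the (user, record_id)
    pairs where a user read a record outside their own tenant. An empty list
    means tenant segregation held for this handler."""
    findings = []
    for token, sess in SESSIONS.items():
        for record_id, rec in RECORDS.items():
            if rec["tenant"] == sess["tenant"]:
                continue  # same-tenant access is expected; skip it
            try:
                handler(token, record_id)
            except (NotFound, Unauthenticated):
                continue  # access correctly refused
            findings.append((sess["user"], record_id))
    return findings


if __name__ == "__main__":
    print("vulnerable handler findings:", cross_tenant_findings(get_record_vulnerable))
    print("hardened handler findings:  ", cross_tenant_findings(get_record_hardened))
```

The same loop, pointed at real endpoints with the two provisioned accounts, is the check to keep in the application's test suite after remediation so the finding cannot quietly return.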

Physical Penetration Test

During a physical penetration test the penetration tester will attempt to gain unauthorized access to an office space with the goal of testing physical controls such as doors, windows, security personnel and physical network connections. The ultimate goal of a physical test is to install some device that can then be accessed externally and be used to initiate network and system attacks against the internal network; basically, the goal is to place the dropbox that can then be used to conduct the internal network penetration test.

Social Engineering Test

A social engineering test is an attempt to attack the weakest link in the information security program: the user. During a social engineering test several methods could be deployed to either gain the trust of a user, or to simply trick them into doing something they should never do. The social engineering test is really a test of the corporate security awareness initiative. Some vectors of attack include: phishing emails, spear phishing emails, email spoofing, phone calls, and USB drops. The goal of a social engineering campaign is typically to trick one or more users into relinquishing their credentials or to get them to click and install malware. NOTE: malware is typically not installed; instead, click-through rates are monitored.

OUR TEAM OF ETHICAL HACKERS WILL SHOW YOU WHERE YOUR VULNERABILITIES ARE, WHETHER IT'S AT THE NETWORK OR APPLICATION LAYER. OUR TEAM HAS YEARS OF EXPERIENCE SUCCESSFULLY HACKING THE MOST COMPLEX SYSTEMS AND NETWORKS.