Effective Penetration Testing. Kevin Pescatello




Kevin Pescatello
A Capstone Presented to the Information Technology College Faculty of Western Governors University in Partial Fulfillment of the Requirements for the Degree Master of Science in Information Security Assurance
22-Jan-2013

Abstract

This paper covers the importance of providing penetration-testing services that comply with the law and with corporate governance. Not every penetration-testing service provides the proper structure for execution: some engagements offer a good scenario of what to test and how, but fail to provide the supporting documentation, communication, and legal counsel throughout the process. This project follows a real penetration test from start to finish, including the best practices used and required for complying with the law and with corporate governance as it should be done. The paper presents a case study of that test, gives the business dynamics as well as the technical objectives to be tested, and provides countermeasures for the organization. Documentation and artifacts supporting the legal and technical requirements are in the appendix. The body of the paper covers the testing preparation, methodology, and execution. All identifying information in the report has been changed to protect the identity of the client.

Table of Contents

Introduction
Project scope
Defense of the Solution
Methodology Justification
Organization of the Capstone Report
Systems and Process Audit
Audit Details
Problem Statement
Problem Causes
Business Impacts
Cost Analysis
Risk Analysis
Detailed and Functional Requirements
Functional (end-user) Requirements
Detailed Requirements
Existing Gaps
Project Design
Scope
Assumptions
Project Phases
Timelines
Dependencies
Resource Requirements
Risk Factors
Important Milestones
Deliverables
Methodology
Approach Explanation
Approach Defense
Project Development
Hardware
Software
Tech Stack
Architecture Details
Resources Used
Final Output
Quality Assurance
Quality Assurance Approach
Solution Testing
Implementation Plan
Strategy for the Implementation
Phases of the Rollout
Details of the Go-Live
Dependencies
Deliverables
Training Plan for Users
Risk Assessment
Quantitative and Qualitative Risks
Cost/Benefit Analysis
Risk Mitigation
Post Implementation Support and Issues
Post Implementation Support
Post Implementation Support Resources
Maintenance Plan
Conclusion, Outcomes, and Reflection
Project Summary
Deliverables
Outcomes
Reflection
References
Appendix A: Network Devices
Appendix B: Critical Services
Appendix C: Penetration Test Plan
Appendix C: Penetration Test Action Plan (Con't)
Appendix D: Audited IT Processes
Appendix D: Audited IT Processes (Con't)
Appendix E: Qualitative Risk Matrix
Appendix F: List of Legal Concerns
Appendix G: Sample Contract
Appendix G: Sample Contract (Con't)
Appendix H: Sample Contract (Con't)
Appendix I: Data Breach Calculator Report
Appendix J: Penetration Results and Countermeasures
Executive Summary
Test Objectives
Port Scanning Results and Issues
Scanning Windows machines
Countermeasures
DoS/DDoS Testing
Countermeasures
Application Server Testing
Countermeasures
Sniffing and MITM Attacks
Countermeasures
Appendix AA: MBSA (Microsoft Baseline Security Analyzer) Scan Results
Appendix AB: Nmap Scan Results
Appendix AC: Nessus Scan Results Application Server MAXWELLSM
Appendix AD: Nessus Scan Results Network
Appendix AE: Communication Plan

Introduction

This paper outlines how a penetration test fails and details how an effective test should work. What happens when a business requests a pen-test but the company providing the service does not capture the requirements correctly? In addition, the company performing the test does not always follow best practices. The stretch from soliciting a request for proposal, to identifying the security posture, to planning is where the pen-test company may fail to produce accurate results. The meeting between the two companies is often short and requires both sides not just to hear but to listen to the requirements and provide a well-documented response. While the decision to get a pen-test is not difficult, the dynamics of preparing and executing one are quite involved. Many penetration tests do not perform as well as they should because of poor planning, poor communication, or both. This paper outlines the costs, failures, motives, and methods needed to review the security posture of a company.

Project scope

This project includes the entire process: presenting the need for the penetration test, acceptance of the scope of work, signed written consent, a communication plan, an action plan, a list of assets and scan-type activities, penetration methods, documentation, and a written report as attachments concluding the test. The paper does not include any client-specific information relating to the solicitation, presentation, or procurement of the contract. The information provided demonstrates a scenario in which Certified Ethical Hackers have applied a best-practices approach to security assessment and penetration testing. Most companies do not understand the need for a penetration test until they experience a breach or denial of service that affects them. Rather than waiting for the inevitable, the project presents research on how pervasively criminal intent permeates the internet in search of new targets. Once that message has been received and accepted, the project details the scope of work to be conducted based on needs and cost. Time constraints have dictated the direction of this project, so a sample agreement and action plan are provided to demonstrate the fundamentals of penetration testing. The communication plan is key to this project's success; it is one of the pivotal factors that, if done incorrectly or not at all, will completely remove the effectiveness of testing. The scan-type activities enumerate the network, identify systems, and, where possible, identify known vulnerabilities before any penetration testing is attempted. Automated tools help assess the situation, leaving manual work for the penetration test itself; the methodology is automated first and manual once targets are identified. All of these activities create documentation that serves two purposes. The first is to gain a better grasp of the inventory held on site and its associated risks. The second is to prepare the company for certification and accreditation against a security standard. The final report is the assessed security posture of the company and the countermeasures it should put in place to secure the infrastructure.

Defense of the Solution

This topic was chosen because the candidate has found that not all security providers follow best practices for penetration testing; they often leave out some fundamental part, which causes poor execution, poor results, and, worst of all, disappointed clients. The security industry requires that professionals formulate a best-in-class strategy when performing tests, yet that strategy is often not shared. The information security market has not realized its full potential in securing corporate and public-sector networks. The poor security practices through which information has been leaked are the cause of the spike in hacking events in 2012. The paper goes through the details and necessary activities of a properly run penetration test. It is public knowledge that not all penetration-testing companies follow best practices, and not all have the same expertise. The project also includes a survey of penetration-testing companies, asking them to review what is going on in the industry, both for the company taking the survey and for its view of the competitive landscape. Seeking participation is challenging because the survey asks for truthful but anonymous responses. This information supports the solution and the reason for this research.

Methodology Justification

The following explains the root cause of the problems associated with penetration testing. The paper goes into detail on the process of soliciting the right company to perform a penetration test, one that determines whether the security posture would allow business processes to be interrupted or confidential information to be revealed. An actual penetration test incorporates the best practices explained herein to address the problem of ineffective testing. Additional documentation in the appendix provides the scope for the test and the reasons behind it. The causes and impact sections address what normally happens during these engagements and what should happen. The paper outlines the framework required to test a specific company and details the action items that company has to take for information security assurance. An analysis is built on research from recent reports on data and intellectual-property theft, the cost of testing, and the cost of not testing. Finally, the paper presents a solution that produces relevant results.

Organization of the Capstone Report

The report explains what is needed for a typical company looking for a penetration test. It lists and discusses the requirements and provides documentation examples of the dynamics of preparing the company for this type of activity, as well as the company preparing its assets for review. The project proceeds one step of activity at a time, each followed by a discussion of best practices and, where common, the most frequent mistakes or caveats. The paper details the actual testing appointment with a communication plan and planned tests. Notably, testing can take a different direction based on results found and require more or less effort depending on what is being tested for; this is an example of how dynamic the process is and what can be learned from it. The artifacts created give insight into the business processes the company requires in order to function and be profitable. They also show where vulnerabilities might be exploited or where devices fail. These artifacts are in the appendix for review.

Systems and Process Audit

In the following sections, the typical business audits the assets that are on site and that pose a risk by design or by implementation. The company that is the subject of the penetration test lists all its devices in preparation for the test. Each asset owner responsible for the integrity and operation of a device provides a list of devices and their functions. The company provides the business justification for each device and why it is in use today. The pen-testing team then reviews this business use to see whether the services used justify the device's existence on the network, based on industry experience. This is a form of checks and balances on what management reports as business use in its processes. If the two match, there is good cause for the device's existence. If there is a disparity, it is probably time to review its effectiveness. The list of processes associated with the assets is in Appendix B. The search here is for a return on investment associated with a process or asset. If none exists, then why test it?
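The justification check described above, observed services against what the asset owners declared, can be automated once the scan results and the asset sheet are in machine-readable form. The following Python example is added here and is not part of the paper or the client's artifacts: it parses a constructed fragment in Nmap's XML output format, compares it with a hypothetical declared inventory in the shape of the Appendix B asset/process sheet, and lists the disparities, ordered by the highest severity of any business process that depends on the device. The addresses, host names, owners, processes and severities are invented for illustration.

```python
"""Reconcile port-scan results against the client's declared asset/process sheet.

Added example, not from the paper. SCAN_XML is a constructed fragment in Nmap's
XML output format (nmap -oX); DECLARED is a hypothetical asset sheet. Addresses,
host names, owners, processes and severities are invented for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed scan output (not a real scan of the client).
SCAN_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.5.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.5.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="udp" portid="5060"><state state="open"/><service name="sip"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.5.99" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical declared inventory: for each device, the owner, the services the
# owner says it runs, and the business processes that depend on it with a
# qualitative severity (1 = low, 4 = critical).
DECLARED = {
    "10.0.5.10": {
        "name": "app-server", "owner": "operations manager",
        "services": {("tcp", 445), ("tcp", 1433)},
        "processes": [("job entry", 4), ("truck ticketing", 4), ("payroll export", 2)],
    },
    "10.0.5.20": {
        "name": "voip-pbx", "owner": "office manager",
        "services": {("tcp", 22), ("udp", 5060), ("udp", 5061)},
        "processes": [("customer calls", 3)],
    },
}


def parse_scan(xml_text):
    """Return {ip: {(proto, port), ...}} of open ports on hosts reported up."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        found[addr.get("addr")] = open_ports
    return found


def device_severity(entry):
    """A device inherits the highest severity of any process that depends on it."""
    return max((sev for _, sev in entry.get("processes", [])), default=0)


def reconcile(scan, declared):
    """Compare observed services with the declared sheet and return the disparities.

    Each finding is (kind, ip, [(proto, port), ...]); kinds are
    undeclared_host, unjustified_service, declared_not_seen, declared_host_down.
    Findings on the most business-critical devices come first.
    """
    findings = []
    for ip, ports in scan.items():
        if ip not in declared:
            findings.append(("undeclared_host", ip, sorted(ports)))
            continue
        extra = ports - declared[ip]["services"]
        missing = declared[ip]["services"] - ports
        if extra:
            findings.append(("unjustified_service", ip, sorted(extra)))
        if missing:
            findings.append(("declared_not_seen", ip, sorted(missing)))
    for ip in declared.keys() - scan.keys():
        findings.append(("declared_host_down", ip, []))
    findings.sort(key=lambda f: -device_severity(declared.get(f[1], {})))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in reconcile(parse_scan(SCAN_XML), DECLARED):
        print(f"{kind:20} {ip:12} {detail}")
```

A declared service that the scan does not observe is as much a finding as an undeclared one: either the device is down or the owner's description is stale, and in both cases the asset sheet no longer matches the network that is about to be tested.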

Audit Details

The penetration test team simulated a penetration test of an actual client and met with a high-ranking officer to coordinate the evaluation of assets. The typical services provided in a company were also evaluated: network devices, services running on the network, applications, and the supporting processes. These supporting processes were not the kind normally audited in a security-standard accreditation and certification, but ones conducted in order to benefit directly from the device's purpose. We found that the company had purchased numerous network devices, including switches that support enterprise-class configuration and management, and the servers listed in Appendix A. The server on the network consisted of one platform, which we would be testing along with the unique services running on it. The IT department personnel interviewed explained their tasks associated with each device or service, as recorded in Appendix B. That document shows the critical services associated with devices as a map and as a table for ease of reading. When the interview began, the approach was to determine which technology supported which business process and how many times technology is used. Beginning with a project bid being awarded, human input is required to enter that data into the core business application, called Streetsmarts. This is done by the operations manager and requires a workstation, a LAN (Local Area Network) connection to the server, and VoIP (Voice over Internet Protocol) services. Once the project is in the system and resources are assigned to it, tickets are made for each truck leaving the yard with asphalt. The tickets carry the project and customer information required for accounting and must be entered into the system. This is the second time that technology has to be used in order to operate and turn a profit. In summary, the total number of technology-dependent business operations, including those relying on network devices, was twelve (12). If the server were down for a long period there would be no way for the company to keep efficient records and remain profitable. Person-hours and contingent support processes would increase to maintain some workflow, but the company's ability to compete successfully would end.

Problem Statement

The company called upon the pen-testing team to ascertain where its security posture stood in relation to its network device footprint. This was the first problem to address, because the question was very vague. What they should have asked was: what must be done to ensure that our internal services are not denied availability, and that the integrity of our data does not suffer, causing business impact? The pen-testing team introduced the company to a tool it could use to establish which devices and services are important to keep running, and their severity (Appendix D). This is illustrated in the form of a device and process map, which can be seen as a list in Appendix B.

Problem Causes

The company knew about the recent rise in hacking events around the world and wondered whether it could happen to them. However, their approach was wrong: they wanted the pen-testing team to test what they had in place and give them a report based on patch level and weaknesses. They never thought about configurations, the operational behavior of devices, or the users' influence. What was discovered was that the network was built entirely on a single untagged VLAN, with no other precautions made to suppress layer-two (2) attacks. The VoIP traffic ran on the same data network without an encrypted media protocol such as SRTP. There was anti-virus software, but no intrusion detection or prevention device to alert on or mitigate threats.
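The SRTP finding above can be confirmed from the call signalling rather than by sniffing media packets: the SDP body of a SIP INVITE names the transport profile on each m= line (RTP/AVP is plaintext RTP; RTP/SAVP is SRTP per RFC 3711, with SDES keys carried in a=crypto lines per RFC 4568; DTLS-SRTP offers use UDP/TLS/RTP/SAVP with an a=fingerprint line). The following Python example is added here and is not from the paper or the client's engagement; the two INVITE messages are constructed samples with hypothetical addresses and extension numbers.

```python
"""Classify SIP INVITEs by whether the offered media is SRTP or plaintext RTP.

Added example, not from the paper. The transport profile on each SDP m= line
tells you what the phones will send: RTP/AVP is plaintext RTP, RTP/SAVP is SRTP
(RFC 3711) with SDES keys in a=crypto lines (RFC 4568); DTLS-SRTP offers use
UDP/TLS/RTP/SAVP with an a=fingerprint line. The INVITEs below are constructed
samples; the addresses and extensions are hypothetical.
"""

PLAINTEXT_INVITE = """INVITE sip:2002@10.0.5.20 SIP/2.0
Via: SIP/2.0/UDP 10.0.5.31:5060
From: <sip:2001@10.0.5.20>
To: <sip:2002@10.0.5.20>
Content-Type: application/sdp

v=0
o=2001 123 456 IN IP4 10.0.5.31
s=call
c=IN IP4 10.0.5.31
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""

SRTP_INVITE = """INVITE sip:2002@10.0.5.20 SIP/2.0
Via: SIP/2.0/TLS 10.0.5.31:5061
From: <sip:2001@10.0.5.20>
To: <sip:2002@10.0.5.20>
Content-Type: application/sdp

v=0
o=2001 123 456 IN IP4 10.0.5.31
s=call
c=IN IP4 10.0.5.31
t=0 0
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj
a=rtpmap:0 PCMU/8000
"""

SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def split_sip(message):
    """Split a SIP message into (headers, body); lines may end in CRLF or LF."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def media_profiles(sdp):
    """Return [(media, transport profile, keyed)] for each m= section.

    keyed is True when the section carries SDES keys (a=crypto) or a DTLS
    certificate fingerprint (a=fingerprint, at session or media level).
    """
    sections, current, session_fingerprint = [], None, False
    for line in sdp.split("\n"):
        if line.startswith("m="):
            fields = line[2:].split()
            current = [fields[0], fields[2], session_fingerprint]
            sections.append(current)
        elif line.startswith("a=fingerprint:"):
            if current is None:
                session_fingerprint = True
            else:
                current[2] = True
        elif line.startswith("a=crypto:") and current is not None:
            current[2] = True
    return [tuple(s) for s in sections]


def assess_call(message):
    """Return ('srtp' | 'plaintext' | 'no-sdp', streams) for one INVITE.

    'srtp' only when every stream uses a secure profile and carries key material;
    one plaintext stream is enough to expose the call on the data network.
    """
    headers, body = split_sip(message)
    if headers.get("content-type", "").lower() != "application/sdp":
        return "no-sdp", []
    streams = media_profiles(body)
    if not streams:
        return "no-sdp", []
    secure = all(profile in SECURE_PROFILES and keyed for _, profile, keyed in streams)
    return ("srtp" if secure else "plaintext"), streams


if __name__ == "__main__":
    for label, msg in (("plaintext sample", PLAINTEXT_INVITE), ("srtp sample", SRTP_INVITE)):
        print(label, "->", assess_call(msg))
```

Run against INVITEs captured from a span port during the test (or against the PBX's own signalling logs) this gives a per-call answer to whether the media was protected, which is the evidence the countermeasure section needs. Note that a=crypto keys travel in cleartext inside the SDP, so SDES only protects the media if the signalling itself runs over TLS, as the second sample's Via header shows.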

Business Impacts

When a company engages a professional service like penetration testing, it is looking for results that reveal its security posture. These results give it the direction it needs to move forward. The Sophos Naked Security blog reports: "By giving your pentesters a comprehensive overview of the application and access to architecture diagrams, configuration and even source code, you can give them a head-start and counter this asymmetry" (McKerchar, 2012). This helps align security around business processes, since most of those processes run on the network infrastructure. The key is to take the resulting report and use it as a road map to a more secure infrastructure. When a company does not invest in this type of assessment, the integrity of its business processes is at risk. The technology that helps a business compete is the same technology that can stop it. The business case is what must be done to determine the effectiveness of the company's network defenses, which ensures the continuity of the business.

Cost Analysis

The cost of performing the penetration test and reporting is based on the size of the company's assets and the depth to which the testing should go. Typically, costs start around $2,500.00 and range upward, on average, to $37,500.00 for most SMBs (small and medium businesses). This covers the testing and reporting; the remediation action required of the company is an extra cost. The average rate equates to $150.00 to $200.00 per hour for a skilled pen tester. Enterprise-sized companies can expect something in a higher range, depending on size and the difficulty of masking the attack. The client that agreed to the penetration test for this project is looking to have the following tested: a web application, network load resiliency, a workstation, and a domain controller.

The cost associated with such a test is reflected in the test plan and schedule in Appendix entries C and F respectively. The cost will be $1,600.00, since the test covers one device of each type and two services.

Risk Analysis

The risk associated with this process is that the normal outcome is failure. Improper targets, no risk assessment, misinformed clients, no legal counsel sought before the engagement, and selection of the wrong pen-testing group will all produce failure. We know the risk of attack is high because we live in a highly interconnected world. Some startling facts put into perspective why a penetration test should be done the right way. An October 2012 report from Imperva stated that the following attack types are on the rise in discussions on hacker forums: DDoS at 19% and SQL injection at 19%. Notably, the report states that security professionals do not spend time on hacker forums to learn the tools and techniques (Imperva, 2012). The Verizon Data Breach Investigations Report for 2011 highlights some of the most significant threats and their mode of insertion. It reported that 98% of data breaches stemmed from external agents and 58% of all data theft was tied to activist groups; in addition, 98% of attacks transpired on servers and were not difficult to execute (Verizon, 2012). Therefore, it is paramount when considering a penetration test that you know your systems and what to test. Statistics supporting the success and failure of penetration tests are hard to acquire in the time available for this paper. A few inquiries went out to penetration-testing companies and the feedback was minimal, but this is what was reported. The following draws on in-depth research beyond the right way and steps to conduct a penetration test. A company called Netragard produced a publication that reflects the objective of this paper. In it, Netragard highlights the terminology and the differing perspectives that make objective penetration testing subjective to the buyer. It is unfortunate that not all companies provide the best service, judged by the services advertised alone. Before that end is reached, here is what Netragard had to say about terminology. Penetration testing is just that: breaking through something to test an exploit. "Since Penetration Tests are tests, they must determine the genuineness of the vulnerabilities that they identify, hence the word test. In most, if not all cases this determination is done through exploitation" (Netragard, 2012). If you are going to test something, then do that. Most clients buying the service think that vulnerability scanning and reporting is all that is necessary. This is incorrect. Penetration tests have a statistical average of success and failure. While these rates are not easily discovered, a recent survey of professionals has been included in this project. On self-review, most companies estimated around 17% of engagements unsuccessful, making 83% of what they do delivered and accepted. The industry peer review was 8% higher in the unsuccessful rate, at 25% on average, with 75% success on assignments. This project has made it explicitly clear that communication, and educating the client about what the penetration test is intended for, helps move these ratios toward a more successful rate. During the survey, many of these companies were given a chance to comment on the factors that help or inhibit a penetration test. Respondents reported the following key points from field experience as promoting a successful penetration test. The most effective test is a white-box test where network diagrams and user accounts are made available. Automation can only take you so far, and creative manual testing will often provide points of entry. Social engineering, while not used in this test, has been a big source of information among the general user population; survey participants noted that even seasoned security professionals on site would tip their hand to sensitive information, providing a way to plant a rootkit or back door. The following freestanding statements provide interesting points that support the project's goal, technically and in communication. A respondent stated that a good communication plan, with an agreed limit for testing, is a good practice. Know the effects of the tools before you use them, so that the expected result is what you observe. Cooperative staff on the client's side often yield better results, testing exactly what the client needed. Clients that take security seriously and have policies surrounding security produce reports with close to zero exploits. The other side of effective penetration testing is when a test does not deliver what is outlined in the test plan, or fails to test at all. Survey respondents stated that pen tests are treated like a witch-hunt: the client balks, and if anything is found they treat it as their own failure. Terminology and the objective of the penetration test are often miscommunicated, and terms like vulnerability assessment and pen testing are confused. Those two terms are not the same. Running tools you are not familiar with yields results adverse to the test plan and, worse, adverse to the client's devices. A hardened network infrastructure is not a reason for failure in a penetration test: while nothing may be exploited, the test ran according to plan.

Detailed and Functional Requirements

Functional (end-user) Requirements

The company in this case is the end user that must provide documents and configurations to the pen-testing team in order to make the best use of time and resources. This gathering of information must start in the operations manager's office, with the understanding that we need to speak with all the asset owners in order to capture the assets and the way they are used. Since the client has a small operation, the current office was sufficient. Legal counsel must be sought to represent the client's best interests and the consequences. Good and bad can come from penetration tests, and the liability has to be addressed and agreed upon by both sides. Seeking a lawyer with a technical background in penetration tests is the best choice. The laws mandating compliance for publicly traded companies are stricter and further reaching, and the requirements to be tested need to match the legal requirements. During the test, there must be communication between the pen-test team and the client to ensure that no permanent damage occurs from testing. The client has to draw a line as to what is permissible and what is not. This paper strongly holds that communication during a penetration test at a site is paramount in order to stay on plan and provide results without impacting the client or damaging assets. While the penetration test in this project was simulated in a lab away from the client, the infrastructure was an exact copy. Good communication helps the pen testers as well as the client requesting the test. A sample communication plan is included for completeness of the project.

Detailed Requirements

The company will use the sheet provided in the appendix to track assets and the processes associated with each device. Next, they will evaluate the severity of each process and the outcome should that service, and eventually the device, become unavailable. The pen-test team takes this information under review and also provides its own assessment after the test; the evaluation is included in the final report. All legal arrangements must be made concurrently while both sides work towards a plan and an agreement. This agreement needs to be reviewed by both sides' attorneys.

Existing Gaps

The current state of penetration testing relies on the penetration testers doing a perfect job of informing the client of requirements and testing against those requirements. The gap lies in the information presented versus the information comprehended. As noted earlier, this can be test types not fully understood. If the industry as a whole could close this gap, it would help the client in many ways. There needs to be a link to common terms that both sides understand. The client will also know that the test will only work if the objectives they provide are clear and not vague. The next thing that will change is the way the industry is viewed. There is a perception that security is an unneeded expense and that high-tech analysis is really a luxury. Companies will eventually get the security services they need to obtain a snapshot of their security posture and action items to remedy any variance from the goal. In addition, the project will identify security standard certification steps that a company can follow so that the expense and effort count twice.

Project Design

Scope

This project is going to include the presentation of terminology correctly used in this field, a guideline of how a penetration test should be planned and executed, and the dynamics of the process of doing a penetration test. The project should tell a clear message of how to proceed with a penetration test for the client and for the professional organization providing the service. The documentation that will be provided will give the reader a better understanding of what it takes to have an effective penetration test. The statistical analysis, testing, and survey should clarify the inhibitors and enablers of effective penetration testing. What will the project include and exclude?

Assumptions

The following are assumptions that have been seen or demonstrated in the industry. They include contradicting views on terminology, insufficient definition of assets and targets, poor execution of the penetration test, little or no legal counsel and agreements prior to commencing, and the best talent used incorrectly.

Project Phases

There are various phases over the course of a penetration test that need to be executed the right way from the start. The phases of this project are going to encompass these but also include other phases. The phases are as follows: problem statement, preliminary research for a solution, in-depth research, meeting and planning with the client with signed written approval, performing the assessment, and providing the report. This can be bulleted as follows:

Phase 1 - Problem Statement (reason for the research)
Phase 2 - Preliminary Research (supporting the problem)
Phase 3 - In-depth Research (survey of pen-testers)
Phase 4 - Meeting and Planning
Phase 5 - Assessment (actual penetration test)
Phase 6 - Reporting

In phase one we have the project, its problem statement, and what we are going to prove. Industry knowledge, recent articles, and education will present the problem and how it can be fixed by following the right process. When phase two starts, it will be confirmed by preliminary research from recent reports as to the effectiveness of penetration tests to date. Most will be industry knowledge and a few supporting reports and publications from penetration testing companies. The third phase is where the project gets real-time information from

professionals in the field and incorporates this into the project with survey results. These results will confirm phases one and two and provide conditions to be advised of that can help or inhibit the penetration test in phases four through six.

Just like going through a security audit, we must identify the assets that need to be tested and their owners. This is important because we have to know how they are used every day and what services are really going to need testing. This is where most companies make mistakes: giving the keys to the place to the pen testing group and stating "please test these devices", but for what? The pen test team will want to review with the CIO what daily operations are like and what services are being used over the internal and external-facing network. This interview will help the pen test team ask the right questions and steer the company down the right road for their testing requirements. In addition, it helps gauge what level of testing and time will be required and charge the right fee. Shortly after the meeting the company will be engaged in inventorying the assets that are in production and what services are on them as they are being used.

The next step is phase four, where the pen test team takes the information from the client and builds a test plan. This test plan is going to cover what the client wants to test for and how the team is going to do the test. A good penetration test team will have a communication plan stating when they are executing certain attacks and what the outcome should be. The IT Manager or Director should be the only person beside the executive officers who knows a test is in progress. This liaison between the company and the pen test team will alert the lead pen tester if anything adverse is happening that inhibits daily operations, if that is what is agreed.
It may not be agreed upon to stop an attack; the agreement may be to let things break and test how well the company IT personnel respond. This will be submitted in person with the legal written contract

for the client to review. In the contract are the details about the impact of the test and the fact that the pen test team will not be prosecuted for conducting otherwise illegal activity inside or from outside the company. The contract needs to be signed by the CEO or CIO of the company, giving approval in writing to do a penetration test because of the potentially damaging impact it can have on assets. Both sides' legal resources must review the legal obligations prior to signing the contract. There may be some tests that the client is not so accommodating about and will not want to take place. The agreement is going to be as comprehensive as the test plan. In fact, the test plan is what will be signed as the two sides go over every test.

The fifth phase of this project is going to be the actual penetration test itself. When the company chooses the time, the pen test team will insert themselves in the ether and begin their assessment. If the pen test team gets the cooperation of the company to do a white box test, then it will go faster and less cost will be incurred. If the company has chosen to let the pen test team do a black box test, then the cost will be substantially higher. This phase of the project is where the dynamics are in play. The ethical hackers are in the ether, scanning and footprinting the entire architecture to make sure it matches any documentation provided. The hackers are working according to the test plan and will be executing vulnerability assessments and then exploiting what they have found. Appendix C will detail the test plan as to what networks and machines are being targeted with what attack, and what the result should be if exploited. The client may very well provide a list of items already scanned and identified as weak, and would like to know what to expect if a service or device is taken down.

The last phase is number six, the reporting portion of the project.
What will be proven here is whether the penetration testing team listened to the client and executed. The report should contain the test plan objectives with a detailed explanation of how each test

resulted. Next, there should be some suggestions in the report that will help the client remediate any vulnerability exploited during the test.

Timelines

Each step in the process must be completed in a relatively short and agreed-upon time. The nature of the testing and the urgency of reporting are vital to both the client and the pen test team. Phase one has already begun and will take about 14 days to complete. Phase two was kicked off about a week after phase one in order to provide facts for the argument to be proven by the candidate. After about a week of statistical research, phase three was started. Phase three will be the longest, as it is very difficult to get people to participate. However, these are real-life statistics that come from the field. The candidate will have to perform a theoretical test based on a local client to apply this theory about an effective penetration test. The interview and review of documentation will provide a sampling of data that will be measured against the effectiveness of testing best practices.

Dependencies

Phases four through six cannot be completed until phase three is done. Notably, phases four through six cannot be completed until a client is secured; even if the test is theoretical, it will be based on a real client network. The interview with the client must occur before the scheduled phase five in order to complete the project. Once the requirements are outlined and understood, the rest of the project will proceed as scheduled.

Resource Requirements

The hardware requirement is for the test to take place on a network with routers, switches, and servers. The labor required for this will be at least one person with no maximum, but two or three will expedite the testing far more than one. This agreement will require an

additional resource: an attorney who reviews the legal document that authorizes and binds the two parties to operate professionally with the client's interest as the focal point. The company providing the service will provide the names of the team members that will be coming onsite or working offsite to perform the test. They will have to comply with company policy that the participants all have to be US citizens and have a clean criminal record, or one that has been made right as evidenced by documented testimony of character and the signature of the individual recommending them for this service. The pen test team will be utilizing communication so that the testing remains on schedule and adheres to the test plan.

Risk Factors

There is a possibility that outside forces can affect the testing. If the day of the penetration test becomes known to more than just the Operations Manager or President, it can have adverse effects, as administrators and asset owners will be hardening their devices, or maybe even shutting them off or acting out of the normal sequence to throw the test. This type of testing is very imposing and intrusive, not just because of the type of test but also because of what it means. The test is a measure of a company's applied security practice. People can influence the test just as people can influence an experiment, by tampering with the subject matter or communicating what is happening, so that responses may not be authentic. This will taint the test. Some conditions can exist that intrude upon the test, making it difficult to execute. The penetration tester can have an off day or fail to push a test as far as they can. Time constraints and other operational issues may inhibit a test from moving according to plan.

Important Milestones

One of the most significant milestones this project can have is the meeting with the client. This is by far one of the most rewarding experiences, where the penetration testing team can help

a client determine the level of security of their infrastructure. Educating the client as to the terminology and risks facing their company will prepare them for the test and the real world. Moreover, removing any barriers and resistance to investing in security will be done at this point by demonstrating a return on investment. The second milestone, and the most anticipated, is the actual test. The test will have a schedule to adhere to, but that does not mean that the testers will not have the option to perform certain exploits outside of the script. You can only speculate what you will be doing at the planning stage of the test; the rest will be figured out when on site. Environmental changes occur that may go unplanned, and the team may have to come up with another entry into the system or possibly even stop an attack if it exceeds the threshold mutually agreed upon by the client and the testers. The last milestone will be the report. When all the testing activity has subsided and the network is in a normal state, a report will be made. Here is where a learning opportunity presents itself to the client. The results will show where they are weak, and a remediation plan will show how they can counter their vulnerabilities.

Deliverables

The list of deliverables will be a well-designed approach to the project, a meeting and signing of the contract agreement and test plan, a list of considerations for the legal implications, an action plan (pen tester's schedule), a communication plan, and a test results and countermeasures report. Most of what will be provided is working documents and results. The tools required to achieve this will be BackTrack 5 RC3, Nessus, Armitage, Nmap, and Microsoft Baseline Security Analyzer (MBSA). The way in which they are used will be in the report.

Methodology

The methodology implemented in this project is a theme based on the fundamentals of reading, understanding, and executing. When the penetration testers engage the client, they want to educate the client and make sure the terminology is understood. Once this is accomplished, the dialogue that takes place will be natural, as the exchange of questions and answers helps move the client along to getting their test objectives correctly set. As the client moves through each phase in this project, the penetration testers will manage the client to ensure that, once they understand what needs to be done, they begin providing the documentation of assets for a speedy and thorough test. This is another checkpoint of the fundamentals: to review who we are, why we are here, and what exactly is going to be tested. The methodology of planning, doing, checking, and acting is a common theme among security standards. This is fundamental to validating the details to make sure assets and supporting processes are really going to have an impact. Pivot Point Security brings up the fact that a well-scoped penetration test requires a lot of effort, and more so for a full security audit (Pivot Point Security, 2012).

So the first phase will be addressed by planning and the communication required to achieve the next phase. The second phase is the research, and here we relied on industry knowledge and awareness along with some sources. This is where we are looking at the problem at a high level. The issue of being effective exists here, and we now have to look at what we are going to do about it. Additional sources have been provided to show just how stark reality is when nothing is done about security. Phases one and two are closely related, but phase three is where the methodology changes from traditional research to real-time investigative queries. The response to the survey that will shed some real-time light on the issue is slow going.

Phase four really takes on a new dimension for the project, as research and planning become applied directly in the project. A real-life penetration test will begin and the client is going to benefit from it. The dynamics of business, technology, and economics come into play as the client reaches for security and the penetration tester extends to deliver a business solution. The resulting economic exchange benefits both parties, as the payment is an investment in the longevity of the company. As we progress through the phases, the real-time interaction goes up and the amount of research decreases. In the last phase, the reporting does go back into a research mode as the penetration team provides reasons for the holes and the best countermeasures to counter them. The strategy being used here is the fundamental approach to an effective penetration testing initiative. The other methods cannot produce results because those methods miss the mark. They miss the targets of educating the client and providing the objectives and the test plan rationale. The outputs from going through this process, like the legal framework and the documentation created, can be applied to ISO 27001/2 certification and accreditation, FISMA, and HIPAA compliance.

Approach Explanation

The approach to solving the problem is to carefully identify the problem and understand why it is not working. The past has shown that a combined 20% failure rate is not exemplary. In order to identify what is going on, you have to slow down and identify the pieces that interact to bring the results you are looking for. The way this project is scheduled is to do just that. Theoretically, one could just run through the activities and try to do a better job than the first time through the penetration test. That approach is doomed to fail, since there is no change in activity except a more careful second approach to the same environment. The issues

are still present and no one has learned the difference or the importance of taking the time to identify underlying issues. Questions are raised as to whether it was process, documentation, communication, or even the testing skill set. Repeating something and expecting different results is akin to insanity. Changing the approaches in other phases can significantly change the outcome of the project. At any phase, giving no time to providing the details of devices and services to test, the test plan and agreement, or the actual assessment can lead to missed targets. The assessment phase could rely on automation and not get the right results. The assessment phase could concentrate too much on manual testing and miss the delivery date. The focus can change during the assessment based on real-time results, tunnel vision of testers, and client intervention. Therefore, it is vitally important that the test plan is followed and communicated to the penetration test team in real time. This depends on the size of the client and the scope of the test. Any changes that do occur have to be evaluated by the lead on the project based on knowledge and experience. If the approach changes in phase six, where the report is delivered, there can be some negative effects. If the report is delivered by email, there is a chance that it is intercepted. If the report provides little to no remediation tips and countermeasures, then the reason for the test is lost. How the report is generated can also be a factor in its effectiveness. If only automation is used and reported, that is failure. If some automation is used and some manual testing is used but not included in the report, that is failure. There needs to be a time of learning in order to promote security. Defining how the attack was done is the reason for the hired service.

Approach Defense

It is evident from the preceding paragraphs that the approach must be well thought out and followed to be effective.
This project has outlined the timeline and steps required to be

effective. The approach that is represented by this project is very scalable depending on the availability of resources. In each phase, there is documentation of the meetings and objectives to get the security posture defined at the end of the project. Each phase requires that both sides understand their objectives and the mutually agreed-upon goal. As each phase comes and goes there is going to be a check and balance, as the next phase is not possible until the previous phase is done. This check will be a call or email between the provider and the client as to when to proceed to the next step. This is especially true for phases four through six. Phases one through three can be done out of order, but the results of each naturally empower the next phase to begin. The justification for approaching the project in this manner is to educate the client and the penetration tester in best practices in penetration testing. A post-process benefit of this project is that the company, private or public, stands to gain a significant advantage in reaching a security certification and accreditation by continuing their security audit in an elected framework. Each phase from four to six will allow the client to benefit from the project. Assets and the processes associated with the assets are going to be defined for risk and impact. It would be wise for the company to quantify the assets and the associated risk if something were to happen. This work should be done after the first meeting, with an agreement to pursue. This technical and business assessment aligns the technical process with business objectives, which falls under corporate governance.

Project Development

Hardware

The hardware that is used for the test will be the penetration tester's laptop and a server for the virtualized environment. The hardware used at the test site will be subject to the items listed in Appendix A for servers and network devices, as executed in the test plan as time permits.

Software

There will not be any software developed for this testing. There may be some customized scripts, but no development of software for testing at the client location. The penetration testing software that will be used is BackTrack, with several software pieces contained therein. These particular pieces will be mentioned in the test plan; here are a few: Ettercap, Metasploit, Nessus, and Nmap.

Tech Stack

The layers of service that will be tested against are those of the OSI model, as well as some applications, again per the test plan in Appendix C. Most of the testing will be targeting layers two through four and occasionally layer five.

Architecture Details

The client will provide the following information. When the architecture is known, as for a white box test, it will be referenced here, but the details are in Appendix A. The network consists of a flat network with one (1) server and ten (10) workstations. The penetration test only used one (1) workstation and one (1) server. There are VoIP phones, but they were not tested due to time constraints.

Resources Used

The resources required to do the test are just one penetration tester and their laptop, due to the size of the client and the project timeline. The client's hardware will be the test subject and is listed in Appendix A. No other resources are required.

Final Output

The output of this testing is to provide the client with a security posture assessment so that future action can be taken to remediate the vulnerabilities. The tangible result will be the

report that follows the test plan. This test plan covers the objectives that need to be tested per the client's request. The results will include the objective, the exploit used, the report, and the steps to remediate the vulnerability. The intangible will be the knowledge the client gains from having the test performed, as well as a roadmap to better security. In addition, the client will have the ability to start the task of becoming compliant with an industry security certification. This can be either ISO 27001/2 for private companies or FISMA compliance by following the NIST SP 800-53 Rev. 3 publication for the public sector.

The initial meeting with the client showed the client just how susceptible the equipment and applications on site are. Once the client realized the potential for loss, they were convinced the penetration service was needed. The subsequent meeting that took place was an interview that detailed the business process flow from the beginning of profit-making activities. These activities are seen in Appendix B, Critical Services, and Appendix D, Audited Processes. The inventory was also taken and recorded, noting that an outsourced IT company was taking care of the run-and-maintain aspects. After the meeting, the penetration testing team went back to the office to outline a test plan and a contract agreement, noted in Appendix G. The client did not have a technical lawyer to understand the effects the test would have, but was knowledgeable enough to know the impact if business processes were damaged beyond resumption. Most important to know is that the data and services required by the business stay functional even after the test. Notably, any client information or financial data of the client's customers must also retain its integrity and confidentiality. The laws requiring that client information remain private are extensive. None of the more popular federal laws applies to this private client; however, the law is the same.
The penetration team then submitted the test plan and the contract agreement to the client for written permission to test their network.

Quality Assurance

Quality Assurance Approach

The quality management approach to this test is to communicate and plan, and then check often at each phase whether the project is staying on course with its design. If at any step the communication and understanding of what needs to be done or explained starts moving off target, then the lead penetration tester will assert themselves to regain control and proceed as planned. The accountability between the two parties will remain in effect as part of the deliverables from the test plan. Both parties will sign the test plan after it has been reviewed by legal counsel. The terms and conditions will be set to protect each other while driving the process forward.

Solution Testing

The solution chosen for this project has been explicitly described in ISO 27001/2, in which assets, processes, and associated impacts must be defined. This practice has been emulated here in the penetration test process and provides a methodology for the client to move forward. The methodology is a plan, do, check, act process explained in the ISO 27001/2 standard as well as in the Risk Management Framework, but with different steps. Most ineffective penetration testing is a result of poor planning and communication of the needs of the client and of the solutions from the penetration testing team. There is research supporting that security testing does not always go as purchased, meaning that what you bought is not what you are getting. Some of that research has been provided herein. The way in which this solution is to be tested is by a real penetration test, documented here.

Implementation Plan

Strategy for the Implementation

The strategy for this project is plan, do, check, act in its simplest form. What we have seen from other strategies is to throw resources at it and produce some manufactured report that really does not explain why exploits occur and how they affect the client's business processes. The following description of the phases of rollout describes in detail how the project is to run. Is the test just for insecure configurations and port usage, or for patch level? Is the testing going to be conducted in isolation, or as the devices are used together with other technology that provides a service? Will application source code be accessible to review for vulnerabilities? Can scripts be made to validate it? Questions like these need to be asked in order to get the scope of the test defined. Therefore, the asset owners are to make a list of the devices that provide services which, if not protected, could disable the company from making a profit. This will be in preparation for the execution phase.

Phases of the Rollout

The sequence that will be used in rolling out this test will be done in the following manner. First, there has to be a meeting between the penetration test group and the potential client. It is here that the client will understand the explanation of terms and services, and which of those they will accept in an agreement. In between the presentation of services and the signing of the agreement, the company needs to seek legal counsel. What the company needs to do is get legal advice from an attorney that has knowledge of technological testing, where intellectual property, assets, and risks operate in the same arena. The lawyer has to be knowledgeable about 18 USC Sections 1029 and 1030, PCI, Sarbanes-Oxley, as well as other laws about privacy and disclosure.

The company will coordinate with the lawyer to make sure that the vendor they choose to go with operates under an agreement. The next step is to make sure that the client has instructions to prepare documentation for what is to be tested. In order to conduct a penetration test correctly, the client will have to define their assets and organize them. Know what is in your possession and know what needs to be tested. This could mean assigning ownership of the asset analyzed. There are a few tools to help with the risk assessment. The client is to pick a tool or two: one that measures risks in software like operating systems and one that does networks. One tool is referenced in Appendix B. This needs to be completed in preparation for the penetration team to do their testing. It is entirely up to the client, before any testing of the infrastructure, to put in place a communication tree between the CIO and the outsourced vendor. This way, if something does affect the production network, someone can stop it or inform the staff that this is expected today.

The next thing the client needs to do is calculate the risk. Most often, it is the quantitative assessment and then the qualitative. However, here are the two assessments presented by the two formulas: Calculate Risk = Vulnerability X Attacks X Threat X Exposure (Snedaker, 2007). This will definitely get a dollar amount, but there is some subjective evaluation of the attack and exposure. Again, this qualitative weight in the quantitative formula makes it a kind of hybrid. Unless the client is benchmarking from proven studies to extrapolate the numbers, there will be some subjective input. The latter formula could be qualitative, as the reference to the frequency will be subjective in the first-year run. The subsequent years can more easily define risk as quantitative. A historic record will assist you in the following years.
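As an added illustration of the risk calculation above and of the asset/process sheet the client fills in (example code written for this edit, not part of the paper), the following Python scores each row with the Snedaker formula and with a frequency times impact rating, and replaces the subjective year-one attack frequency with the historic record once one exists. The factor scales, the dollar meaning given to Exposure, the rating bands and the sample rows are all assumptions.

```python
"""Added example (not part of the paper): a risk worksheet over the client's
asset/process sheet.  Each row is scored with the paper's quantitative formula
Risk = Vulnerability x Attacks x Threat x Exposure (Snedaker, 2007) and with a
qualitative frequency x impact rating.  Scales, bands and rows are assumptions."""
from dataclasses import dataclass, field
from statistics import mean

# Assumed bands for the qualitative frequency (1..5) x impact (1..5) product.
QUALITATIVE_BANDS = ((4, "low"), (9, "medium"), (15, "high"), (25, "critical"))


@dataclass
class ProcessRow:
    """One line of the asset sheet: a device, the process it supports, its owner,
    and the risk factors the client fills in (all scales are assumptions)."""
    asset: str
    process: str
    owner: str
    vulnerability: float            # 0..1: chance an attack on the device succeeds
    attacks: float                  # attack attempts per year, subjective in year one
    threat: float                   # 0..1: capability and motivation of the attacker
    exposure: float                 # dollars at stake if the process is lost
    impact: int                     # 1..5: severity of the process being unavailable
    history: list = field(default_factory=list)  # incidents seen in each past year

    def attacks_per_year(self) -> float:
        """Prefer the historic record once one exists; fall back to the estimate."""
        return mean(self.history) if self.history else self.attacks

    def quantitative_risk(self) -> float:
        """Risk = Vulnerability x Attacks x Threat x Exposure, as dollars per year."""
        return round(self.vulnerability * self.attacks_per_year()
                     * self.threat * self.exposure, 2)

    def frequency_band(self) -> int:
        """Place the attack rate on the 1..5 frequency axis of the risk chart."""
        rate = self.attacks_per_year()
        for ceiling, band in ((0.1, 1), (1, 2), (5, 3), (20, 4)):
            if rate < ceiling:
                return band
        return 5

    def qualitative_rating(self) -> str:
        """Label the frequency x impact cell of the chart."""
        score = self.frequency_band() * self.impact
        for ceiling, label in QUALITATIVE_BANDS:
            if score <= ceiling:
                return label
        return "critical"


def risk_register(rows):
    """Build the register the pen test team reviews: highest dollar risk first."""
    register = [{"asset": r.asset, "process": r.process, "owner": r.owner,
                 "annual_loss": r.quantitative_risk(),
                 "rating": r.qualitative_rating()} for r in rows]
    return sorted(register, key=lambda e: e["annual_loss"], reverse=True)


def total_expected_loss(rows) -> float:
    """Sum of the quantitative risk over the whole sheet."""
    return round(sum(r.quantitative_risk() for r in rows), 2)


# Constructed sample sheet for a small flat network (server, workstation, phones).
SAMPLE_SHEET = [
    ProcessRow("SRV01", "order processing database", "Operations Manager",
               vulnerability=0.6, attacks=12, threat=0.7, exposure=50_000, impact=5),
    ProcessRow("WS03", "invoicing", "Accounting",
               vulnerability=0.8, attacks=30, threat=0.5, exposure=8_000, impact=3,
               history=[2, 3]),   # two years of records replace the guess of 30
    ProcessRow("VOIP", "customer calls", "Sales",
               vulnerability=0.3, attacks=4, threat=0.4, exposure=5_000, impact=2),
]

if __name__ == "__main__":
    for entry in risk_register(SAMPLE_SHEET):
        print(f"{entry['asset']:6} {entry['process']:26} "
              f"${entry['annual_loss']:>10,.2f}  {entry['rating']}")
    print(f"total expected annual loss: ${total_expected_loss(SAMPLE_SHEET):,.2f}")
```

The register ranks the server's order processing database first because its dollar exposure dominates, while the workstation drops from the year-one guess of 30 attacks to the 2.5 per year its own history shows.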
Finally, when the penetration team arrives on site or at a location for the coordinated effort, the first thing will be for the leader to go over the test plan. Each penetration tester has

their own skill level and strengths, and will be charged with the activity that is their strong suit. This will complete phase one of the assessment. In phase five of the project the penetration testers will be actively engaging their targets while keeping the lead informed of successes, failures, or peculiar findings along the way. These real-time results will be recorded, and resources may be allocated to different focuses as time and the test warrant. Phase six will end the agreement: the test results and countermeasures will be supplied in a hand-delivered report. This helps ensure that no information gets out about the client's test results.

Details of the Go-Live

The project will be fully implemented when the penetration test is completed and the results delivered. If a company cannot be found for a real test, one will be used for a theoretical penetration test.

Dependencies

Dependencies are the items that must be completed before proceeding to the next phase. This project outlines at least three phases that should be completed before the penetration test begins in phase four. The documentation is very important and must be completed, or the entire results of the project are in jeopardy. The documentation created and the processes driving this project will help make the penetration test more effective.

Deliverables

The deliverables are going to be both tangible and intangible because of the technology used. The first realization of achievement will be the report following the penetration test. First, as in, the first derived from the process exclusively for the sake of gain. There is no higher achievement. Notably, the process itself will yield both tangible and intangible deliverables in

29 the form of the process to list and quantify assets and their associated risks as intangible foundation for other security standards. Also the tangible asset sheet and numerical value assessed in determining the risks. These three deliverables are the essential part of this project. In terms of creating the effective penetration test, that deliverable the client and the penetration team benefit from. Both parties can walk away knowing that they had set out and done exactly what they were going to do. Training Plan for Users This project does not provide any training however in order to achieve success the terminology that will be taught to the client will be considered training. Risk Assessment Quantitative and Qualitative Risks Costs are the number one driving factor around security if you look at it from the results. Costs will be incurred if no security measures are taken. In addition, costs are required to assure a certain level of security. Finally, costs are the numerical value that is debated between departments when determining where to spend money. Now with this mindset the quantitative and qualitative risks are going to be defined. Qualitative risks associated with security have been referenced in the preceding paragraph and it sets the scene for the discussion here and in the next paragraph for quantitative risks. How well do you know your network infrastructure? This question is to be the subject of the project and evaluated in terms that are relative to risk of missing business opportunities. The risk associated with not defending the network perimeter can be devastating. First, the client may not have confidential and available resources anymore. The downstream network devices may not be able to provide services as they used to if software is being hacked or some malware Page 29

30 has inserted itself onto the network. There is a numerical value associated with this but for this case we are looking at the inability for the client to remain productive and generating profit for the shareholders or stakeholders in the wellness of the organization. What are the items at stake. They are jobs, income, reputation, and liability to name a few. This impact on operations from not having a penetration test evidenced by the likelihood, frequency, of an event is to take place. This can be matched up to costs and become quantitative later. Most times this is represented in a chart with X and Y axis filled with frequency (X), impact (Y), and events is the row on top along X axis. The project is to safeguard against the possibility that the event will take place. Now quantitatively speaking the cost can be found by applying cost to certain events or assets and their frequency. This part of the project may or may not be completed by the client but should in order to progress down the road to a security standard certification. The first cost to review is the reputation. This cost is priceless and should be protected at any cost required. When you have lost, your reputation from a breach there is no recovery depending on type of breach and trade. There may be other costs of not doing the penetration test for a hosted web application tied to an internal database. Here, if a hacker could make a way in through SQL injection or stack overflow there might be some information or access given to help the hacker get in. Quantitatively the cost of a down website is proportionate to the amount of sales generated on any given day if nothing further is done from the event. Cost/Benefit Analysis Below are a few cost benefit analysis if certain criteria exists without action. If no penetration test occurs, then the cost of an intrusion and leaked data can be exceedingly high. 
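The frequency-by-impact chart and the cost-times-frequency step described above, as an added example that is not part of the original project: it scores constructed sample events with the 3x3 Low/Medium/High/Critical grid from the qualitative risk matrix appendix and computes an expected annual loss per event, then ranks the register. The event names, per-event costs and yearly frequencies are assumed sample values; the $89,000 lost-laptop figure is the one quoted in the text.

```python
"""Qualitative rating and quantitative expected loss for a risk register.

Added example, not code from the original project. Implements the
frequency (X) by impact (Y) chart and the cost-times-frequency step
described in the text, using the 3x3 rating grid of the project's
qualitative risk matrix appendix. All events, costs and frequencies
are constructed sample data.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# RATING_GRID[impact][frequency]. Rows (impact) run high to low and
# columns (frequency) low to high, matching the appendix grid.
RATING_GRID = {
    "high":   {"low": "Medium", "medium": "High",   "high": "Critical"},
    "medium": {"low": "Low",    "medium": "Medium", "high": "High"},
    "low":    {"low": "Low",    "medium": "Low",    "high": "Medium"},
}

RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class RiskEvent:
    name: str
    frequency: str          # qualitative: low / medium / high
    impact: str             # qualitative: low / medium / high
    cost_per_event: float   # assumed dollars lost per occurrence
    events_per_year: float  # assumed expected occurrences per year


def qualitative_rating(event):
    """Look the event up on the frequency/impact grid."""
    if event.frequency not in LEVELS or event.impact not in LEVELS:
        raise ValueError(f"unknown level on {event.name!r}")
    return RATING_GRID[event.impact][event.frequency]


def annual_loss(event):
    """Quantitative step: cost of one occurrence times occurrences per year."""
    if event.cost_per_event < 0 or event.events_per_year < 0:
        raise ValueError(f"negative cost or frequency on {event.name!r}")
    return event.cost_per_event * event.events_per_year


def rank_register(events):
    """Highest qualitative rating first; ties broken by expected annual loss."""
    return sorted(
        events,
        key=lambda e: (RATING_ORDER[qualitative_rating(e)], annual_loss(e)),
        reverse=True,
    )


# Constructed sample register. The lost-laptop cost is the figure quoted
# in the text; every other value is assumed for illustration.
SAMPLE_REGISTER = [
    RiskEvent("Core application outage (DoS)", "medium", "high", 12000.0, 0.5),
    RiskEvent("Workstation malware via email", "high", "medium", 3500.0, 2.0),
    RiskEvent("Lost laptop", "low", "medium", 89000.0, 0.25),
    RiskEvent("Printer misconfiguration", "medium", "low", 200.0, 3.0),
]


def register_report(events=SAMPLE_REGISTER):
    """Return (name, rating, annual loss) rows in priority order."""
    return [(e.name, qualitative_rating(e), annual_loss(e))
            for e in rank_register(events)]


if __name__ == "__main__":
    for name, rating, loss in register_report():
        print(f"{rating:<9} ${loss:>10,.2f}  {name}")
```

The qualitative rating decides the order in which items reach the executive office; the annual loss figure is what gets compared against the cost of the countermeasure. In the first year both the frequency level and the events-per-year value are estimates, which is the subjective input the text warns about; replacing them with counts from the incident record in later years is what moves the register from qualitative to quantitative.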
A lost laptop has been reported to cost $89,000.00; imagine what would happen in a break-in that could total millions of dollars. Symantec reported that the average corporate breach cost $5.5 million (Symantec, 2011). Most of these breaches involve Trojans, worms and viruses rather than what the public thinks of as intrusion by hackers through the network front door. Most networks have good firewalls, so a direct intrusion through the firewall is not the usual path. If the penetration test proceeds without proper tracking and yields results that were not requested or are incorrect, then the cost can be high, including the cost of the penetration test itself. Some exploits will get past the penetration testers, and the company is looking for a good assessment: no penetration test can find everything in the time available, but it does give a snapshot in time of how the security posture stands in a few key areas. There will be no cost overrun, as this activity is budgeted, and if effective it should provide a return on investment. Notably, the client chosen for this is in the petroleum refining industry, and when the Symantec-sponsored risk calculator was used to estimate the client's risk, the results were fitting. According to the risk calculator, this client stood to lose approximately $98,000.00 for each data breach event. Considering that the client is not very large and does not have a large attack surface, this result is suitable, as shown in Appendix I.

Risk Mitigation

The process of identifying risk is important in order to protect the business from adverse effects on a device, business process or objective. Risk is defined by the opportunity that exists for something to go wrong based on design, configuration or use; it is the overall scope of devices, processes and threats together with the frequency or likelihood that a negative event will occur. The risks that the client identifies will be the ones tested. Effectively mitigating these risks must begin with identification, after which they are solved. The best way to mitigate a risk is to find the vulnerability, patch it and prepare a plan around it. The cost to avoid, defer or prevent the risk is the secondary driving force in selecting a mitigation; the primary driver is the business-process benefit. If avoidance is chosen, some aspect of the business is omitted, which can mean a loss of income in exchange for not facing the risk; the client would have to ask itself whether removing a line of business is worth not facing the risk. If a business process with such a high impact cannot be dropped, then the associated high cost of mitigating the threat will be incurred. Where the risk that a zero-day or other vulnerability affects the client's core business application is high, the action is preventative. Preventative action could be to have a custodian of that application present to patch and monitor the application and the data it produces. There could be a secondary server that is kept offline, patched and ready to go; it can contain relevant data in the event that the primary is compromised or destroyed. This backup plan is a very good solution, comparable to a disaster recovery site (strictly, a standby kept offline is a warm site rather than a hot site, since a hot site is live and kept synchronized). The alternative to having a backup server ready to launch should the primary go down is to outsource to the cloud. The risk is still there, but it has been transferred to a cloud provider who manages it for you. The cloud provider faces the same risks that the client would, so the question is the cost of the cloud solution for use and maintenance versus having the server in house.

Post Implementation Support and Issues

Post Implementation Support

When the penetration test is over and the results and remediation steps have been presented, the only thing left to do is to periodically test the same systems. This is part of a continuous improvement plan and validates the countermeasures. All security standards repeat the same steps in order to review essential and non-essential systems and security practices. This will be the post-implementation support. The client can elect to have the same penetration test team review their assets so as not to create new relationships with other groups; this consistency will help the client's security posture remain poised and ready to adapt to new systems and environments. The client will have an annual review of assets and processes, and the following penetration test will record the effectiveness of the implemented countermeasures. When the second penetration test is completed, the results and countermeasures from the first test will be reviewed against the second. The time taken to implement changes between tests helps the penetration test team gauge how well the client's IT department is able to carry out the necessary change. Any high-risk results will be brought before the executive office for review. Again, a report and countermeasures will be provided to the client. The forms required will be the same as listed in the appendix, as will the report. This annual review by penetration test will start to present a theme for security, either good or bad. No other forms are required externally, but internally there may be guidelines and procedures created as a product of the first test.

Post Implementation Support Resources

Providing for the future security of the client will be a concern for both security and revenue generation for the pen testing company. Most important is that the client receives some support going forward. This effort is first evidenced in the report that follows the test: the countermeasures and best practices to safeguard and mitigate risks will outline some maintenance-type activities. The following guideline describes what should be done, when, and by whom.

Maintenance Plan

The short period after the penetration test will be the most active, as the client receives instructions from the pen testers to harden network devices, servers and endpoint devices. This lockdown session is executed according to the results of the penetration test first and then by industry best practices. Patching of the core business application leads the changes, followed by hardening of network and endpoint devices. That concludes the short-term plan. The long-term plan has the following built into a series of rollouts as budget and time permit. The department will have security-hardened workstations running only the services necessary to do the job. The workstations will have integrity checks performed every hour on the hash values of files used by processes. The plan specifies MD5 hashes; because MD5 collisions can be produced at will, a check meant to resist deliberate tampering should use SHA-256, and the baseline hashes must be stored where the monitored host cannot rewrite them. If a process is initiated by something other than the system account or by a non-sanctioned program, an alert goes out; the process is stopped and blocked from making changes to the system. This is in the spirit of the TCSEC (Trusted Computer System Evaluation Criteria) verified-protection division, although that division is an evaluation class for a whole system's design and formal verification, not a property an integrity checker alone confers. All networks will be designed securely with IDS and IPS systems in an enterprise-style monitoring and control system. Packets will be captured and analyzed by deep packet and application-layer inspection; this intense scanning allows network traffic to be recorded for forensic analysis. Users' email will be filtered by rules stating that email is only received from known senders and is subject to inspection and analysis of its content. Here the email is opened and executed on VMware-hosted systems that act as end users: these test virtual machines open email like normal users and record which files and processes are initialized and modified. When the results show no detrimental impact on the system, the email is then sent to the end user and the IT department.
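The hourly integrity check and the sandbox's record of what an email changed both come down to one operation: hash every file under a root, hash them again later, and diff the two snapshots. The script below does that, as an added example that is not the project's own tooling. It uses SHA-256 rather than the MD5 named in the plan (an assumption made here, for the reason given above), and the directory it checks is a temporary tree it constructs and then tampers with itself.

```python
"""Hash-snapshot integrity check for a directory tree.

Added example, not the project's own tooling. Takes a baseline of every
file under a root, takes a later snapshot, and reports what was added,
removed or modified. The demo builds and tampers with a temporary tree
it constructs itself. SHA-256 is used instead of the MD5 named in the
plan (an assumption made here).
"""
import hashlib
import os
import tempfile

HASH_ALGORITHM = "sha256"


def hash_file(path, algorithm=HASH_ALGORITHM, chunk_size=65536):
    """Stream the file through the hash so large binaries are not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, algorithm=HASH_ALGORITHM):
    """Map relative path (forward slashes) -> digest for each regular file under root."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Symlinks are skipped: hashing the target would hide a swapped link.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full, algorithm)
    return result


def compare(baseline, current):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified


def alert_lines(baseline, current):
    """One alert line per change, the form a scheduled check would log or mail."""
    added, removed, modified = compare(baseline, current)
    return ([f"ALERT added    {p}" for p in added]
            + [f"ALERT removed  {p}" for p in removed]
            + [f"ALERT modified {p}" for p in modified])


def demo():
    """Baseline a constructed tree, tamper with it, return the detected changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "app.exe"), "wb") as f:
            f.write(b"original application binary")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("[app]\nport=808\n")
        baseline = snapshot(root)

        # Simulated tampering between two hourly runs: binary replaced,
        # a new DLL dropped, the config deleted.
        with open(os.path.join(root, "bin", "app.exe"), "wb") as f:
            f.write(b"trojaned application binary")
        with open(os.path.join(root, "dropper.dll"), "wb") as f:
            f.write(b"\x00")
        os.remove(os.path.join(root, "config.ini"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```

For the hourly workstation check the baseline belongs on a read-only share or the monitoring server, not on the host being checked, or whoever replaces the binary can replace the baseline with it. The same two snapshots, taken of the mail-detonation VM before and after a message is opened, give the list of files the message created or modified that the plan wants recorded.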
If there are adverse effects on the VMware system, then the system records the email, the processes, the files and the changed state of the computer. This allows a lower cost of maintaining the systems over time, as these threats are mitigated inside VMware. In addition, the security department will learn what tools and methods are used to exploit users and systems for information. Users requiring access to files on the network will have a second machine, not attached to the internet, on which they access this information. Keeping the two systems separate adds a physical layer of protection, so the more sensitive information has no means of going outside. This addresses any further vulnerability found in the core business application. Not only will these machines have no internet access, they will also have no USB ports, CD/DVD-RW drives or any other means to install or remove data. Thin clients will be used with Citrix XenApp and XenDesktop to deploy virtual desktops. These virtual desktops are maintained locally on a server, and security-hardened processes verify their integrity before use each day.

Conclusion, Outcomes, and Reflection

Project Summary

This project started from the realization that not all penetration tests are done correctly. Many tools and easy-to-use frameworks exist to aid testing, but they should not be relied on to lead the test. Criteria that the client requested to be validated often go unmet, and therefore incorrect results are circulated. The project set out to determine how to achieve an effective penetration test. Statistics were presented showing that many tests are run incorrectly, with poor communication and poor design of the test plan. The field survey showed a real-time efficiency grade given by companies that perform these tests. All of it indicates that more is needed to improve the service while educating the client. Next, the project covered the phases of what was to be done and the details of each. The product of the design and testing was an effective penetration test showing that the core application and server are resilient to the most common attacks.

Deliverables

The deliverable that the project is primarily responsible for is the results from the penetration test and the countermeasures. All other documentation created facilitates the process and will benefit the client. Diagrams may be submitted within the report to expand on a result, but most of the report will be text output.

Outcomes

The results of this project have been highly esteemed by industry professionals and by the client receiving the service. Penetration testing is certainly a very intense and time-consuming process when there is a commitment to the act. The energy, intellect and business relationships developed over the course of the project have heightened the sense of the need for security. What was anticipated in the process was delivered on all counts except for the actual test: a theoretical test based on a real company was conducted in its place. The results of the DoS and DDoS attacks were not expected. It informed the candidate that not all goes as planned on either side of the test. The client was very happy to receive the results of the penetration test showing how resilient their application stood against several attacks. The manufacturer of the core business application was also very happy to hear that the results were good and that their product is resilient. The candidate expresses satisfaction that the effort expended builds toward their profession and that the experience will help sharpen their skills for the next opportunity.

Reflection

The candidate has learned a great deal about the process of legally breaking into systems and stopping services in order to provide a security assessment for a client. The steps taken in the project were required in order to be effective, and after each phase came checking and planning the next. The time taken to meet with a client and provide a real understanding of just how attackers work to take down businesses was rewarding. The client really appreciates the time taken to empower and defend their business against today's malicious technological minds.

References

Pivot Point Security. (2012). Stop Wasting Your Money on Penetration Testing. Retrieved from http://pivotpointsecurity.com/downloads/18

McKerchar, R. (2012). Practical IT: how to manage cost-effective penetration testing. Retrieved from http://nakedsecurity.sophos.com/2012/05/09/practical-it-how-to-manage-cost-effective-penetration-testing/

Imperva. (2012). Hacker Intelligence Initiative, Monthly Trend Report #13. Retrieved from http://www.imperva.com/docs/hii_monitoring_hacker_forums_2012.pdf

Verizon. (2012). 2012 Data Breach Investigations Report. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Netragard. (2012). How to Choose the Right Vendor. Retrieved from http://www.netragard.com/how-to-avoid-failure-with-your-next-penetration-test-vulnerability-assessment?utm_expid=26785886-2&utm_referrer=http%3a%2f%2fwww.netragard.com%2f

Snedaker. (2007). The Best Damn IT Security Management Book Period. Retrieved from http://mmlviewer.books24x7.com/book/id_25442/viewer.asp?bookid=25442&chunkid=761233067

Symantec. (2012). 2011 Annual Study: U.S. Cost of a Data Breach. Retrieved from http://www.slideshare.net/symantec/2011-annual-study-us-cost-of-a-data-breach-march-2012

Appendix A: Network Devices

Electronic Equipment        | Owner(s)      | Quantity | Tested
3Com 5500 24-port Switch    | Outsourced IT | 1        | No
Dell R710, Windows 2008 R2  | Outsourced IT | 1        | Yes
Dell Workstations           | Outsourced IT | 10       | Yes
Cisco Phone                 | Outsourced IT | 10       | No
Printers                    | Outsourced IT | 1        | No

Appendix B: Critical Services

Company services associated with devices that are critical for daily operation are mapped and listed below. Associated devices are the Windows Server 2008 R2 machine, the workstations and the LAN unless noted.

Name of Service                             | Severity | Associated Device(s)              | Up/Down Stream Process                                                         | Process Owner
Project Bidding                             | Medium   | Server/Workstations/LAN/Phones    | Projects entered into Streetsmarts                                             | Operations Manager
Project Entry                               | High     | Server/Workstations/LAN           | Projects entered into Streetsmarts / Streetsmarts auto calculation             | Operations Manager
Ticket Info Entered                         | High     | Server/Workstations/LAN           | Streetsmarts auto calculation / Ticket Batch Upload                            | Scale Clerk
Ticket Batch Upload                         | High     | Server/Workstations/LAN           | Streetsmarts auto calculation / costs accounted in Streetsmarts, invoice goes out | Scale Clerk
Invoices Printed and Sent                   | Low      | Server/Workstations/LAN/Printer   | Receives all payments / enter payments                                         | Accounts Receivable
A/R Enter Payments                          | Medium   | Server/Workstations/LAN/Phone     | Payments post to all accounts / issue payments to vendors                      | Accounts Receivable
A/P Enter Payments                          | High     | Server/Workstations/LAN/Phone     | Prints checks and sends them / payments post to all accounts and balances      | Accounts Payable
Payments Post to All Accounts and Balances  | Medium   | Server/Workstations/LAN           | Issues payments to vendors and employees / enters payments                     | Accounts Payable
Prints Checks and Sends Them                | Low      | Server/Workstations/LAN/Printer   | Enters payments / prints checks and sends them                                 | Accounts Payable
Payments Post to All Accounts and Balances  | Medium   | Server/Workstations/LAN           | Prints checks and sends them                                                   | Accounts Payable
Windows IIS Service                         | Low      | Server/Workstations/LAN           | Streetsmarts / Time Tracker                                                    | Outsourced IT

Appendix C: Penetration Test Plan

This is the penetration test plan that was designed after receiving the list of critical devices and associated services. This test plan will be followed and not deviated from in the initial test. The client can request further testing, per test result, for further analysis in writing at any time after the initial test. The following is the list of items for the test plan.

1. Target Devices and Services
   a. Have all identified targets of evaluation documented
   b. Obtain and review the prioritized list of services
2. Scan Operating Systems
   a. Use Microsoft Baseline Security Analyzer
   b. Use Nmap to discover devices and grab banners
   c. Use Nessus to discover vulnerabilities
3. Test Network Devices
   a. Use Nmap to discover devices and ports
   b. Discover services
   c. DoS/DDoS attack
4. Test Core Business Application
   a. Test the core business application against
      i. Clear-text traffic capture
      ii. Man in the middle
      iii. Spoofing
      iv. Armitage with Meterpreter

Appendix C: Penetration Test Action Plan (Con't)

Appendix D: Audited IT Processes

This section contains information about the processes that run alongside the IT assets in the penetration test.

Appendix D: Audited IT Processes (Con't)

Appendix E: Qualitative Risk Matrix

Frequency on the X axis, impact on the Y axis, as described in the risk assessment.

                 Event 1   Event 2   Event 3
Impact: High     Medium    High      Critical
Impact: Medium   Low       Medium    High
Impact: Low      Low       Low       Medium

Appendix F: List of Legal Concerns

Since this company is not publicly traded, the following should be considered when reviewing risk and requirements for testing as time permits.

1. Customer data privacy
2. Transaction integrity (non-PCI transactions)
3. Theft of client data
4. Corporate espionage
5. Employee data privacy
6. Tax and accounting record keeping

Appendix G: Sample Contract

PENETRATION TESTING CONTRACT

This contract is between Pen-test team (hereinafter referred to as "the provider") and target client (hereinafter referred to as "the client") for the supply of Penetration Testing services by the provider for the client.

Whereas the provider provides certain computer and systems security consulting and testing services, including Penetration Testing services, and whereas the client wishes to retain the provider to provide computer and systems security services, specifically Penetration Testing services, therefore the client does hereby retain the provider for the purpose of providing Penetration Testing services on the client's computers and network infrastructure.

The objective of the Penetration Testing service is to identify and report on the security posture, including any vulnerability, to allow the client to close the issues in a planned manner outlined by the provider, thus significantly raising the level of their security protection. The client understands that computer security is a continually growing and evolving environment and that testing by Pen-test team does not mean that the client's site is secure from every form of attack. There is no such thing as 100% effective testing; for example, it is never possible to test for vulnerabilities in software or systems that are not known at the time of testing. Further, security breaches can and frequently do occur from internal sources whose access is not a function of system configuration and/or external access security issues.

The client has provided the provider with certain required information regarding the scope and range of the tests from the inventory audit and business process assessment, and the client hereby warrants that all information provided is true and accurate and that the client owns, or is authorized to represent the owners of, the computers and systems described. The client further warrants and represents that they are authorized to enter into binding legal agreements.

The provider has provided a written quote for the services contracted in the amount of $1,600.00. The client, prior to any services being performed by the provider, shall pay half of the payment for contracted services one week prior to the start date. A copy of the written quote is attached to this contract as Schedule A. The provider will complete the penetration test on the agreed-upon start date of 15-Jan-2013 and finish date of 18-Jan-2013. Upon furnishing the written report and the remediation effort required to harden the client's systems, all remaining payments or balance shall be paid in full. Any payment that exceeds 30 days past the report delivery date shall accrue interest of five percent (5%) compounded each business day.

The provider shall be under no liability whatever to the client for any indirect loss and/or expense (including loss of profit) suffered by the client arising out of a breach by the provider of this contract. In the event of any breach of this contract by the provider, the remedies of the client shall be limited to a maximum of the fees paid by the client.

There will be a communication plan between the pen test team and the operations manager of the client. At each point in the test there will be notification of that test beginning, to the operations manager only. If there are any adverse effects of the test, the operations manager will notify the lead pen tester; the test will stop and the results will be noted.

Appendix G: Sample Contract (Con't)

Both parties shall maintain this contract as confidential. No information about this contract, its terms or its fees shall be released by either party. Information about the client's business, computer systems or security situation that the provider obtains during the course of its work will not be released to any third party without prior written approval. The provider and the client have imparted, and may from time to time impart, to each other certain confidential information relating to each other's business, including specific documentation. Each party agrees that it shall use such confidential information solely for the purposes of the service and that it shall not disclose, directly or indirectly, such information to any third party, whether expressed or otherwise. Where disclosure to a third party by either party is essential, that party, with the agreement of the other party, will prior to any such disclosure obtain from the third party duly binding agreements to maintain the information to be disclosed in confidence, to at least the same extent as the parties are bound.

This contract is subject to the laws of the State of Connecticut, USA. All disputes arising out of this contract shall be subject to the exclusive jurisdiction of the State of Connecticut, USA. Neither party shall be liable for any default due to any act of God, war, strike, lockout, industrial action, fire, flood, drought, storm or other event beyond the reasonable control of either party.

Schedule A

The following is an estimate for the test plan.
It will take one work day, or eight (8) hours, to complete the following work.

08:00-08:30  Target devices and services: have all identified targets of evaluation documented; obtain and review the prioritized list of services
08:30-09:30  Test operating systems: Microsoft Baseline Security Analyzer; Nmap device discovery and banner grabbing; Nessus vulnerability discovery
09:30-10:30  Test network devices: Nmap device and port discovery; service discovery; DoS/DDoS attack
10:30-12:00  Test core business application: Armitage and Meterpreter (used for testing but not successful)
13:00-14:30  Man in the middle: spoofing and clear-text traffic capture
14:30-17:00  Contingency testing and report with countermeasures: contingency testing in case one or more tests open or deny success; provide results in a brief outlining the tests and results; provide countermeasures

Appendix I: Data Breach Calculator Report

Appendix J: Penetration Results and Countermeasures

Report and Countermeasures

Executive Summary

The following is a report of the tests undertaken to gain a foothold, capture data and/or deny access to the client's business processes. It reviews the tests run and their outcomes, and where there are countermeasures that would thwart such activities, they are presented. The report is for Client X, who requested that their network be tested for exploits and deficiencies that could leave them liable for data leakage or cause loss of service. The tests were very focused and concentrated on a workstation and the server.

Test Objectives

1. Target Devices and Services
   a. Have all identified targets of evaluation documented
   b. Obtain and review the prioritized list of services
2. Scan Operating Systems
   a. Use Microsoft Baseline Security Analyzer
   b. Use Nmap to discover devices and grab banners
   c. Use Nessus to discover vulnerabilities
3. Test Network Devices
   a. Use Nmap to discover devices and ports
   b. Discover services
   c. DoS/DDoS attack
4. Test Core Business Application
   a. Test the core business application against
      i. Clear-text traffic capture
      ii. Man in the middle
      iii. Spoofing
      iv. Armitage with Meterpreter

Port Scanning Results and Issues

Scanning Windows machines

The first test was a scan of services and ports on the Microsoft devices, using the Nessus port scan as well as the Microsoft Baseline Security Analyzer. The scan found the default Windows system ports open: SMB without signing, Telnet, and high ports. Nessus reported SMB/Samba on port 445 with message signing not required, and Telnet on port 23, a clear-text channel that carries credentials in the open. Nessus raised only one medium and one low alert for the server 10.10.10.5. Port 135, the RPC endpoint mapper, was found open on the workstation. Port 139, the NetBIOS session service, was open and is used by SMB for file sharing with non-Microsoft devices.
Port 808 is the Streetsmarts web-based application, whose traffic is encrypted. Port 992, the registered port for Telnet over SSL/TLS, was found to be an SSL port presenting a certificate error (typically a self-signed certificate or one whose name does not match the host). Additional open ports in the range 49152-49157 are dynamic (ephemeral) ports: with the change Microsoft released in January 2008 for Windows Vista and Server 2008, the dynamic port range starts at 49152, so these belong to ordinary outbound and RPC connections rather than to a listening service of their own. Some P2P (peer-to-peer) file sharing has been known to run over these ports. The attack that could have occurred, but was not conducted in the test, was privilege escalation via an SMB vulnerability combined with brute-forcing of usernames and passwords. The attacker could also have social-engineered the information from an unsuspecting user. There is some probability of that, but the users answer to only one IT person, which greatly reduces it.

Countermeasures

Using a host-based firewall, either Microsoft's built-in one or a vendor product, the client can block traffic in either direction from the host. In the penetration test it was recorded that ZoneAlarm Free Antivirus and Firewall was able to deny our only exploit for gaining control of or information from the systems. By simply trusting only the gateway and the server, the workstation would not have been easily compromised. It is possible to assume the identity of the gateway, since the trust rule is keyed on an IP address, but locking down ports would have greatly reduced that threat; static ARP entries for the gateway and server on the workstations close the spoofing path the MITM test used. SMB signing should be required on the server and workstations, and Telnet replaced with SSH or disabled, since a host firewall does nothing for credentials sent in clear text to a host the rule trusts. The scan results are in Appendices AA through AC.

DoS/DDoS Testing

The application server MAXWELLSM was the DoS/DDoS target. Low Orbit Ion Cannon (LOIC), infamous for its use by the hacktivist group Anonymous, was used to perform a denial of service against the server in order to deny application use to the client machine. Later, another machine was used to point LOIC at the Windows 7 client machine.

Test 1: Target port 808 on the application server with 10 threads and numerous TCP requests, waiting for responses. Attack started 13:20, 12-Jan-2013. Results: after 5 minutes with 10 threads and the speed set to fastest, the Server 2008 machine and the Windows 7 client were still able to communicate.

Test 2: Target port 808 on the application server with 100 threads and numerous TCP requests, waiting for responses. Attack ran 13:32 to 13:46, 12-Jan-2013. Results: 109,106,402 TCP requests and the application stayed up. The Windows Error Reporting service stopped and started at least twice.

Test 3: Target port 808 on the application server with 1000 threads and numerous HTTP requests, not waiting for responses, to see whether IIS crashes. Attack started 13:55, 12-Jan-2013. Results: despite LOIC requesting many pages many times and showing no failures, the application still launched.

Test 4: DDoS against port 80 with 1000 HTTP threads from two machines, 14:05 to 14:15. This included three LOIC instances and one Python script, slowloris.py, opening 1000 new threads every ten (10) seconds. Results: the application still launched.

Countermeasures

No countermeasure is directly required, but a device that enforces a limit on the number of connections per host on the network could help other protocols (strictly a connection-limiting feature of a firewall or IPS rather than network access control, which governs admission to the network). This would greatly improve the chances for other protocols on the network, such as VoIP, to communicate and would lower the chances of other denial of service attacks succeeding. Note that the Slowloris pattern, which holds many connections open with partial requests, is caught by a limit on simultaneous connections per source, while the LOIC pattern of fast repeated requests is caught by a limit on new connections per source per interval; a useful device enforces both.
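The per-host connection limit proposed above, applied offline to a connection log, as an added example that is not from the original report. It replays open/close events per source address and reports sources that either hold too many connections open at once (the Slowloris pattern from Test 4) or open too many new connections within a sliding window (the LOIC pattern from Tests 1 to 3). The log format, addresses, timestamps and limits are constructed for the example; the 10.10.10.5:808 target follows the test lab.

```python
"""Per-source connection limits replayed against a connection log.

Added example, not from the original report. Applies the "connections
per host" rule described in the countermeasures to an offline log, so
the thresholds can be checked against real traffic before a device is
configured to enforce them. Log format, addresses, timestamps and
limits are constructed for the example.
"""
from collections import defaultdict, deque

# Constructed log format:
# "<epoch seconds> <src ip> <dst ip>:<port> <open|close> <connection id>"


def build_sample_log():
    """Constructed traffic: a normal client, a Slowloris-style holder, a LOIC-style flooder."""
    lines = [
        "1358000000 10.10.10.7 10.10.10.5:808 open c1",
        "1358000003 10.10.10.7 10.10.10.5:808 close c1",
        "1358000005 10.10.10.7 10.10.10.5:808 open c2",
        "1358000009 10.10.10.7 10.10.10.5:808 close c2",
    ]
    # Slowloris pattern: a new connection every second, none ever closed.
    for i in range(30):
        lines.append(f"{1358000100 + i} 10.10.10.20 10.10.10.5:808 open s{i}")
    # LOIC pattern: 100 short connections in five seconds, 20 per second.
    for i in range(100):
        ts = 1358000200 + i // 20
        lines.append(f"{ts} 10.10.10.21 10.10.10.5:808 open l{i}")
        lines.append(f"{ts} 10.10.10.21 10.10.10.5:808 close l{i}")
    return lines


def parse(lines):
    """Parse log lines into (ts, src, dst, action, conn_id), stably sorted by time."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, action, cid = line.split()
        if action not in ("open", "close"):
            raise ValueError(f"bad action in log line: {raw!r}")
        events.append((int(ts), src, dst, action, cid))
    events.sort(key=lambda e: e[0])
    return events


def analyze(events, max_concurrent=20, max_new_per_window=50, window_seconds=10):
    """Return (findings, stats).

    stats[src] = (peak simultaneous open connections, peak new connections
    inside any window_seconds window). findings[src] lists the limits the
    source exceeded.
    """
    open_conns = defaultdict(set)
    recent_opens = defaultdict(deque)
    peak_concurrent = defaultdict(int)
    peak_rate = defaultdict(int)
    for ts, src, _dst, action, cid in events:
        if action == "open":
            open_conns[src].add(cid)
            window = recent_opens[src]
            window.append(ts)
            while window and ts - window[0] >= window_seconds:
                window.popleft()
            peak_concurrent[src] = max(peak_concurrent[src], len(open_conns[src]))
            peak_rate[src] = max(peak_rate[src], len(window))
        else:
            # A close for an unknown id (log started mid-connection) is ignored.
            open_conns[src].discard(cid)
    stats = {src: (peak_concurrent[src], peak_rate[src]) for src in peak_concurrent}
    findings = {}
    for src, (concurrent, rate) in stats.items():
        reasons = []
        if concurrent > max_concurrent:
            reasons.append(f"held {concurrent} connections open at once (limit {max_concurrent})")
        if rate > max_new_per_window:
            reasons.append(f"opened {rate} connections within {window_seconds}s (limit {max_new_per_window})")
        if reasons:
            findings[src] = reasons
    return findings, stats


if __name__ == "__main__":
    found, per_source = analyze(parse(build_sample_log()))
    for src, reasons in sorted(found.items()):
        print(src, "->", "; ".join(reasons))
```

The two limits catch different things: the holder never trips the rate check (10 opens per 10 seconds) and the flooder never trips the concurrency check (each connection closes at once), so a device configured with only one of them misses half of what Test 4 threw at the server. The limits used here are illustrative; the right values come from the peak figures the stats dictionary reports for legitimate clients over a normal business day.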

Application Server Testing

Test 1: Used websploit. Results: Nothing to report, as the communication between the application and the server is encrypted by the client-side software.

Test 2: Meterpreter used with Armitage. The connection made it impossible to glean any data or provide a way to leak data out; Meterpreter was used in this test knowing the administrator password, which made the connection possible. Even a regular user whose password is known would be able to pass the hash, as well as dump and crack passwords later in order to attempt to escalate privileges; time is the factor determining how successful the cracker would be. Results: We were able to log keystrokes and take screenshots of the user's computer. This is one way that data could be captured. In this test, we show that key logging and screen captures are possible; however, they are not very effective, as shown below in Image 4.

Countermeasures

In the test, it was discovered that knowing a username and/or escalating privileges by brute forcing passwords helped make the reverse TCP shell possible. One of the ways we stopped this from happening again was to use ZoneAlarm Free Antivirus and Firewall software. With it, a trusted gateway and server were set up and the rest of the same subnet was untrusted. This solution is an inexpensive way to harden the network.

Image 1 - Armitage Text Output of Key Logging
Image 2 - Email Credentials Entered

Page 50

Image 3 - Screenshot before Launching Encrypted Application
Image 4 - After Launching Encrypted Application

Notice in the image below that the application icon is present (the big S in the toolbar) and on the workstation it is in the foreground. However, the image reveals that it is not seen and is therefore encrypted to the reverse TCP shell.

Page 51

Sniffing and MITM Attacks

Using Ettercap we copied traffic between the user and the gateway to our penetration testing laptop. We used Ettercap, urlsnarf, dsniff, and Driftnet, with the commands below entered to see traffic. In Ettercap we scanned the subnet and added target 1 = gateway and target 2 = the victim machine. Here we were able to get a copy of everything being sent by the user to the laptop first, before it went on to the real gateway. This is done with sslstrip, iptables, and Ettercap with an ARP spoofing MITM attack:

    ettercap --mitm ARP:REMOTE --text --quiet --write /root/sslstrip/ettercap.log --iface eth0

The GUI was also used to pick the target client Windows 7 machine 10.10.10.7 and, as the second target, the application server 10.10.10.5.

Execute the following commands. In the CLI we entered:

    root@bt:/# echo 1 > /proc/sys/net/ipv4/ip_forward
    root@bt:/# cat /proc/sys/net/ipv4/ip_forward
    root@bt:# sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

Now verify it took the filter:

    root@bt:~# iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:www redir ports 10000

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

    root@bt:# sudo python sslstrip.py -l 10000 -f lock.ico

Results with sslstrip: No data or text of any sort was visible, as all data was being passed through an encrypted channel.

Results with dsniff: Web addresses were visible, but no usernames or passwords. These results show the application is very secure.

Results with driftnet: There were no pictures or images of the site going across. Web addresses were being listed.
Results with urlsnarf:

    root@bt:~# urlsnarf -n -i eth0
    urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
    10.10.10.7 - - [15/Jan/2013:23:10:12-0500] "GET http://www.google.com/ HTTP/1.1" - - "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
    10.10.10.7 - - [15/Jan/2013:23:10:13-0500] "GET

Page 52

    10.10.10.7 - - [15/Jan/2013:23:11:17-0500] "GET http://www.mwsystems.com/servlet/servlet.filedownload?file=01540000000nqrs HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
    10.10.10.7 - - [15/Jan/2013:23:11:17-0500] "GET http://www.mwsystems.com/servlet/servlet.filedownload?file=01540000000nr9z HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
    10.10.10.7 - - [15/Jan/2013:23:11:17-0500] "GET http://www.mwsystems.com/servlet/servlet.filedownload?file=01540000000nr9k HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
    10.10.10.7 - - [15/Jan/2013:23:11:17-0500] "GET http://www.mwsystems.com/servlet/servlet.filedownload?file=01540000000nr9a HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
    10.10.10.7 - - [15/Jan/2013:23:11:17-0500] "GET http://www.mwsystems.com/servlet/servlet.filedownload?file=01540000000nrod HTTP/1.1" - - "http://10.10.10.5/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

Executed commands:

    root@bt:/# echo 1 > /proc/sys/net/ipv4/ip_forward
    root@bt:/# cat /proc/sys/net/ipv4/ip_forward
    1

In another terminal, we used Driftnet:

    root@bt:/# driftnet -i eth0
    root@bt:/# driftnet -i eth0 -v -s

The second form, with -s, was an attempt to capture audio being streamed. We could then see what images the user was looking at.
Results: Images from the core business application were not being sent to our laptop despite driftnet running:

    root@bt:~# driftnet -i eth0 -v
    driftnet: using temporary file directory /tmp/driftnet-amaowm
    driftnet: listening on eth0 in promiscuous mode
    driftnet: using filter expression `tcp'
    driftnet: started display child, pid 2562
    driftnet: link-level header length is 14 bytes.
    driftnet: new connection: 10.10.10.7:49363 -> 23.45.9.75:80...
    driftnet: new connection: 10.10.10.7:49365 -> 23.45.9.75:80...
    driftnet: new connection: 10.10.10.7:49364 -> 23.45.9.75:80...
    driftnet: new connection: 10.10.10.7:49368 -> 23.45.9.75:80

Countermeasures

No countermeasures needed to be taken to secure the core business application. However, countermeasures need to be put in place to eliminate the ability to see what web or secure web traffic users are conducting. Again, a NAC device would help qualify not just the user but the device on the network. In addition, the device can emulate a MITM attack against the attacker and direct all their traffic into a black hole. The Trustwave NAC appliance is one device that can perform this mitigation. A less costly approach for smaller companies would be to use a VPN or SSH tunnel to a known good server. Some of these solutions are offered free on the web and some can be built in-house.

Page 53
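As an added illustration of how the ARP poisoning used above can be detected on the wire (this is not code from the report), the following arpwatch-style detector flags the two signatures an Ettercap ARP:REMOTE run produces; the MAC addresses are made up, and the IPs are the report's client and application server.

```python
"""ARP-cache poisoning detector in the style of arpwatch, run over constructed
ARP replies. Added example, not part of the original report: the MACs are made
up; 10.10.10.7 (client) and 10.10.10.5 (server) are the ARP:REMOTE targets."""
from collections import defaultdict


class ArpWatch:
    """Track IP->MAC bindings from ARP replies and flag two poisoning signs:
    a known IP answering from a new MAC, and one MAC claiming several IPs."""

    def __init__(self, trusted=None):
        self.ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self.alerts = {}   # (kind, detail) -> first timestamp; dedups repeats

    def observe(self, ts, sender_ip, sender_mac):
        """Feed one ARP reply meaning 'sender_ip is at sender_mac'."""
        sender_mac = sender_mac.lower()
        known = self.ip_to_mac.get(sender_ip)
        if known is None:
            self.ip_to_mac[sender_ip] = sender_mac   # first sighting: learn it
        elif known != sender_mac:
            # The trusted binding is kept, so the real host re-announcing
            # itself later is not reported as a second change.
            self.alerts.setdefault(("mac-changed", (sender_ip, known, sender_mac)), ts)
        self.mac_to_ips[sender_mac].add(sender_ip)
        if len(self.mac_to_ips[sender_mac]) > 1:
            # Caveat: a router with several addresses or an HSRP/VRRP pair
            # looks the same; whitelist such MACs in production.
            ips = tuple(sorted(self.mac_to_ips[sender_mac]))
            self.alerts.setdefault(("mac-claims-many", (sender_mac, ips)), ts)


def run_sample():
    """Constructed replies: legitimate announcements, then an attacker MAC
    claiming both targets at once, which is what ARP:REMOTE does."""
    watch = ArpWatch(trusted={"10.10.10.5": "00:0c:29:11:22:33",
                              "10.10.10.7": "00:0c:29:44:55:66"})
    replies = [(1, "10.10.10.7", "00:0c:29:44:55:66"),
               (2, "10.10.10.5", "00:0c:29:11:22:33"),
               (3, "10.10.10.7", "aa:aa:aa:aa:aa:aa"),   # poison toward server
               (3, "10.10.10.5", "aa:aa:aa:aa:aa:aa"),   # poison toward client
               (4, "10.10.10.7", "aa:aa:aa:aa:aa:aa")]   # repeat, suppressed
    for ts, ip, mac in replies:
        watch.observe(ts, ip, mac)
    return [(ts, kind, detail) for (kind, detail), ts in watch.alerts.items()]
```

The sample yields three alerts: the client's and the server's MAC each changing to the attacker's, then the attacker's MAC claiming both addresses; the repeated poison at ts 4 adds nothing new.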

Appendix AA: MBSA (Microsoft Baseline Security Analyzer) Scan Results

The automated scanning results are attached but abbreviated for length. Microsoft Baseline Security Analyzer (MBSA) results have been included below. The workstation used in the test had an even lower score for vulnerabilities discovered.

Page 54

Page 55

Appendix AB: Nmap Scan Results

Scanning known hosts

Nmap MAXWELLSM (Application server Open Ports)

    Scanning 10.10.10.5 [1000 ports]
    Discovered open port 80/tcp on 10.10.10.5
    Discovered open port 23/tcp on 10.10.10.5
    Discovered open port 445/tcp on 10.10.10.5
    Discovered open port 139/tcp on 10.10.10.5
    Discovered open port 49154/tcp on 10.10.10.5
    Discovered open port 49156/tcp on 10.10.10.5
    Discovered open port 49157/tcp on 10.10.10.5
    Discovered open port 49155/tcp on 10.10.10.5
    Discovered open port 135/tcp on 10.10.10.5
    Discovered open port 808/tcp on 10.10.10.5
    Discovered open port 49153/tcp on 10.10.10.5
    Discovered open port 49152/tcp on 10.10.10.5
    Discovered open port 992/tcp on 10.10.10.5
    |_ssl-cert: ERROR
    49152/tcp open  msrpc  Microsoft Windows RPC
    49153/tcp open  msrpc  Microsoft Windows RPC
    49154/tcp open  msrpc  Microsoft Windows RPC
    49155/tcp open  msrpc  Microsoft Windows RPC
    49156/tcp open  msrpc  Microsoft Windows RPC
    49157/tcp open  msrpc  Microsoft Windows RPC

ClientW7 (Open Ports)

    135/tcp   open  msrpc        Microsoft Windows RPC
    139/tcp   open  netbios-ssn
    445/tcp   open  netbios-ssn
    5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-methods: No Allow or Public header in OPTIONS response (status code 503)
    |_http-title: Service Unavailable
    49152/tcp open  msrpc        Microsoft Windows RPC
    49153/tcp open  msrpc        Microsoft Windows RPC
    49154/tcp open  msrpc        Microsoft Windows RPC
    49155/tcp open  msrpc        Microsoft Windows RPC
    49156/tcp open  msrpc        Microsoft Windows RPC
    49161/tcp open  msrpc        Microsoft Windows RPC

Appendix AC: Nessus Scan Results

Application Server MAXWELLSM

Page 56

Page 57

Page 58

Page 59

Appendix AD: Nessus Scan Results Network

Appendix AE: Communication Plan

The communication plan used during the penetration test. This was a single pen tester performing the test, so no other communication had to be coordinated with teammates.

Time / Activity

08:00-08:30  Target Devices and Services
    - Have all identified targets of evaluation documented

Page 60

    - Obtain and review prioritized list of services

08:30-09:30  Test Operating Systems
    - Call to operations manager: test to begin, 1 hour in length.
    - Use Microsoft Baseline Security Analyzer
    - Use Nmap to discover devices, banner grabbing
    - Use Nessus to discover vulnerabilities

09:30-10:30  Test Network Devices
    - Call to operations manager: test to begin, 1 hour in length.
    - Use Nmap to discover devices and ports
    - Discover services
    - DoS/DDoS Attack

10:30-12:00  Test Core Business Application
    - Armitage & Meterpreter used.

13:00-14:30  Man in the Middle
    - Call to operations manager: test to begin, 1.5 hours in length.
    - Spoofing & clear text traffic capturing

14:30-17:00  Contingency Testing, Report with Countermeasures
    - Contingency testing in case one or more tests open or deny success
    - Provide results in a brief outlining the test and results
    - Provide countermeasures

Page 61