Penetration Testing in Romania
Adrian Furtunǎ, Ph.D.
11 October 2011
Romanian IT&C Security Forum

Agenda
- About penetration testing
- Examples
- Q & A
What is penetration testing?
Method for evaluating the security of an information system or network by simulating attacks from malicious outsiders or insiders.
Related terms: Penetration testing, Pentesting, Ethical hacking, Tiger Teaming, Red Teaming (RO: teste de penetrare, teste de intruziune)
Penetration testing is not vulnerability assessment.
Penetration testing is:
- authorized
- adversary-based
- ethical (for defensive purposes)
Penetration testing by example
Threats -> Vulnerabilities -> Assets -> Risks (Vulnerable? Exploitable?)
Threats:
- External attacker: hacker, industrial espionage, organized crime
- Internal attacker: malicious employee, collaborator, consultant, visitor
Vulnerabilities:
- Insufficient input validation
- Insecure session configuration
- Application logic flaws
- Insecure server configuration
Asset: Internet Banking application
Risks (rating):
- SQL injection (H)
- OS command execution (H)
- Authentication bypass (H)
- Cross Site Scripting (M)
- Directory browsing (M)
- Password autocomplete (L)
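The slide's chain (threat, vulnerability, asset, risk) with its two gating questions, "Vulnerable?" and "Exploitable?", can be written down as a small risk-rating routine. The following is an added example, not part of the original slide deck: the likelihood/impact matrix, the `Finding` fields and the likelihood and impact values assigned to each sample finding are assumptions chosen to reproduce the slide's H/M/L ratings, not something the slides define.

```python
"""Rating pentest findings: threat -> vulnerability -> asset -> risk.

Added example (not from the slide deck). A finding only becomes a rated
risk when both gates hold: the asset is confirmed vulnerable AND the
vulnerability is confirmed exploitable by the simulated threat. Anything
else stays in the report as an unconfirmed observation instead of being
rated, which is how manual validation removes scanner false positives.
"""
from dataclasses import dataclass

LEVELS = ("L", "M", "H")

# Assumed 3x3 likelihood x impact matrix; the slides do not define one.
RISK_MATRIX = {
    ("H", "H"): "H", ("H", "M"): "H", ("H", "L"): "M",
    ("M", "H"): "H", ("M", "M"): "M", ("M", "L"): "L",
    ("L", "H"): "M", ("L", "M"): "L", ("L", "L"): "L",
}


@dataclass
class Finding:
    title: str
    asset: str
    weakness: str        # underlying vulnerability class from the slide
    vulnerable: bool     # confirmed present on the asset?
    exploitable: bool    # confirmed exploitable by the simulated threat?
    likelihood: str      # "L"/"M"/"H", judged from threat capability (assumed)
    impact: str          # "L"/"M"/"H", judged from asset value (assumed)


def rate(finding: Finding) -> str:
    """Return H/M/L for a confirmed finding, or 'unconfirmed' when a gate fails."""
    if finding.likelihood not in LEVELS or finding.impact not in LEVELS:
        raise ValueError("likelihood and impact must be one of L, M, H")
    if not (finding.vulnerable and finding.exploitable):
        return "unconfirmed"
    return RISK_MATRIX[(finding.likelihood, finding.impact)]


def risk_register(findings):
    """(finding, rating) pairs, highest risk first; unconfirmed ones last."""
    order = {"H": 0, "M": 1, "L": 2, "unconfirmed": 3}
    rated = [(f, rate(f)) for f in findings]
    return sorted(rated, key=lambda fr: (order[fr[1]], fr[0].title))


# Constructed sample register for the slide's asset; values are assumptions.
APP = "Internet Banking application"
SAMPLE_FINDINGS = [
    Finding("SQL injection", APP, "Insufficient input validation", True, True, "H", "H"),
    Finding("OS command execution", APP, "Insufficient input validation", True, True, "H", "H"),
    Finding("Authentication bypass", APP, "Application logic flaws", True, True, "M", "H"),
    Finding("Cross Site Scripting", APP, "Insufficient input validation", True, True, "M", "M"),
    Finding("Directory browsing", APP, "Insecure server configuration", True, True, "H", "L"),
    Finding("Password autocomplete", APP, "Insecure session configuration", True, True, "L", "L"),
    # Scanner-flagged item that could not be exploited during the test (constructed).
    Finding("Weak cipher reported by scanner", APP, "Insecure server configuration", True, False, "M", "M"),
]

if __name__ == "__main__":
    for finding, rating in risk_register(SAMPLE_FINDINGS):
        print(f"{rating:12} {finding.title} ({finding.weakness})")
```

The ordering in `risk_register` is what the executive summary's risk matrix is built from: confirmed high-risk findings first, and scanner output that survived neither gate reported separately so that it does not inflate the client's risk picture.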
Motivation. Why? When?
Why?
- Verify the effectiveness of the protection mechanisms implemented: application security mechanisms, server configurations, network configurations, employee security awareness, physical security
- Test the ability of system defenders to detect and respond to attacks
- Obtain a reliable basis for investments in security personnel and technology
- Required by ISO 27001, PCI DSS, etc.
When?
- As part of risk assessment, for risk identification and quantification
- As part of ongoing/periodic security assessment
- Before a new system is put in production
- In the development phase of a new system
Penetration testing objectives and targets (examples)
External penetration test:
- Test the security of internet banking / mobile banking apps
- Evaluate the security of internet-facing applications
- Perform fraudulent transactions in online shops
- Access personal data in online medical applications
- Gain physical access to the company building and install a rogue access point
Internal penetration test:
- Obtain access to the database server containing customer information
- Gain control of Active Directory
- Obtain administrative access to the ERP application
- Gain access to company assets (sensitive files, project plans, intellectual property)
Penetration testing types
According to the attacker's location (test type / simulated threats):
- External pentest: hackers, corporate espionage, terrorists, organized crime
- Internal pentest: malicious employee, collaborator, consultant, visitor
According to the attacker's initial information (test type / simulated threats):
- Black box test: hackers, organized crime, terrorists, visitors
- Gray box test: consultants, corporate espionage, business partner, regular employees
- White box test: malicious system administrators, developers, consultants
According to the attacks performed:
- pure technical
- social engineering
- denial of service
How?
- Information gathering
- Create attack trees
- Prepare tools
- Perform collaborative attacks
- Identify vulnerabilities
- Exploit vulnerabilities
- Extract sensitive data
- Gain system access
- Escalate privileges
- Pivot to other systems
- Write the report
Automated vs. Manual
Automated testing:
- Configure scanner
- Run scanner & wait for results
- (Validate findings where possible)
- Deliver report to client
Manual testing:
- Use tools as helpers only
- Validate findings by exploitation (no false positives)
- Dig for sensitive data, escalate privileges, gain access to other systems
- Model and simulate real threats: simulate the attacker's way of thinking; consider the attacker's resources, knowledge, culture, motivation
- Several manual tests for exploitation of specific vulnerabilities
- Strict control, logging, quick feedback
- Interpret the findings according to business impact
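The "Create attack trees" step in the How? slide and the "consider the attacker's resources, knowledge" point above fit together: once the tree for an objective exists, each simulated threat profile can be evaluated against it to see which paths that threat could actually afford, which is where defensive controls and testing time should go first. The block below is an added example, not part of the slide deck: the AND/OR tree for the slide's internal-test objective (access to the customer database), the leaf cost and skill figures, and the three attacker profiles are all constructed assumptions for illustration.

```python
"""Attack tree evaluation against simulated attacker profiles.

Added example (not from the slide deck). OR nodes succeed if any child
path is feasible, AND nodes need every child; a leaf is feasible only if
the attacker's skill reaches the leaf's requirement. The cheapest feasible
path is then compared with the attacker's budget. All figures are assumed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

SKILL = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Leaf:
    name: str
    cost: int    # assumed effort/cost units
    skill: str   # minimum skill level needed


@dataclass
class Node:
    name: str
    kind: str    # "OR" (any child suffices) or "AND" (all children needed)
    children: List[Union["Node", "Leaf"]] = field(default_factory=list)


@dataclass
class Attacker:
    name: str
    budget: int
    skill: str


def cheapest(node, attacker) -> Optional[Tuple[int, List[str]]]:
    """Cheapest path this attacker's skill allows, as (cost, leaf names), else None."""
    if isinstance(node, Leaf):
        if SKILL[node.skill] > SKILL[attacker.skill]:
            return None
        return (node.cost, [node.name])
    results = [cheapest(child, attacker) for child in node.children]
    if node.kind == "OR":
        feasible = [r for r in results if r is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else None
    if node.kind == "AND":
        if any(r is None for r in results):
            return None
        return (sum(r[0] for r in results), [n for r in results for n in r[1]])
    raise ValueError(f"unknown node kind {node.kind!r}")


def feasible_path(node, attacker):
    """Cheapest path that also fits the attacker's budget, else None."""
    best = cheapest(node, attacker)
    if best is None or best[0] > attacker.budget:
        return None
    return best


def paths_by_attacker(node, attackers):
    """Map each simulated threat to the path it could afford (or None)."""
    return {a.name: feasible_path(node, a) for a in attackers}


# Constructed tree for the objective "obtain access to the customer database".
TREE = Node("Access customer database", "OR", [
    Node("Through the web application", "AND", [
        Leaf("Find an SQL injection in the web application", 2, "medium"),
        Leaf("Dump the customer table through the injection", 3, "medium"),
    ]),
    Node("Through stolen credentials", "AND", [
        Leaf("Phish an employee's credentials", 4, "low"),
        Leaf("Log in to the database with stolen credentials", 2, "low"),
    ]),
    Leaf("Exploit an unpatched database service", 1, "high"),
])

# Constructed attacker profiles matching the deck's threat categories.
VISITOR = Attacker("visitor", budget=3, skill="low")
EMPLOYEE = Attacker("malicious employee", budget=10, skill="medium")
ORGANIZED_CRIME = Attacker("organized crime", budget=20, skill="high")

if __name__ == "__main__":
    for name, path in paths_by_attacker(TREE, [VISITOR, EMPLOYEE, ORGANIZED_CRIME]).items():
        print(name, "->", path if path else "no affordable path")
```

Reading the result defensively: a path that only the high-skill profile can afford says where patching matters most, while a path every profile could afford is the one the test should exploit first and the report should rank highest.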
Resources
- Dedicated machines
- Dedicated network
- Software tools: in-house developed, open source, commercial
- Dedicated workspace (IT Security Laboratory)
- Protect client data
- Logging facility
Limitations
- Timeframe
- Budget
- Resources
- Personnel awareness
- Known vulnerabilities are only a subset of all software vulnerabilities, and things change
Penetration testing does not discover all vulnerabilities, but it reduces the number of vulnerabilities that could be found by highly skilled attackers having similar resources and knowledge.
Reporting
Executive summary:
- Overview
- Key findings
- High-level observations
- Risk matrix
Technical report:
- Findings
- Risks
- Recommendations
Present report to client
Standards, Certifications and Knowledge
Security testing standards:
- OSSTMM - Open Source Security Testing Methodology Manual
- NIST 800-42 - The National Institute of Standards and Technology Special Publication
- OWASP - The Open Web Application Security Project
Certifications:
- Offensive Security: OSCE, OSCP, OSWP
- ISECOM: OPST
- SANS: GPEN, GWAPT
- EC-Council: LPT, CEH
- CHECK: Team Leader, Team Member
- CREST: Registered Tester, Certified Tester
Knowledge:
- System administration
- Network administration
- Software development
- Quality assurance / software testing
Example (1): Outdated CMS allows unauthorized file upload
Example (2): Arbitrary file download
Example (3): Gaining access to development servers
Example (4): Application logic flaw
Example (5): Social engineering
Example (6): Gaining root access
Thank you! Questions?
Adrian Furtunǎ, Ph.D.
afurtuna@kpmg.com