How To Test For Security On A Network Without Being Hacked




A Simple Guide to Successful Penetration Testing

Table of Contents

- Penetration Testing, Simplified.
- Scanning is Not Testing.
- Test Well.
- Test Often.
- Pen Test to Avoid a Mess.
- Six-phase Methodology.
- A Few Key Takeaways!

Penetration Testing, Simplified.

Permission to pen test, ma'am

How effective are your existing security controls against a skilled adversary? Discover the answer with penetration testing. The main difference between a penetration tester and an attacker is permission. A hacker simply won't ask for permission when trying to expose your critical systems and assets, so pen test to protect. A pen test is not just a hacking exercise. It's an essential part of your complete risk assessment strategy.

Scanning is not Testing.

If you're confused about the difference between penetration testing and vulnerability scanning, don't worry, you're not alone. The two are related, but pen testing emphasizes gaining as much access as possible, while scanning focuses on identifying areas that are vulnerable to an attack. A person conducting a vulnerability scan will stop just before compromising a target, but a pen tester will go as far as he or she can.

Test Well.

Penetration tests are typically performed using manual or automated technologies to systematically compromise varying vectors, such as servers, endpoints, web apps, wireless networks, network devices, mobile devices, and other potential points of exposure. Historically, pen testing has implied simply breaking through a network firewall, but it has evolved beyond just getting inside. Modern pen testing solutions allow you to see what damage an attacker can actually do once inside your network. The possibilities are seemingly endless: pivoting from web apps to databases to end-user devices, intercepting Wi-Fi traffic, etc. So, testing all these vectors is required for any successful pen testing program.

Pivoting across systems, devices, and applications (vectors) establishes a new source of attack on the compromised target, revealing how chains of exploitable vulnerabilities open paths to your organization's critical systems and data.

Test Often.

It's a good idea to test at regular intervals; after all, you wouldn't skip your own checkup, right? Penetration testing should be performed on a regular basis to create a more consistent and lower-risk security program. In addition to regularly scheduled analysis and assessments required by regulatory mandates, test when:

- New network infrastructure or applications are added
- Significant upgrades or modifications are applied to infrastructure or applications
- New office locations are established
- Security patches are applied
- End user policies are modified

Pen Test to Avoid a Mess.

Intelligently manage vulnerabilities

Through penetration testing, you can proactively identify the most exploitable vulnerabilities and eliminate false positives. This allows your organization to prioritize remediation efforts, apply needed security patches, and efficiently allocate security resources.

Avoid the cost of network downtime

Recovering from a security breach can cost your organization big time: customer protection and retention, legal activities, discouraged business partners, lowered employee productivity, and reduced revenue, just to name a few pitfalls. Pen testing helps you avoid these financial drawbacks by identifying and addressing risks before attacks or security breaches occur.

Meet regulatory requirements and avoid fines

Penetration testing helps organizations address regulatory requirements such as PCI-DSS. This can be a formidable task requiring a combination of resources, time, and a little bit of planning. Detailed reports showing test results and validating remediation efforts can help you avoid significant fines for non-compliance and allow you to illustrate ongoing due diligence to assessors.

Preserve corporate image and customer loyalty

Even a single incident of compromised customer data can be costly in terms of lost revenue and a tarnished brand image. With customer retention costs higher than ever, no one wants to lose the loyal users that they've worked hard to earn, and data breaches are likely to impact new business efforts. Penetration testing helps you dodge these avoidable incidents that put your organization's reputation and trustworthiness at stake.

PENETRATION TESTING METHODOLOGY

A pen test can be broadly carried out by following a six-phase methodology: Planning and Preparation, Discovery, Penetration Attempt, Analysis and Reporting, Clean Up, and finally Remediation.

Pen testing is not a guessing game. Like everything in information security, there's a process.

Planning and Preparation

Clear goals equal clear results. Meet with your team to discuss the scope, objective, and who will be involved in the testing. Before diving in, you must decide on a clear objective and of course get authorization from IT operations.

Scoping

After setting a distinct goal, such as exploiting recently discovered vulnerabilities in your shiny new HR application, the next action is scoping. Identify the machines, systems and network, operational requirements and the staff involved. The way in which the pen test results will be illustrated should also be decided. Discussing timing and coordinating with IT operations is vital, as it will ensure that while the penetration tests are being conducted, business as usual remains business as usual.

Discovery

Obtain open, accessible data from your targets. It's time to get vulnerable! During this phase, the team performs reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target. There are many ways to gather this data and it depends on the target (Network, Web, or Client).

- Network Discovery: Attempt to discover additional systems, servers, and devices
- Host Discovery: Determine open ports on these devices
- Service Interrogation: Interrogate ports to find actual services running on them

A penetration tester will most likely use automated tools to scan target assets for known vulnerabilities. These tools will most likely have their own databases detailing the latest vulnerabilities. Completion of this vulnerability assessment will produce a list of targets to investigate in depth. Sometimes the results from these scans can be overwhelming, with thousands or even tens of thousands of assets and vulnerabilities. So, it's important to ensure you have effective prioritization methods in place that can provide contextual information behind these vulnerabilities to equip you with the information you need to make a decision on what to test first.

Penetration Attempt

Exploit-a-thon. Knowing a vulnerability exists on a target doesn't necessarily mean it can be exploited easily. So, it's not always possible to successfully penetrate even if it is theoretically possible. Exploits that do exist should be tested on the target before conducting any other tests. Once vulnerabilities have been successfully exploited on a particular system, testers may attempt to use the compromised system to launch subsequent exploits on other internal resources. Very often this is achieved by gaining higher levels of security clearance and information through privilege escalation. The penetration attempts don't end here. Organized social engineering campaigns with phishing emails can also be effective at gauging employee awareness, the impact of their behavior, and adherence to existing security controls.

Analysis and Reporting

So, tell us all what you found. The report should start with an overview of the penetration testing process, followed by an analysis of high-risk vulnerabilities. These critical vulnerabilities are addressed first, with lower-risk vulnerabilities following suit. To strengthen the decision making process, vulnerability prioritization is a must. Organizations may accept the risk incurred from less critical vulnerabilities and focus on fixing the most critical that could negatively impact business processes. The other contents of the report should be as follows:

- Summary of successful penetration scenarios
- Detailed listing of information gathered during penetration testing
- Detailed listing of vulnerabilities found
- Description of all vulnerabilities found
- Suggestions and techniques to resolve vulnerabilities found
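The prioritization called for in the Discovery and Reporting phases can be sketched as follows. This is an added example, not part of the original ebook or of any product it mentions; the weights, field names, and sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# All weights below are assumptions for illustration, not an industry standard.
ASSET_WEIGHT = {"critical": 3.0, "important": 2.0, "standard": 1.0}
# A failed exploit attempt lowers priority but does not close the finding:
# not being exploitable today is not proof the flaw is absent.
EXPLOIT_WEIGHT = {"confirmed": 2.0, "untested": 1.0, "failed": 0.5}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str         # constructed placeholder IDs, not real CVEs
    severity: float      # 0-10 score as reported by the scanner
    asset_tier: str      # business criticality of the host
    internet_facing: bool
    exploit_status: str  # outcome of the penetration attempt, if any


def priority(f: Finding) -> float:
    """Scanner severity adjusted by business and exposure context."""
    score = f.severity * ASSET_WEIGHT[f.asset_tier] * EXPLOIT_WEIGHT[f.exploit_status]
    if f.internet_facing:
        score *= 1.5
    return round(score, 2)


def triage(findings):
    """Return findings ordered from most to least urgent to test or fix."""
    return sorted(findings, key=lambda f: (-priority(f), f.host, f.vuln_id))


# Constructed sample scan output.
SAMPLE = [
    Finding("10.0.0.5", "VULN-A", 9.8, "standard", False, "failed"),
    Finding("10.0.0.9", "VULN-B", 6.5, "critical", True, "untested"),
    Finding("10.0.0.7", "VULN-C", 5.0, "important", False, "confirmed"),
    Finding("10.0.0.5", "VULN-D", 4.0, "standard", False, "untested"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{priority(f):6.2f}  {f.host:<10} {f.vuln_id}  ({f.exploit_status})")
```

In the sample, the finding with the highest raw scanner severity drops to third place once asset tier, exposure, and the exploit attempt result are taken into account.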

Clean Up

Go Clean Your Room! Unfortunately, messes can happen as a result of pen testing. A detailed and exact list of actions performed during the penetration test should be recorded. Compromised hosts should be restored to their original state, so they don't negatively impact the organization's operations. This activity should be verified by the staff to ensure it has been done successfully. Poor practices and improperly documented actions during a penetration test will result in a long, painful clean up process.

Remediation

Patch it up. Patching is vital. The final phase of the six-phase penetration testing methodology is all about remediation. Once the testing exercises have been completed on the target systems, all available patches should be deployed according to the criticality of the vulnerability. The vulnerability reports resulting from the previous phase will show exactly which exploits were executed, the host they were found on, and the name of the vulnerability (CVE) if there is one. After patches have been deployed, it is a best practice to validate remediated vulnerabilities to ensure they were properly mitigated.
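Validating remediation means comparing the original findings against a retest. The sketch below is an added example, not from the original ebook; the tuple layout, function name, and sample data are assumptions. It treats a finding as remediated only if the retest actually reached the affected service.

```python
def validate_remediation(baseline, retest_findings, retest_coverage):
    """Classify each baseline finding after patches were deployed.

    baseline, retest_findings: sets of (host, port, vuln_id)
    retest_coverage: set of (host, port) the retest actually reached
    """
    result = {"remediated": [], "still_open": [], "unverified": [], "new": []}
    for item in sorted(baseline):
        host, port, _ = item
        if item in retest_findings:
            result["still_open"].append(item)
        elif (host, port) in retest_coverage:
            result["remediated"].append(item)
        else:
            # Missing from the retest only because the service was not
            # reached (host down, filtered, out of scope): not proof of a fix.
            result["unverified"].append(item)
    # Issues introduced by the change itself, or missed the first time.
    result["new"] = sorted(retest_findings - baseline)
    return result


# Constructed sample data; the vulnerability IDs are placeholders.
BASELINE = {
    ("10.0.0.5", 443, "VULN-0001"),
    ("10.0.0.7", 22, "VULN-0002"),
    ("10.0.0.9", 8080, "VULN-0003"),
}
RETEST_FINDINGS = {
    ("10.0.0.7", 22, "VULN-0002"),
    ("10.0.0.5", 443, "VULN-0004"),
}
RETEST_COVERAGE = {("10.0.0.5", 443), ("10.0.0.7", 22)}

if __name__ == "__main__":
    report = validate_remediation(BASELINE, RETEST_FINDINGS, RETEST_COVERAGE)
    for status, items in report.items():
        print(status, items)
```

The finding on 10.0.0.9 is reported as unverified rather than remediated because the retest never reached port 8080 on that host.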

Key Takeaways

1. Go beyond network testing, please.
2. Vulnerability scanning is not penetration testing.
3. Conduct penetration testing as often as necessary.
4. Follow the steps: Penetration testing is an art form, but it's vital to follow a methodology to ensure success.
5. When the penetration test is complete, make sure to clean up after yourself.
6. Remember to validate remediated vulnerabilities to ensure they were properly mitigated.

The value you can gain from conducting a penetration test is often dependent on your organization's choice in a partner. Core Impact Pro is the most comprehensive multi-vector solution for assessing and testing security vulnerabilities throughout your organization. Leveraging commercial-grade exploits, users can take security testing to the next level when assessing and validating security vulnerabilities. We can help you Think Like An Attacker and protect your most critical business assets.