Effective Penetration Testing
Netwerk Guardian LLC
Presented by Kevin Pescatello
Why it's so important to plan and communicate.
Penetration Testing
Survey results from professionals in the field state:
Most tests have a 20% failure rate (self/peer average)
Poor communication and planning
Failure to follow process
Little or no documentation
Resistance
Legal review of contract and corporate/IT governance
Vulnerability assessment is not penetration testing
Why Penetration Testing
2011 Symantec statistics show a corporate breach cost of 5.5 million
Trojans, worms, end-user initiated
Imperva: 19% DDoS and SQL injection
Verizon: 98% of attacks from external agents; 98% occurred on servers; 58% derived from hacktivists
Client X Data Breach
Find a Pen That Fits
No one pen testing group fits all
Unique strengths and weaknesses
Requesting client needs to know: Assets + Processes = Requirements
What do you really need tested?
Is an industry security standard within reach? ISO 27001/2, FISMA compliance, NIST SP 800-53 Rev. 3
Client X Processes
Enabling Events
White box with diagrams
Manual testing finds more ingress points
Good communication plan with limitations
Know the effects of tools
Documented processes and assets
Inhibiting Events
Clients view tests as witch hunts (resistance)
Terminology confusion
Running unfamiliar tools
No documentation
Test Objectives
Server: Availability
Core Business Application: Availability, Confidentiality
Workstation: Confidentiality
Penetration Tests
Penetration Test Schedule
The following is an estimate for the test plan. It will take one work day, or eight (8) hours, to complete the following work.
08:00-08:30 Target Devices and Services: Have all identified targets of evaluation documented; obtain and review the prioritized list of services
08:30-09:30 Test Operating Systems: Use Microsoft Baseline Security Analyzer; use nmap to discover devices (banner grabbing); use Nessus to discover vulnerabilities
09:30-10:30 Test Network Devices: Use nmap to discover devices and ports; discover services; DoS/DDoS attack
10:30-12:00 Test Core Business Application: Armitage and Meterpreter used for testing but not successful
13:00-14:30 Man in the Middle: Spoofing & clear-text traffic capturing
14:30-17:00 Contingency Testing, Report with Countermeasures: Contingency testing in case one or more tests remain open or are denied success; provide results in a brief outlining the test and results; provide countermeasures
Appendix F: Sample Contract (Con't)
Reverse TCP Shell - Keylogging
Reverse TCP Shell Admin in
Penetration Test Results
Application Server: Resilient against mild LAN DDoS; Integrity - data is encrypted; IIS service resilient
Workstation (Windows 7): Integrity - app data is encrypted; Susceptible to MITM; Susceptible to key logging
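The MITM result above, and the spoofing / clear-text capture slot in the schedule, are the kind of finding a defender wants to be able to detect on the LAN. The following is an added example, not code from the deck or from Netwerk Guardian: a small monitor that reads ARP records and flags the IP-to-MAC binding changes that ARP-cache poisoning produces. The log format (`<epoch> <ip> <mac> <op>`), the gateway address and every record in the sample log are constructed for the example.

```python
"""ARP-cache poisoning detector: flags the IP-to-MAC binding changes that a
LAN man-in-the-middle typically produces.

Added example for the deck's "Susceptible to MITM" finding and the spoofing /
clear-text capture slot in the schedule; it is not code from the original
presentation. The log format, the gateway address and the ARP records below
are all constructed sample data.
"""
from dataclasses import dataclass, field

# Assumed gateway address for the monitored segment (constructed).
GATEWAY_IP = "192.168.1.1"

# Constructed sample ARP log, one record per line: "<epoch> <ip> <mac> <op>".
# The two records ending in ...:99 show a single MAC taking over the gateway's
# address and then a workstation's address: the classic two-sided poisoning.
SAMPLE_ARP_LOG = """\
1000.0 192.168.1.1  aa:bb:cc:00:00:01 reply
1001.0 192.168.1.20 aa:bb:cc:00:00:20 reply
1002.0 192.168.1.1  aa:bb:cc:00:00:01 request
1003.0 192.168.1.1  aa:bb:cc:00:00:01 reply
1005.0 192.168.1.1  aa:bb:cc:00:00:99 reply
1006.0 192.168.1.20 aa:bb:cc:00:00:99 reply
1007.0 192.168.1.30 aa:bb:cc:00:00:30 reply
"""


@dataclass
class ArpRecord:
    ts: float
    ip: str
    mac: str
    op: str  # "request" or "reply"


def parse_arp_line(line: str) -> ArpRecord:
    """Parse one whitespace-separated record; raises ValueError on bad input."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"malformed ARP record: {line!r}")
    ts, ip, mac, op = parts
    return ArpRecord(float(ts), ip, mac.lower(), op.lower())


@dataclass
class ArpMonitor:
    """Tracks the first MAC seen for each IP and alerts when it changes."""
    bindings: dict = field(default_factory=dict)  # ip -> mac
    alerts: list = field(default_factory=list)

    def observe(self, rec: ArpRecord):
        # Only replies assert a binding; requests carry no claim to track.
        if rec.op != "reply":
            return None
        known = self.bindings.get(rec.ip)
        if known is None:
            self.bindings[rec.ip] = rec.mac
            return None
        if known == rec.mac:
            return None
        alert = {
            "ts": rec.ts,
            "ip": rec.ip,
            "old_mac": known,
            "new_mac": rec.mac,
            # A change on the gateway address is the highest-value signal.
            "gateway": rec.ip == GATEWAY_IP,
            # The same MAC already claiming other IPs strengthens the case.
            "mac_also_claims": sorted(
                ip for ip, mac in self.bindings.items()
                if mac == rec.mac and ip != rec.ip
            ),
        }
        self.bindings[rec.ip] = rec.mac  # keep tracking from the new binding
        self.alerts.append(alert)
        return alert


def scan_log(text: str = SAMPLE_ARP_LOG) -> list:
    """Run the monitor over a log and return the list of alerts."""
    mon = ArpMonitor()
    for line in text.splitlines():
        if line.strip():
            mon.observe(parse_arp_line(line))
    return mon.alerts


if __name__ == "__main__":
    for a in scan_log():
        tag = "GATEWAY " if a["gateway"] else ""
        print(f"{a['ts']:.1f} {tag}binding change {a['ip']}: "
              f"{a['old_mac']} -> {a['new_mac']} "
              f"(same MAC also claims {a['mac_also_claims']})")
```

Run stand-alone it reports two binding changes on the sample log, the first on the gateway address. Feeding it real records would mean exporting ARP replies from a sniffer or switch log into the same four-column format; the same check is what the deck's NAC appliance countermeasure performs in hardware, with the advantage of being able to block the port rather than only alert.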
Countermeasures
Summation of countermeasures:
1. NAC appliance (Trustwave)
2. Host-based firewall (ZoneAlarm used)
3. Host-based VPN out for secure HTTP
4. Private SSH server
Next Steps
Security Planning & Management
Have documentation started for ISO C&A
Known assets and associated risks
Keep going for that standard!
Security Management
Continuous improvement by managing risk
Identifying key risks against critical processes
Know your strengths and weaknesses and when to outsource
Real Life Application
Know that not everything is handed to you
Security is a constant struggle
KSAs require diligence in practice
Penetration testing challenges everyone.
References
Symantec. (2012). 2011 Annual Study - U.S. Cost of a Data Breach. Retrieved from http://www.slideshare.net/symantec/2011-annual-study-us-cost-of-a-data-breach-march-2012
Imperva. (2012). Hacker Intelligence Initiative, Monthly Trend Report #13. Retrieved from http://www.imperva.com/docs/hii_monitoring_hacker_forums_2012.pdf
Verizon. (2012). 2012 Data Breach Investigations Report. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Netwerk Guardian LLC Security
Effective Penetration Testing
Questions?