Getting The Most Value From Your Next Network Penetration Test
Jerald Dawkins, Ph.D.
True Digital Security
P.O. Box 35623, Tulsa, OK 74153
p. 866.430.2595  f. 877.720.4030
truedigitalsecurity.com

Goals
- Understanding security testing: penetration testing versus vulnerability scanning and analysis
- How to scope a penetration test, and how to evaluate a proposed scope
- How to interpret the results of a penetration test
Many Forms
- Vulnerability scanning
- Vulnerability assessment
- Red teaming
- Penetration testing
- Threat models
- Black box, grey box, white box
- Scope, rules of engagement
What does it all mean?

Vulnerability Scanning (most common)
- Identifies known vulnerabilities only: OS patch management, application patch management, system misconfiguration
- Ultimately a clean report still carries risk and rests on assumptions: the scanner only reports what it knows how to find
Problems with Vulnerability Scanning
- Limited control testing: patch management and known configuration issues only
- Surface evaluation only ("yes, the building has windows")
- Weak on web applications and custom applications
- Mismanaged by IT and audit: typically does not address the fundamental issues
- Scanning becomes the requirement, not remediation
- Not aligned with business value (a laptop is treated the same as a server)
- Results depend on the viewpoint: internal versus external, credentialed versus unauthenticated
Penetration Testing
Use it to verify:
- That configuration standards are adequate
- That the assumptions made by the organization are correct
- The effectiveness of the internal control structure and procedures, from two angles: are the procedures being completed, and are the procedures adequate?
- Gaps in compliance
- A broader range of internal control procedures than a scan can reach
Rise of Attacks (timeline)
- 1990: networking infrastructure (TCP/IP)
- 1995: host
- 2000: platform
- 2003: applications

Penetration Testing Primer
- Black box, grey box, white box
- Noisy versus stealthy
- Whether to disable security features (like IPS) for the duration of the test
- Simulation versus real attacks (actual exploitation)
- Credentialed versus unauthenticated
- Specialized penetration testing: Oracle, SCADA, etc.; custom applications or deployments
- Restricting penetration testing (what is off limits)
Test What You Can Control
Findings from a real penetration test of vendor-supplied equipment:
- JTAG fuses are sometimes not blown (the debug port is left enabled)
- Keys embedded in firmware
- C12.21 (ANSI meter communication) authentication not implemented
- SNMP, DHCP, dynamic ARP and embedded NTP vulnerabilities
Lessons:
- Vendor management is critical
- Focus on what you can control, and validate those controls
- Assume the cellular network is compromised; rely on encrypted communication
- Leverage the vendor's documentation and implementation guides
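One of the findings above, keys embedded in firmware, is something an auditor can check before trusting a vendor's claim. The script below is an added example (not from the slides or from True Digital Security) that runs two cheap triage checks over a firmware image: a search for PEM-encoded private keys, and a sliding entropy scan that flags blocks dense enough to be raw key material or ciphertext. The firmware image, the placeholder base64 text and the seeded random block are all constructed for the example; none of it is a real key.

```python
"""Triage a firmware image for embedded key material (added example)."""
import math
import random
import re
from collections import Counter

# PEM armour for private keys: "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", ...
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z]+ )?PRIVATE KEY-----",
    re.DOTALL,
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_pem_keys(image: bytes) -> list:
    """Offsets of every PEM private-key block in the image."""
    return [m.start() for m in PEM_PRIVATE_KEY.finditer(image)]


def find_high_entropy_blocks(image: bytes, block_size: int = 1024,
                             threshold: float = 7.5) -> list:
    """(offset, entropy) for each aligned block at or above the threshold.

    Code and text sit well below 7.5 bits/byte; random keys, ciphertext and
    compressed sections sit above it, so hits are candidates to compare with
    the vendor's stated image layout, not proof of a key.
    """
    hits = []
    for off in range(0, len(image) - block_size + 1, block_size):
        e = shannon_entropy(image[off:off + block_size])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def build_sample_image() -> bytes:
    """Constructed 4 KiB image: erased flash, a PEM key, a raw key, a data pattern."""
    rng = random.Random(2024)                      # fixed seed keeps the example deterministic
    block0 = b"\x00" * 1024                       # erased flash
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           + b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n" * 8   # placeholder base64, not a real key
           + b"-----END RSA PRIVATE KEY-----\n")
    block1 = pem.ljust(1024, b"\x00")             # PEM key padded into its own block
    block2 = bytes(rng.getrandbits(8) for _ in range(1024))  # stands in for a raw symmetric key
    block3 = b"\x55\xaa" * 512                    # repetitive data pattern, low entropy
    return block0 + block1 + block2 + block3


def assess(image: bytes) -> dict:
    """Both checks in one report."""
    return {
        "pem_keys_at": find_pem_keys(image),
        "high_entropy_blocks": find_high_entropy_blocks(image),
    }


if __name__ == "__main__":
    report = assess(build_sample_image())
    print("PEM private keys at offsets:", report["pem_keys_at"])
    print("High-entropy blocks (offset, bits/byte):", report["high_entropy_blocks"])
```

Run it against a real image by replacing `build_sample_image()` with the bytes of the vendor's firmware file; the block size and threshold are assumptions you should tune to the image. A blown (or unblown) JTAG fuse cannot be seen in the image at all, which is exactly the point of the slide: that check needs hardware access, so ask the vendor for it in writing and validate it on a sample unit.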
RFP Preparation
- Number of machines, operating systems, architecture
- Target of the penetration test: credit card information, a particular data set, internal access, a specific system or custom application
- Rules of engagement: social engineering, actual exploitation, communication plan
- Leverage the penetration testing team to build the plan
- Time equals money: a black box engagement should usually be run as a white box one, since paying the testers to rediscover what you could simply tell them buys little
- Stealthy versus noisy
- IT versus Audit

Report: What You Need To Know
- Test the entire process, not just the response
- Can your team identify the initial scan?
- Can your team track the attack? System logs, system configuration changes, user administration, service uptime
- Adequacy of your Incident Response Plan
- Map the engagement to your security controls to evaluate their effectiveness
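The report questions above ("Can your team identify the initial scan? Can your team track the attack?") can be answered mechanically if you keep the tester's source addresses and engagement window from the rules of engagement and replay the logs you collected against them. The script below is an added example, not from the slides or from True Digital Security: it measures how long the IDS and the SOC took to notice the tester's first contact and lists the user-administration and configuration changes that change management should have caught. The log lines, hostnames, addresses (TEST-NET ranges) and the engagement window are all constructed for the example.

```python
"""Replay engagement logs against the rules of engagement (added example)."""
import re
from datetime import datetime, timezone

# From the rules of engagement (constructed values)
TESTER_IPS = {"203.0.113.10", "203.0.113.11"}
WINDOW_START = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 6, 17, 0, tzinfo=timezone.utc)

# Constructed syslog-style lines from the firewall, IDS, a host and the SOC ticket queue
LOGS = """\
2024-05-06T09:02:11Z fw01 DENY src=203.0.113.10 dst=192.0.2.20 dport=23 proto=tcp
2024-05-06T09:02:11Z fw01 DENY src=203.0.113.10 dst=192.0.2.20 dport=135 proto=tcp
2024-05-06T09:02:12Z fw01 ALLOW src=203.0.113.10 dst=192.0.2.20 dport=443 proto=tcp
2024-05-06T09:03:40Z ids01 ALERT sig="SCAN port sweep" src=203.0.113.10 dst=192.0.2.20
2024-05-06T10:15:02Z app01 sshd Accepted password for admin from 203.0.113.11 port 51022
2024-05-06T10:16:30Z app01 useradd new user: name=svc_backup, UID=1007
2024-05-06T10:17:05Z app01 sudo admin : COMMAND=/usr/bin/vi /etc/ssh/sshd_config
2024-05-06T11:00:00Z soc TICKET opened INC-4021 "unusual port activity" src=203.0.113.10
2024-05-06T18:30:00Z fw01 ALLOW src=198.51.100.7 dst=192.0.2.20 dport=443 proto=tcp
""".splitlines()

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
SRC = re.compile(r"\b(?:src=|from )(\d+\.\d+\.\d+\.\d+)")
# Events change management and user administration should have recorded
CHANGE = re.compile(r"\b(?:useradd|userdel|usermod|COMMAND=\S*\s*/etc/)")


def parse(line: str):
    """(timestamp, host, message) or None for a line that does not fit the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3)


def events(lines=LOGS) -> list:
    """Parsed events inside the engagement window, each with its source IP if any."""
    out = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if WINDOW_START <= ts <= WINDOW_END:
            src = SRC.search(msg)
            out.append((ts, host, msg, src.group(1) if src else None))
    return sorted(out, key=lambda e: e[0])


def summarize(lines=LOGS) -> dict:
    """Detection lag, response lag and the changes made during the engagement."""
    evs = events(lines)
    first_contact = next((e[0] for e in evs if e[3] in TESTER_IPS), None)
    ids_alert = next((e[0] for e in evs
                      if e[1].startswith("ids") and e[3] in TESTER_IPS), None)
    ticket = next((e[0] for e in evs if "TICKET opened" in e[2]), None)
    changes = [(e[0], e[1], e[2]) for e in evs if CHANGE.search(e[2])]

    def lag(t):
        if t is None or first_contact is None:
            return None
        return int((t - first_contact).total_seconds())

    return {
        "first_tester_contact": first_contact,
        "scan_detected": ids_alert is not None,
        "ids_lag_seconds": lag(ids_alert),
        "ticket_lag_seconds": lag(ticket),
        "changes_in_window": changes,
    }


if __name__ == "__main__":
    result = summarize()
    print("first tester contact:", result["first_tester_contact"])
    print("IDS saw the scan:", result["scan_detected"],
          "after", result["ids_lag_seconds"], "s")
    print("SOC ticket opened after", result["ticket_lag_seconds"], "s")
    for ts, host, msg in result["changes_in_window"]:
        print("change during engagement:", ts, host, msg)
```

Each number maps back to a control in the slides: the IDS lag tests the intrusion detection system, the ticket lag tests incident response, and the change list is what change management and user administration should be able to explain (here the new `svc_backup` account and the edited `sshd_config`, both made from a tester address). An empty change list when the testers report they created accounts is itself a finding about log management. The line format and field names are assumptions; adapt the regexes to your own log sources.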
Penetration Test Example (diagram: the engagement mapped onto the controls it exercises)
- Intrusion Detection System
- Incident Response
- Firewall Configuration
- Change Management
- Anti-Virus Software
- File Integrity Monitoring
- Log Management
- User Access Control
Advice to IT Auditors
- Focus on the scope of the test (vulnerability scan or penetration test): Are you scanning the correct systems? Are vulnerabilities being properly managed? What is the focus of the penetration test, and which controls are actually being tested?
- Focus on what you can control: SCADA protocols (research versus practical), vendor systems and applications (vendor management)
- Map the engagement to your security controls to evaluate their effectiveness
- Don't try to be a Cisco/Windows/IIS/application expert!
Jerald Dawkins, Ph.D.
jdawkins@trueds.com
True Digital Security
http://www.trueds.com
918-770-7700