
Penetration Testing in Romania

Adrian Furtună, Ph.D.


2 November 2011

CYBERTHREATS 2011: Securitatea informatică între extreme. Rolul serviciilor și al prevenției
(Information security between extremes: the role of services and of prevention)

Agenda

- About penetration testing
- Examples
- Q&A

2011 KPMG Romania SRL, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative("KPMG International"), a Swiss entity. All rights reserved. PDC no.8229.

What is penetration testing?

A method for evaluating the security of an information system or network by simulating attacks from malicious outsiders or insiders.

Related terms:
- Penetration testing, pentesting
- Ethical hacking
- Tiger teaming
- Red teaming
(Romanian: teste de penetrare, teste de intruziune)

Penetration testing is not the same as a vulnerability assessment: an assessment enumerates weaknesses, a penetration test exploits them to show what an attacker could actually achieve.

Penetration testing is:
- authorized
- adversary-based
- ethical (performed for defensive purposes)


Motivation. Why? When?

Why:
- Verify the effectiveness of the protection mechanisms implemented:
  - application security mechanisms
  - server configurations
  - network configurations
  - employee security awareness
  - physical security
- Test the ability of the system defenders to detect and respond to attacks
- Obtain a reliable basis for investments in security personnel and technology
- Required or expected by standards such as PCI DSS (requirement 11.3) and ISO 27001

When:
- As part of a risk assessment, for risk identification and quantification
- As part of an ongoing or periodic security assessment
- Before a new system is put into production
- During the development phase of a new system


Penetration testing objectives and targets (examples)

External penetration test:
- Test the security of internet banking / mobile banking applications
- Evaluate the security of internet-facing applications
- Perform fraudulent transactions in online shops
- Access personal data in online medical applications
- Gain physical access to the company building and install a rogue access point

Internal penetration test:
- Obtain access to the database server containing customer information
- Gain control of Active Directory
- Obtain administrative access to the ERP application
- Gain access to company assets (sensitive files, project plans, intellectual property)


Penetration testing by example


Threats:
- External attacker: hacker, industrial espionage, organized crime
- Internal attacker: malicious employee, collaborator, consultant, visitor

Vulnerabilities (weakness classes):
- Insufficient input validation
- Insecure session configuration
- Application logic flaws
- Insecure server configuration

Vulnerabilities (specific findings):
- SQL injection
- OS command execution
- Authentication bypass
- Cross-site scripting
- Directory browsing
- Password autocomplete

Asset:
- Internet banking application

Risks, rated on two questions, Vulnerable? and Exploitable? (H = high):
- SQL injection: H / H
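The two "insufficient input validation" findings in the table above, SQL injection and OS command execution, as an added example in Python. This code is not from the presentation and not from any application KPMG tested; the user table, credentials and hostnames are constructed for the example, and `echo` stands in for the ping command so the block runs offline. Each sink is shown in the vulnerable form the tester looks for and in the corrected form the report would recommend.

```python
import re
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # SQL injection sink: user input is concatenated into the query text,
    # so a name of  alice' --  comments out the password check entirely.
    sql = ("SELECT count(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Bound parameters: the driver sends the values separately from the query,
    # so quotes and comment markers in the input stay plain data.
    sql = "SELECT count(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def ping_vulnerable(host: str) -> str:
    # OS command execution sink: shell=True hands the whole string to /bin/sh,
    # so  10.0.0.1; id  runs a second command. 'echo' replaces ping here.
    result = subprocess.run("echo pinging " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


# Allow-list for hostnames: letters, digits, dots and hyphens only.
HOSTNAME = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def is_valid_hostname(host: str) -> bool:
    return HOSTNAME.match(host) is not None


def ping_fixed(host: str) -> str:
    # Validate against the allow-list and pass the value as its own argv
    # element; no shell parses the string, so metacharacters cannot act.
    if not is_valid_hostname(host):
        raise ValueError("rejected hostname: %r" % host)
    result = subprocess.run(["echo", "pinging", host],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, injected name:", login_vulnerable(db, "alice' --", "wrong"))
    print("fixed login, same input:        ", login_fixed(db, "alice' --", "wrong"))
    print("vulnerable ping, injected host: ", repr(ping_vulnerable("10.0.0.1; echo INJECTED")))
    print("fixed ping rejects that input:  ", not is_valid_hostname("10.0.0.1; echo INJECTED"))
```

The vulnerable login accepts `alice' --` with any password; the parameterised version rejects it. The vulnerable ping prints the injected command's output; the fixed version never reaches a shell and rejects the value at validation.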


Penetration testing types

According to the attacker's location:
- External pentest: simulates hackers, corporate espionage, terrorists, organized crime
- Internal pentest: simulates a malicious employee, collaborator, consultant, visitor

According to the attacker's initial information:
- Black box test: simulates hackers, organized crime, terrorists, visitors
- Gray box test: simulates consultants, corporate espionage, business partners, regular employees
- White box test: simulates malicious system administrators, developers, consultants

According to the attacks performed:
- pure technical
- social engineering
- denial of service

How?

- Information gathering
- Create attack trees
- Prepare tools
- Perform collaborative attacks
- Identify vulnerabilities
- Exploit vulnerabilities
- Extract sensitive data
- Gain system access
- Escalate privileges
- Pivot to other systems
- Write the report
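An attack tree for one of the internal-test objectives listed earlier, obtaining access to the database server that holds customer information, as an added example in Python (not from the presentation). Leaves carry a constructed effort cost, OR nodes take their cheapest child, AND nodes add their children. The same model then shows what one countermeasure, input validation that removes the SQL injection, does to the cheapest path, which is the kind of argument the "reliable basis for investments" bullet refers to. All branch names and costs are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "LEAF", "OR" or "AND"
    cost: float = 0.0           # attacker effort for a leaf (constructed units)
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    # Returns the minimum total effort to reach this node and the leaves used.
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if node.kind == "OR":                       # any one child suffices
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":                      # every child is required
        total = sum(r[0] for r in results)
        return total, [leaf for r in results for leaf in r[1]]
    raise ValueError("unknown node kind: " + node.kind)


def build_tree() -> Node:
    # Assumed tree: three routes to the customer database, drawn from the
    # objectives on the earlier slides. Costs are illustrative only.
    return Node("Read customer data on the database server", "OR", children=[
        Node("Through the internet banking application", "AND", children=[
            Node("Find SQL injection in the internet-facing application", cost=3),
            Node("Extract customer data through the injection", cost=1),
        ]),
        Node("Through a phished employee", "AND", children=[
            Node("Phish an employee's credentials", cost=2),
            Node("Reach the internal network with those credentials", cost=2),
            Node("Escalate to database administrator", cost=4),
        ]),
        Node("Through physical access", "AND", children=[
            Node("Enter the building", cost=5),
            Node("Install a rogue access point", cost=1),
            Node("Pivot from the rogue access point to the database server", cost=4),
        ]),
    ])


def apply_control(node: Node, leaf_name: str, new_cost: float) -> bool:
    # Model a countermeasure by raising the cost of one leaf in place.
    if node.kind == "LEAF":
        if node.name == leaf_name:
            node.cost = new_cost
            return True
        return False
    return any([apply_control(child, leaf_name, new_cost) for child in node.children])


def cost_after_control(leaf_name: str, new_cost: float = float("inf")) -> float:
    # Cheapest attack once the named leaf is blocked (cost infinite by default).
    tree = build_tree()
    if not apply_control(tree, leaf_name, new_cost):
        raise KeyError(leaf_name)
    return cheapest(tree)[0]


if __name__ == "__main__":
    cost, path = cheapest(build_tree())
    print("cheapest attack costs", cost, "via", path)
    fixed = "Find SQL injection in the internet-facing application"
    print("after fixing the injection, cheapest attack costs", cost_after_control(fixed))
```

With the assumed costs the injection route wins at 4; once the injection leaf is blocked the phishing route becomes the cheapest at 8, so the tree says where the next control should go rather than just listing findings.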


Automated vs. Manual

Automated testing:
- Configure the scanner
- Run the scanner and wait for results
- (Validate findings where possible)
- Deliver the report to the client

Manual testing:
- Use tools as helpers only
- Validate findings by exploitation (no false positives)
- Dig for sensitive data, escalate privileges, gain access to other systems
- Model and simulate real threats: simulate the attacker's way of thinking; consider the attacker's resources, knowledge, culture and motivation
- Several manual tests for the exploitation of specific vulnerabilities
- Strict control, logging, quick feedback
- Interpret the findings according to business impact
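The "validate findings" step above, as an added example in Python (not from the presentation): three scanner-style findings from the internet banking table, insecure session configuration, password autocomplete and directory browsing, are confirmed from the raw HTTP responses instead of being reported on the scanner's word. The two responses are constructed for the example; a finding is returned only when the evidence is actually present in the response.

```python
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed responses standing in for the pages the scanner flagged.
LOGIN_PAGE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/
Set-Cookie: lang=ro; Path=/; Secure; HttpOnly
Content-Type: text/html

<html><body><form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="pass">
<input type="submit"></form></body></html>"""

UPLOADS_DIR = """HTTP/1.1 200 OK
Content-Type: text/html

<html><head><title>Index of /uploads</title></head><body>
<h1>Index of /uploads</h1><a href="backup.sql">backup.sql</a></body></html>"""


def split_response(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    # Separate header lines (lower-cased names) from the body.
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def insecure_cookies(headers) -> Dict[str, List[str]]:
    # For every Set-Cookie, list the protection flags it lacks.
    missing = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        lacking = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        if lacking:
            missing[cookie_name] = lacking
    return missing


class PasswordFieldParser(HTMLParser):
    # Collects password inputs that do not switch browser autocomplete off.
    def __init__(self):
        super().__init__()
        self.unprotected: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            if (a.get("autocomplete") or "").lower() != "off":
                self.unprotected.append(a.get("name") or "?")


def password_autocomplete(body: str) -> List[str]:
    parser = PasswordFieldParser()
    parser.feed(body)
    return parser.unprotected


def directory_listing(body: str) -> bool:
    # Apache-style auto-index pages carry an "Index of /..." title.
    return "<title>Index of /" in body


def confirm_findings(raw: str) -> dict:
    # Only findings with evidence in this response are reported.
    headers, body = split_response(raw)
    findings = {}
    cookies = insecure_cookies(headers)
    if cookies:
        findings["insecure session configuration"] = cookies
    fields = password_autocomplete(body)
    if fields:
        findings["password autocomplete"] = fields
    if directory_listing(body):
        findings["directory browsing"] = True
    return findings


if __name__ == "__main__":
    print("login page:", confirm_findings(LOGIN_PAGE))
    print("uploads dir:", confirm_findings(UPLOADS_DIR))
```

The session cookie is reported (it lacks both Secure and HttpOnly) while the `lang` cookie, which carries both flags, is not; the password field is reported because it has no `autocomplete="off"`; the listing is reported only for the response that actually contains one.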


Resources

- Dedicated machines
- Dedicated network
- Software tools: in-house developed, open source, commercial
- Dedicated workspace (IT security laboratory)
- Protection of client data
- Logging facility



Limitations

- Timeframe
- Budget
- Resources
- Personnel awareness
- Things change: the tested system keeps evolving after the test

A test finds only a subset of the known vulnerabilities, which are themselves a subset of all the vulnerabilities in the software.

A penetration test does not discover all vulnerabilities, but it reduces the number of vulnerabilities that could be found by highly skilled attackers with similar resources and knowledge.



Reporting

Executive summary:
- Overview
- Key findings
- High-level observations
- Risk matrix

Technical report:
- Findings
- Risks
- Recommendations

Present the report to the client.



Best Practice, Standards, Certifications and Knowledge

Security testing standards:
- OSSTMM - Open Source Security Testing Methodology Manual
- NIST SP 800-42 - Guideline on Network Security Testing (superseded in 2008 by NIST SP 800-115, Technical Guide to Information Security Testing and Assessment)
- OWASP - The Open Web Application Security Project (testing guide)

Certifications:
- Offensive Security: OSCE, OSCP, OSWP
- ISECOM: OPST
- SANS/GIAC: GPEN, GWAPT
- EC-Council: LPT, CEH
- CHECK: Team Leader, Team Member
- CREST: Registered Tester, Certified Tester

Knowledge:
- System administration
- Network administration
- Software development
- Quality assurance / software testing


Example (1): Outdated CMS allows unauthorized file upload



Example (2): Arbitrary file download



Example (3): Gaining access to development servers



Example (4): Application logic flaw



Example (5): Social engineering



Example (6): Gaining root access



Thank you! Questions?

Adrian Furtună, Ph.D.


afurtuna@kpmg.com
2011 KPMG Romania, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
