Penetration Testing - PowerPoint PPT Presentation

1
Penetration Testing
  • University of Sunderland
  • CSEM02
  • Harry R Erwin, PhD

2
Resources
  • QinetiQ Information Security Foundation Course
    (2002)
  • Tittel, Stewart, and Chapple, 2004, CISSP:
    Certified Information Systems Security
    Professional Study Guide, 2nd edition, Sybex
  • Whittaker and Thompson, 2004, How to Break
    Software Security, Pearson

3
Definition
  • An activity used to test the strength and
    effectiveness of deployed security measures with
    an authorized attempted intrusion attack.
    Penetration testing should be performed only with
    the consent and knowledge of the management
    staff. (Tittel et al., 2004)

4
General Comments
  • Usually done to give management a warm and
    fuzzy feeling about the security of their
    system.
  • Expensive
  • Does not substitute for good security testing or
    for good security design.
  • This discussion covers how it is done.

5
General Approach
  • The members of the team first scope the
    penetration test. This includes:
    • Consultation with the customer about the specific
      type of testing to be performed:
      • On-site
      • Remote
      • Application
      • Telecommunications
      • Hybrid
    • Number of hosts to be tested
    • Timescale

6
Penetration Testing Services
  • Begins with a tailored security health check
    (SHC), comprising part or all of:
    • Network security health check
      • Onsite
      • Remote
    • Application security health check
    • Telecommunications security health check
  • Should be flexible and appropriate

7
Network SHC
  • Location can be remote or onsite
  • Starts with public records
    • RIPE/DNS/Google (you've seen this demonstrated)
  • Network assessment
    • Architecture
    • Gateways (RIP/OSPF)
    • Firewalls (ACL/rules)
    • Protocols
    • IP range
    • Anomalies

8
Network Testing
  • If onsite, you will need to conduct on-host
    audits
    • Windows
    • Unix
  • Infrastructure management should also be assessed
    • Remote/terminal/back-end management
  • Should include a comprehensive configuration
    review and recommendations

9
Network Testing
  • Host assessment
    • Identify the live hosts.
    • Apply operating system fingerprinting to identify
      potential vulnerabilities.
    • Determine the trust relationships.
  • Service assessment
    • Services offered.
    • Anomalies and vulnerabilities.

10
Network Testing
  • Vulnerability assessment
    • Automated tools?
    • Manual determination
  • Risk assessment of data flow
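
The host and service assessment of slides 9 and 10 (and the automated nmap pass on slide 19) produces raw scanner output that has to be turned into an inventory before the manual work starts. The following is an added example, not code from the slides: it parses nmap's XML output into live hosts, OS guesses and open services, then flags the anomalies a tester would look at first. The XML is a constructed sample in the shape `nmap -sV -O -oX -` produces, trimmed to the elements read here, and the CLEARTEXT_MGMT list is this example's own heuristic.

```python
"""Turn nmap's XML output into the inventory a network test needs:
live hosts, OS guesses, open services and the anomalies to look at
manually.  Added example, not code from the slides.  The XML is a
constructed sample shaped like `nmap -sV -O -oX -` output, trimmed to
the elements read here; CLEARTEXT_MGMT is this example's own list."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.0.2.0/28">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11" accuracy="95"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/>
        <service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2012" accuracy="90"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Management protocols that carry credentials in clear; always flagged.
CLEARTEXT_MGMT = {"telnet", "ftp", "rlogin", "rsh", "tftp", "snmp"}


def parse_nmap(xml_text):
    """One dict per live host: addr, hostname, OS guess, open services."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue                      # inventory live hosts only
        hostname = h.find("hostnames/hostname")
        osmatch = h.find("os/osmatch")
        services = []
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue                  # closed/filtered: not a service
            svc = p.find("service")
            attrs = svc.attrib if svc is not None else {}
            services.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "name": attrs.get("name", "unknown"),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
            })
        hosts.append({
            "addr": h.find("address[@addrtype='ipv4']").get("addr"),
            "hostname": hostname.get("name") if hostname is not None else "",
            "os": osmatch.get("name") if osmatch is not None else "unknown",
            "os_accuracy": int(osmatch.get("accuracy", 0)) if osmatch is not None else 0,
            "services": services,
        })
    return hosts


def find_anomalies(hosts):
    """(addr, port, reason) for what the manual assessment should cover first."""
    findings = []
    for h in hosts:
        for s in h["services"]:
            if s["name"] in CLEARTEXT_MGMT:
                findings.append((h["addr"], s["port"], "cleartext management: " + s["name"]))
            elif not s["product"]:
                findings.append((h["addr"], s["port"], "no banner identified; fingerprint by hand"))
    return findings


if __name__ == "__main__":
    inventory = parse_nmap(SAMPLE_NMAP_XML)
    for h in inventory:
        print(h["addr"], h["hostname"] or "-", h["os"],
              [f"{s['port']}/{s['proto']} {s['name']}" for s in h["services"]])
    for addr, port, why in find_anomalies(inventory):
        print(f"ANOMALY {addr}:{port} {why}")
```

The inventory is the starting point, not the finding: an OS match with 90 per cent accuracy and an unidentified banner on 445 are exactly the items the slides' "manual determination" step exists for, and the trust relationships between the listed hosts still have to be worked out by hand.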

11
Application Testing
  • What applications are running?
    • By server type
    • Stovepipe or specialized systems
  • Protocols
  • Session and authentication handling
  • Default scripts and generic vulnerabilities

12
Authentication Analysis
  • Session handling
    • Session identifier: how predictable and
      identifiable is it, can it be brute forced, can it
      be replicated?
    • Session timeout
  • Comparison to best practices
    • Correctly implemented?
    • Predictable secret values?
    • Is brute force blocked?
    • Password complexity adequate?

13
Transactional Security
  • Can transactions be identified in the data
    stream?
  • How much information can be derived from them?
  • What happens when
    • Transactions are replicated
    • Transactions are injected
    • Transactions are deleted
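
The three "what happens when" questions have concrete answers only once the stream carries something the receiver can check. The following is an added example, not code from the slides: a minimal transaction stream in which each message carries a sequence number and an HMAC over its contents, and a receiver that tracks the sequence so that replays and gaps are detected and forged or altered messages are rejected. The key, the payloads and the adversary's moves are all constructed here.

```python
"""Slide 13: what happens when transactions are replicated, injected
or deleted?  Added example, not from the slides: each message carries
a sequence number and an HMAC, and the receiver tracks the sequence so
replays and gaps are detected and forged or altered messages rejected.
KEY, payloads and the adversary's actions are constructed."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-not-for-production"


def make_txn(key, seq, payload):
    """Sender side: serialise (seq, payload) and authenticate it."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class Receiver:
    """Accepts transactions in order; records why anything was refused."""

    def __init__(self, key):
        self.key = key
        self.expected_seq = 1
        self.accepted = []   # payloads applied
        self.events = []     # (kind, reason) for the test report

    def receive(self, txn):
        mac = hmac.new(self.key, txn["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, txn["mac"]):
            # Injected or altered: the MAC does not match the body.
            self.events.append(("rejected", "bad MAC: injected or altered"))
            return False
        msg = json.loads(txn["body"])
        seq = msg["seq"]
        if seq < self.expected_seq:
            # Replicated: this sequence number was already applied.
            self.events.append(("rejected", f"replay of seq {seq}"))
            return False
        if seq > self.expected_seq:
            # Deleted: something between expected_seq and seq never arrived.
            self.events.append(("gap", f"expected seq {self.expected_seq}, got {seq}"))
        self.accepted.append(msg["payload"])
        self.expected_seq = seq + 1
        return True


def run_scenario(key=KEY):
    """Sender emits seq 1-4; an adversary replays 2, injects a forged
    transfer, alters 1's amount in transit, and drops 3 entirely."""
    rx = Receiver(key)
    t = {n: make_txn(key, n, {"transfer": amt, "to": acct})
         for n, amt, acct in [(1, 100, "acct-A"), (2, 50, "acct-B"),
                              (3, 25, "acct-C"), (4, 10, "acct-D")]}
    rx.receive(t[1])
    rx.receive(t[2])
    rx.receive(t[2])                                                        # replicated
    rx.receive(make_txn(b"attacker-key", 3, {"transfer": 9999, "to": "mule"}))  # injected
    rx.receive({"body": t[1]["body"].replace("100", "1000"), "mac": t[1]["mac"]})  # altered
    rx.receive(t[4])                                                        # 3 was deleted
    return rx


if __name__ == "__main__":
    rx = run_scenario()
    print("applied:", rx.accepted)
    for kind, reason in rx.events:
        print(kind, "-", reason)
```

Two limits worth stating in a report: a deleted transaction is only noticed when a later one arrives, so a dropped final message needs a heartbeat or end-of-batch marker; and the MAC protects integrity, not confidentiality, so the first two questions on the slide (can transactions be identified, what can be derived from them) are still answered "yes, everything" unless the stream is also encrypted.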

14
Source Code Review
  • Logical analysis
    • Control flow
    • Functionality
  • Information leakage
    • Error messages
  • Input validation
    • Bad input
    • Bypass
    • Drilling through
  • Expensive in time and money.
  • Pay me now, or pay me later. It costs more later.
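
Two of the checklist items above, input validation that bad input can drill through and error messages that leak, are easiest to recognise in review when the weak and the corrected form sit side by side. The following is an added example, not code from the slides: the file-name resolver and error handlers are a constructed toy, not any real application's code, and BASE_DIR is an assumed location.

```python
"""Two slide 14 review items side by side: input validation that bad
input drills through, and error messages that leak.  Added example,
not from the slides; the resolver and error handlers are a constructed
toy, not any real application's code, and BASE_DIR is assumed."""
import logging
import os
import re
import uuid

BASE_DIR = os.path.abspath("/srv/app/files")   # assumed document root
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.txt")
log = logging.getLogger("review-demo")


def inside_base(path):
    """True when path is BASE_DIR itself or somewhere below it."""
    return os.path.commonpath([BASE_DIR, path]) == BASE_DIR


def vulnerable_resolve(user_name):
    """'Sanitises' by stripping one traversal sequence and trusting the
    result.  Drilling through: '....//secret' becomes '../secret'
    after the single replace, and normpath walks out of BASE_DIR."""
    cleaned = user_name.replace("../", "")
    return os.path.normpath(os.path.join(BASE_DIR, cleaned))


def hardened_resolve(user_name):
    """Allowlist the whole name, then check the resolved path is still
    under BASE_DIR.  Anything else is refused with None rather than
    being cleaned up and passed on."""
    if not SAFE_NAME.fullmatch(user_name):
        return None
    path = os.path.normpath(os.path.join(BASE_DIR, user_name))
    return path if inside_base(path) else None


def leaky_error(exc):
    """Error page a reviewer flags: exception type and internals go to
    the client, which maps the server for the next test."""
    return f"500 {type(exc).__name__}: {exc}"


def safe_error(exc):
    """Generic text to the client; detail stays in the server log under
    a reference the user can quote to support."""
    ref = uuid.uuid4().hex[:8]
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return f"500 Internal error (ref {ref})"


if __name__ == "__main__":
    for name in ["report.txt", "../etc/passwd", "....//secret"]:
        print(f"{name!r:18} vulnerable -> {vulnerable_resolve(name)}")
        print(f"{'':18} hardened   -> {hardened_resolve(name)}")
    err = FileNotFoundError("/srv/app/secret")
    print(leaky_error(err))
    print(safe_error(err))
```

The review lesson is the shape of the fix, not the particular payload: a denylist plus a clean-up step invites the reviewer to find the input that survives one pass, whereas an allowlist on the whole value followed by a check on the final, resolved result leaves nothing to drill through. The same applies to the error path: what is useful to the developer in a log is useful to the tester on the wire.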

15
Telecomms Testing
  • War-dialing and modem detection
    • Identified modems need to be inventoried
  • PABX audit looks for
    • Toll fraud
    • Call redirection
    • Remote reconfiguration
    • Trunk line configuration

16
Penetration Test Process
  • Scope/preparation
  • Briefing
  • Physical test
  • Knowledge transfer and education
  • Diagnosis
  • Debriefing
  • Report

17
Scope/Preparation
  • Scope and scale the test
  • Establish deadlines and schedules
  • Sign contract
  • Conduct test planning
    • Risk and perceived threat
    • Technology
  • Identify and deploy necessary skills

18
Initial Briefing
  • Meet technical staff
  • Collect contact information
  • Describe the test
  • Identify areas of concern
  • Maintain contact
  • Track major user issues
  • Be open

19
Physical Test
  • Evaluate the network
    • IP range
    • Subnets
  • Automated tests (Nessus/nmap)
  • Hands-on tests
    • Prior experience of testers
    • Trust analysis
    • Exploits

20
Debriefing
  • Evaluate automated results
  • Assess anomalies
  • Ensure full scope of testing has been completed
  • Make sure the nature of any successful
    penetration is clear to the customer

21
Closure
  • Make sure all experts/managers are involved.
  • Discuss all results
  • Identify who receives reports
  • Provide contact details
  • Prepare report
    • When due, what, and follow-up.

22
Conducting the Test
  • Identify target and goal
  • Gather information
  • Identify potential routes into network
  • Test potential routes
  • Capture target

23
Identify Target and Goal
  • Targets
    • What is to be attacked?
  • Goals
    • Compromise
    • Privacy-sensitive data
    • Defacement
    • Denial of service
    • Fraud

24
Information Gathering
  • Resources include
    • RIPE (Europe)
    • ARIN (US)
    • DNS
    • IRC (technical chat rooms)
    • Phone books
    • Public business records
    • Trash cans
    • Google (which you've seen)

25
Potential Routes
  • Social engineering
  • Open sources
    • Newsgroups and papers published
  • Use this to plan the penetration
    • Play the role
    • Create trust

26
Telecomms
  • War-dialing to identify modems
  • Voice mail

27
Mapping
  • Identify servers and subnets
  • Evaluate firewalls and routers
  • Each route in needs to be assessed
    • Firewalls
    • Protection
    • Access
    • Speed
    • Special circumstances

28
Capture Target
  • Develop detailed capture scenario
    • Take into account vulnerabilities and special
      circumstances
  • Implement
  • Usually, you will demonstrate the initial access
    point vulnerability, give the administrators time
    to fix it, and continue from the access point to
    the target.

29
What Allows This to Succeed?
  • Public data
  • Uneducated staff
  • Misconfigured servers
  • Misconfigured boundary protection
  • Lack of IDS
  • Patches not implemented

30
Countermeasures
  • Have your security reviewed
  • Educate users and staff
  • Implement authentication, access control, and
    audit
  • Use an IDS
  • Code reviews
  • Keep private data private