Network Penetration Testing


Presentation Transcript


  1. Network Penetration Testing
     Jack Jones, CISSP, CISA
     Director of Information Security, Nationwide

  2. Purpose
     • The Network Penetration Test
       • What it is...
       • What it isn’t…
       • What it should be...
       • How to get the most from it...

  3. Agenda
     • Defining the Penetration Test
     • Attack Profiles
     • Engagement Approach
     • Vendor Selection
     • Rules of Engagement
     • Reporting
     • Making Use of the Results

  4. Defining the Test
     • Three Primary Purposes...
       • “Punching a Ticket”
       • Proving a Point
       • Testing

  5. Defining the Test
     • Understand the Limitations
       • Point-in-time snapshot
       • Can NEVER be considered 100% comprehensive
       • Constrained by time and resources

  6. Defining the Test
     • Setting Test Goals
       • Audit versus validation
       • What constitutes success/failure?
         • Breach the perimeter?
         • Gain control?
         • Access critical or sensitive data?
         • All of the above (a.k.a. unrestricted)?
       • Technical versus operational emphasis

  7. Attack Profiles
     • External Testing
       • Internet
       • Dial-up
       • Other (e.g., via trusted networks...)
     • Internal Testing
     • Social Engineering
     • Denial of Service (DoS)
     • Applications?

  8. Approach
     Overt versus Covert?
     Informed versus Blind?
     Pre-assessment versus Post-assessment?

  9. Approach
     • Overt Advantage
       • Better coordination = less risk
     • Covert Advantages
       • More accurate results
       • Better test of personnel and procedure

  10. Approach
     • Informed Advantages
       • Better use of engagement time/resources
       • More thorough results
       • Less risk
       • Levels the playing field...
     • Blind Advantages…

  11. Approach
     • Pre-assessment Advantages
       • More realistic results
       • More effective for proving a point
     • Post-assessment Advantage
       • Better as a test/audit
       • More thorough

  12. Vendor Selection
     Everybody seems to offer it. How to choose?

  13. Vendor Selection
     • Keys to finding the right vendor…
       • Experience (who)
       • Methodology (how)
       • Rationale (why)
       • How much ($$$)

  14. Vendor Selection
     • Experience
       • No ex-hackers…please
       • Professional organizations
       • Strong technical backgrounds
       • Certifications are a plus

  15. Vendor Selection
     • Methodology
       • Engagement Approach
       • Attack Profiles
       • Tools (commercial versus proprietary)
       • Communication
       • Reporting

  16. Vendor Selection
     • Rationale
       • Not all penetration tests are created equal...
       • Why THEIR methodology
       • Make them explain it to you

  17. Rules of Engagement
     The First Rule of Medicine: “Do No Harm”

  18. Rules of Engagement
     • Lessen Risk of...
       • Accidental Denial of Service
       • Destruction of Data
     • Better results
     • Clearer Communications & Expectations
     • Greater Flexibility
     • Due Diligence!

  19. Rules of Engagement
     • Critical Rules
       • Clearly defined goals
       • Scope
       • What is off-limits (systems, networks, data, activities)
       • Timing
       • Lines of communication
       • Issue resolution

  20. Reporting
     What’s That Again?

  21. Reporting
     • Reporting is key to realizing value
     • Reports Should NOT be...
       • Computer-generated boiler-plate

  22. Reporting
     • Reports Should Have...
       • No false positives
       • Prioritized results
       • Separate executive and technical sections
       • Exposures described in terms of business risk!
       • Resolution resource requirements
       • Real-world recommendations

  23. Using the Results
     Why Were We Doing This in the First Place?

  24. Using the Results
     • Identify and Understand…
       • Were the goals met?
       • Is further assessment required?
       • What are the most severe exposures?
     • Resolution Efforts…
       • Prioritized from a cost/risk perspective
       • Sponsored by management
       • Implemented!

  25. Questions?
