
Penetration Testing



  1. Penetration Testing
     University of Sunderland CSEM02
     Harry R Erwin, PhD

  2. Resources
     • Qinetiq Information Security Foundation Course (2002)
     • Tittel, Stewart, and Chapple, 2004, CISSP: Certified Information Systems Security Professional Study Guide, 2nd edition, Sybex
     • Whittaker and Thompson, 2004, How to Break Software Security, Pearson

  3. Definition
     • An activity used to test the strength and effectiveness of deployed security measures with an authorized attempted intrusion attack. Penetration testing should be performed only with the consent and knowledge of the management staff. (Tittel et al., 2004)

  4. General Comments
     • Usually done to give management a ‘warm and fuzzy’ feeling about the security of their system.
     • Expensive.
     • Does not substitute for good security testing or for good security design.
     • This discussion covers how it is done.

  5. General Approach
     • The members of the team first scope the penetration test. This includes:
       • Consultation with the customer about the specific type of testing to be performed:
         • On-site
         • Remote
         • Application
         • Telecommunications
         • Hybrid
       • Number of hosts to be tested
       • Timescale

  6. Penetration Testing Services
     • Begins with a tailored security health check (SHC), comprised of part or all of:
       • Network security health check
         • Onsite
         • Remote
       • Application security health check
       • Telecommunications security health check
     • Should be flexible and appropriate

  7. Network SHC
     • Location can be remote or onsite
     • Starts with public records
       • RIPE/DNS/Google (you’ve seen this demonstrated)
     • Network assessment
       • Architecture
       • Gateways (RIP/OSPF)
       • Firewalls (ACL/rules)
       • Protocols
       • IP range
       • Anomalies

  8. Network Testing
     • If onsite, you will need to conduct on-host audits
       • Windows
       • Unix
     • Infrastructure management should also be assessed
       • Remote/terminal/back-end management
     • Should include a comprehensive configuration review and recommendations

  9. Network Testing
     • Host assessment
       • Identify the live hosts.
       • Apply operating system fingerprinting to identify potential vulnerabilities.
       • Determine the trust relationships.
     • Service assessment
       • Services offered.
       • Anomalies and vulnerabilities.

  10. Network Testing
     • Vulnerability assessment
       • Automated tools?
       • Manual determination
     • Risk assessment of data flow

  11. Application Testing
     • What applications are running?
       • By server type
       • Stovepipe or specialized systems
     • Protocols
     • Session and authentication handling
     • Default scripts and generic vulnerabilities

  12. Authentication Analysis
     • Session handling
       • Session identifier: how predictable and identifiable is it, can it be brute forced, can it be replicated?
       • Session timeout
     • Comparison to best practices
       • Correctly implemented?
       • Predictable secret values?
       • Is brute force blocked?
       • Password complexity adequate?
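The predictability questions on slide 12 can be answered with a small measurement harness rather than by inspection alone. The Python below is an added example, not part of the lecture: it samples identifiers from a deliberately weak generator (a hypothetical zero-padded incrementing counter, standing in for the kind of predictable value the slide warns about) and from Python's `secrets` module, then reports per-character Shannon entropy and whether the sample advances by a constant step. All function names are this example's own.

```python
import math
import secrets
from collections import Counter


def shannon_entropy_bits(token: str) -> float:
    """Shannon entropy per character (bits) of one token.

    Low values mean the token is built from few distinct symbols,
    which is a first hint that the keyspace is much smaller than its length suggests.
    """
    counts = Counter(token)
    n = len(token)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def weak_session_id(counter: int) -> str:
    """Hypothetical weak generator: a 16-digit zero-padded counter (constructed for the example)."""
    return f"{counter:016d}"


def strong_session_id() -> str:
    """CSPRNG-backed identifier: 32 random bytes (256 bits) encoded URL-safe, 43 characters."""
    return secrets.token_urlsafe(32)


def looks_sequential(ids, radix: int = 10) -> bool:
    """True when every consecutive pair of IDs differs by the same small step
    once interpreted as integers. One observed value then predicts the rest."""
    if any(not ch.isalnum() for token in ids for ch in token):
        return False  # base64url '-' or '_' cannot be a plain counter
    try:
        values = [int(token, radix) for token in ids]
    except ValueError:
        return False
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1 and abs(diffs.pop()) <= 1000


def assess(ids) -> dict:
    """Summarise what a tester would record for a set of sampled session IDs."""
    mean_entropy = sum(shannon_entropy_bits(i) for i in ids) / len(ids)
    return {
        "samples": len(ids),
        "mean_entropy_bits_per_char": round(mean_entropy, 2),
        "sequential": looks_sequential(ids),
        "min_length": min(len(i) for i in ids),
    }


if __name__ == "__main__":
    weak = [weak_session_id(n) for n in range(1000, 1010)]
    strong = [strong_session_id() for _ in range(10)]
    print("weak  :", assess(weak))
    print("strong:", assess(strong))
```

A sequential result is the finding the slide asks about: the identifier can be replicated by guessing, so brute force is trivial regardless of length. The entropy figure only characterises the sample you collected; it cannot prove a generator is strong, but a low value against a long identifier is enough to report.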

  13. Transactional Security
     • Can transactions be identified in the data stream?
     • How much information can be derived from them?
     • What happens when:
       • Transactions are replicated
       • Transactions are injected
       • Transactions are deleted
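Slide 13's three questions (what happens when transactions are replicated, injected or deleted) map onto three checks a receiving end can perform: an integrity tag, a nonce/sequence check, and a gap check. The Python below is an added example, not part of the lecture, and assumes both ends share an HMAC key; the key, the `Verifier` class and the scenario are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secret for the example; a real deployment provisions this out of band.
KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so sender and receiver tag identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def sign_transaction(seq: int, payload: dict, key: bytes = KEY) -> dict:
    """Sender side: attach a sequence number, a random nonce and an HMAC-SHA256 tag."""
    body = {"seq": seq, "nonce": secrets.token_hex(8), "payload": payload}
    return {**body, "tag": _tag(key, body)}


class Verifier:
    """Receiver side. Verdicts:
    bad_tag  - injected or tampered transaction (tag does not verify)
    replay   - replicated transaction (nonce or sequence number already consumed)
    gap:N    - accepted, but N earlier transactions never arrived (deleted in transit)
    ok       - accepted in order
    """

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.expected_seq = 1
        self.seen_nonces = set()

    def check(self, tx: dict) -> str:
        body = {k: v for k, v in tx.items() if k != "tag"}
        expected = _tag(self.key, body).encode()
        presented = str(tx.get("tag", "")).encode()
        if not hmac.compare_digest(expected, presented):
            return "bad_tag"
        if body["nonce"] in self.seen_nonces or body["seq"] < self.expected_seq:
            return "replay"
        gap = body["seq"] - self.expected_seq
        self.seen_nonces.add(body["nonce"])
        self.expected_seq = body["seq"] + 1
        return "ok" if gap == 0 else f"gap:{gap}"


def run_scenario() -> list:
    """Replay, inject, then delete a transaction and collect the receiver's verdicts."""
    v = Verifier()
    t1, t2, t3, t4 = (sign_transaction(i, {"amount": 10 * i}) for i in (1, 2, 3, 4))
    results = [v.check(t1)]                 # genuine -> ok
    results.append(v.check(t1))             # replicated -> replay
    forged = dict(t2)
    forged["payload"] = {"amount": 9999}    # injected without the key -> bad_tag
    results.append(v.check(forged))
    results.append(v.check(t2))             # genuine -> ok
    results.append(v.check(t4))             # t3 deleted in transit -> gap:1
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The sequence check only notices a deletion once a later transaction arrives; a stream that is simply cut off after its last message looks the same as one that ended normally, so a real protocol adds a closing record or heartbeat. The tag also answers the slide's first two questions in part: an attacker can still see that transactions exist and read their payloads unless the stream is encrypted as well.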

  14. Source Code Review
     • Logical analysis
       • Control flow
       • Functionality
     • Information leakage
       • Error messages
     • Input validation
       • Bad input
       • Bypass
       • Drilling through
     • Expensive in time and money. Pay me now, or pay me later. It costs more later.

  15. Telecomms Testing
     • War-dialing and modem detection
     • Identified modems need to be inventoried
     • PABX audit looks for:
       • Toll fraud
       • Call redirection
       • Remote reconfiguration
       • Trunk line configuration

  16. Penetration Test Process
     • Scope/preparation
     • Briefing
     • Physical test
     • Knowledge transfer and education
     • Diagnosis
     • Debriefing
     • Report

  17. Scope/Preparation
     • Scope and scale the test
     • Establish deadlines and schedules
     • Sign contract
     • Conduct test planning
       • Risk and perceived threat
       • Technology
     • Identify and deploy necessary skills

  18. Initial Briefing
     • Meet technical staff
     • Collect contact information
     • Describe the test
     • Identify areas of concern
     • Maintain contact
     • Track major user issues
     • Be open

  19. Physical Test
     • Evaluate the network
       • IP range
       • Subnets
     • Automated tests (nessus/nmap)
     • Hands-on tests
       • Prior experience of testers
       • Trust analysis
       • Exploits

  20. Debriefing
     • Evaluate automated results
     • Assess anomalies
     • Ensure full scope of testing has been completed
     • Make sure the nature of any successful penetration is clear to the customer
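Slides 19 and 20 have the team run automated tools such as nmap and then evaluate the results and assess anomalies. The Python below is an added example, not from the lecture: it reads a constructed sample in nmap's XML output format, builds a host/port inventory of the live hosts, and compares it with a hypothetical baseline of the services the customer agreed should be exposed, so that unexpected services, missing services and hosts nobody declared are listed for the debriefing.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML output layout (not real scan data).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
  </host>
</nmaprun>"""

# Hypothetical baseline agreed with the customer during scoping:
# which (protocol, port) pairs each in-scope host is supposed to expose.
BASELINE = {
    "10.0.0.5": {("tcp", 22), ("tcp", 443)},
    "10.0.0.7": {("tcp", 80)},
}


def parse_nmap(xml_text: str) -> dict:
    """Return {ip: set of (protocol, port) that are open} for every host that is up."""
    root = ET.fromstring(xml_text)  # scanner output we produced ourselves, so stdlib XML is fine
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        inventory[addr.get("addr")] = open_ports
    return inventory


def find_anomalies(inventory: dict, baseline: dict) -> dict:
    """Compare the scan with the baseline.

    unexpected    - open ports the baseline does not list (candidate misconfigurations)
    missing       - baseline services not found open (scope gap, outage or filtering)
    unknown_hosts - live hosts that are not in the baseline at all
    """
    report = {"unexpected": {}, "missing": {}, "unknown_hosts": []}
    for ip, ports in sorted(inventory.items()):
        if ip not in baseline:
            report["unknown_hosts"].append(ip)
            continue
        extra = ports - baseline[ip]
        absent = baseline[ip] - ports
        if extra:
            report["unexpected"][ip] = sorted(extra)
        if absent:
            report["missing"][ip] = sorted(absent)
    return report


if __name__ == "__main__":
    inv = parse_nmap(SAMPLE_NMAP_XML)
    for ip, ports in sorted(inv.items()):
        print(ip, sorted(ports))
    print(find_anomalies(inv, BASELINE))
```

Each entry in the report is a question for the debriefing rather than a conclusion: an unexpected open port is checked by hand before it is called a finding, a missing service may mean the scan was filtered rather than that the service is down, and an undeclared live host is the "ensure full scope has been completed" check from slide 20 in practice.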

  21. Closure
     • Make sure all experts/managers are involved.
     • Discuss all results.
     • Identify who receives reports.
     • Provide contact details.
     • Prepare report: when due, what it contains, and follow-up.

  22. Conducting the Test
     • Identify target and goal
     • Gather information
     • Identify potential routes into network
     • Test potential routes
     • Capture target

  23. Identify Target and Goal
     • Targets
       • What is to be attacked?
     • Goals
       • Compromise
       • Privacy-sensitive data
       • Defacement
       • Denial of service
       • Fraud

  24. Information Gathering
     • Resources include:
       • RIPE (Europe)
       • ARIN (US)
       • DNS
       • IRC (technical chat rooms)
       • Phone books
       • Public business records
       • Trash cans
       • Google (which you’ve seen)

  25. Potential Routes
     • Social engineering
     • Open sources
       • Newsgroups and papers published
     • Use this to plan the penetration
       • Play the role
       • Create trust

  26. Telecomms
     • War-dialing to identify modems
     • Voice mail

  27. Mapping
     • Identify servers and subnets
     • Evaluate firewalls and routers
     • Each route in needs to be assessed
       • Firewalls
         • Protection
         • Access
         • Speed
       • Special circumstances

  28. Capture Target
     • Develop detailed capture scenario
     • Take into account vulnerabilities and special circumstances
     • Implement
     Usually, you will demonstrate the initial access point vulnerability, give the administrators time to fix it, and then continue from the access point to the target.

  29. What Allows This to Succeed?
     • Public data
     • Uneducated staff
     • Misconfigured servers
     • Misconfigured boundary protection
     • Lack of IDS
     • Patches not implemented

  30. Countermeasures
     • Have your security reviewed
     • Educate users and staff
     • Implement authentication, access control, and audit
     • Use an IDS
     • Code reviews
     • Keep private data private
