Kluge Burch Zimmerling GRC Advisors
Commodity Services Specification
Penetration Testing & Application Security Assessment
January 2015
Content
1. Introduction
2. Assessment Workflow
3. Generic Penetration Testing work program
4. Penetration Testing work program for specific host types
5. Penetration Testing work program for network subnets
6. Application Security Assessment
7. Example Report
Introduction
This document outlines the work program defining the Penetration Testing and Application Security Assessment Commodities available at www.dimentis.com.
Method of Testing: All assessments are performed remotely over the internet.
Reporting Format: The report will be issued in a standardized format as outlined in the appendix.
Assessor and Standards: Both services are offered by the Partner Companies indicated on our website. The assessments are performed by experienced testers and are made in accordance with common standards such as OWASP, NIST and BSI.
Workflow
1. You select and order at the KBZ website.
2. The order is forwarded to the Assessor.
3. The Assessor confirms your order.
4. The Assessor provides you with a secure means of communication for the next steps.
5. Your identity and your ownership of the subject of evaluation are confirmed.
6. You communicate the IP addresses of the systems to be tested.
7. The Assessor agrees the details of the testing with you, such as the time of execution.
8. The Assessor performs the tests.
9. The Assessor provides the report via the secure means of communication.

Timeline
Order: instantly
Confirmation: 1 day
Define Subject of Evaluation: 1 day
Execution: 3 days
Reporting: 2 days
NB. “day” means working day, Mo-Fr
Penetration Testing – Generic Assessment Program
Phase 1: Information Gathering (I) (according to NIST, BSI)
  Objective: Research information about the target system.
  Method: search engines, forums, tools such as dig and nslookup.
Phase 2: Information Gathering (II)
  Objective: Scan the target systems and their ports to detect the services they offer.
  Method: Nmap, hping, other port scanners.
Phase 3: Fingerprinting
  Method: vulnerability scanning software such as Qualys, OpenVAS, Nessus, Nmap.
Phase 4: Vulnerability Research
  Objective: Research system vulnerabilities based on the information gathered.
  Method: vulnerability scanning software, CVE database, VulnDB, Exploit DB.
Phase 5: Verification and Exploiting
  Objective: Verification and exploitation of the vulnerabilities found.
  Method: Individually, depending on the system and the vulnerabilities found.

This Generic Assessment Program describes the basic steps of a penetration test irrespective of the host type. It assumes an approach without authentication credentials and involves manual testing and verification of the vulnerabilities found. The host-specific tests and the Application Security Assessment use this program as their starting point.
Tests for Specific Host Types
Host Type: Testing Steps

(host type not stated): Manual verification. Testing of logon mechanisms and forms for SQL injection and XSS. Additional tests based on the OWASP Top 10.

Mail Server: Generic Work Program. SMTP tests, e.g. relaying. Mail and malware tests (authentication credentials required): sending samples with different file extensions and test malware to test the filtering. Testing active protocols, e.g. POP3 and IMAP, for vulnerabilities.

DNS Server: Generic Work Program. DNS cache poisoning. DNS spoofing. DNS amplification attack. Recursive queries. DNS protocol attacks and man-in-the-middle attacks. Testing for data leakage via the DNS server.

Remote Access Server, e.g. RAS, VPN, OWA (without authentication credentials): Generic Work Program. Testing the authentication platform or mechanism. Transport encryption. Testing for vulnerabilities against man-in-the-middle attack scenarios. Testing for data leakage.

Transfer Server (FTP, SFTP) (with authentication credentials): Generic Work Program. Testing the authentication platform or mechanism. Reviewing access rights. Testing for vulnerabilities against man-in-the-middle attack scenarios. Testing for data leakage.

Others: Generic Work Program. Determined on a case-by-case basis depending on the subject of evaluation.
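The mail-server row lists "SMTP tests, e.g. relaying" without saying what the probe looks like. The following is an added example (not the assessor's tooling and not part of this document) of an unauthenticated open-relay check: it drives the SMTP dialogue itself so both sides of the exchange are visible, and stops before DATA so no message is ever injected. The host names and addresses are placeholders, and ScriptedServer is a constructed stand-in for the target so the dialogue can be replayed offline.

```python
import socket

# Placeholder identities for the probe (assumptions, not values from the document).
HELO_NAME = "probe.example.invalid"
MAIL_FROM = "relaytest@attacker.example"   # sender foreign to the target's domain
RCPT_TO = "victim@external.example"        # recipient foreign to the target's domain


def read_reply(conn):
    """Read one complete SMTP reply and return (code, raw_text).

    Multi-line replies use '250-...' continuation lines; the reply is complete
    at the first line whose three-digit code is followed by a space.
    """
    data = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed by server")
        data += chunk
        if not data.endswith(b"\r\n"):
            continue
        last = data[:-2].rsplit(b"\r\n", 1)[-1]
        if len(last) >= 4 and last[:3].isdigit() and last[3:4] == b" ":
            return int(last[:3]), data.decode("ascii", "replace")


def send(conn, transcript, command):
    conn.sendall(command.encode("ascii") + b"\r\n")
    transcript.append((">>", command))


def relay_check(conn):
    """EHLO, MAIL FROM and RCPT TO with a sender and recipient that are both
    foreign to the target. A 250 reply to RCPT TO means the server agreed to
    relay; any other code counts as denied. QUIT is sent instead of DATA.
    Returns (open_relay, transcript)."""
    transcript = []
    code, text = read_reply(conn)                  # 220 banner
    transcript.append(("<<", text.strip()))
    if code != 220:
        return False, transcript
    for command in (f"EHLO {HELO_NAME}", f"MAIL FROM:<{MAIL_FROM}>"):
        send(conn, transcript, command)
        code, text = read_reply(conn)
        transcript.append(("<<", text.strip()))
        if code != 250:
            send(conn, transcript, "QUIT")
            return False, transcript
    send(conn, transcript, f"RCPT TO:<{RCPT_TO}>")
    code, text = read_reply(conn)
    transcript.append(("<<", text.strip()))
    send(conn, transcript, "QUIT")
    return code == 250, transcript


def probe_host(host, port=25, timeout=10):
    """Live variant: run relay_check against a real server (only with authorisation)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return relay_check(sock)


class ScriptedServer:
    """Constructed stand-in for a mail server so the dialogue can be replayed
    offline; it answers each command verb with a canned reply."""

    def __init__(self, rcpt_reply):
        self._replies = {
            b"EHLO": b"250-mail.example.test\r\n250 SIZE 10240000\r\n",
            b"MAIL": b"250 2.1.0 Ok\r\n",
            b"RCPT": rcpt_reply,
            b"QUIT": b"221 2.0.0 Bye\r\n",
        }
        self._pending = b"220 mail.example.test ESMTP\r\n"   # banner sent on connect

    def sendall(self, data):
        verb = data.split(b" ", 1)[0].split(b":", 1)[0].strip()
        self._pending += self._replies[verb]

    def recv(self, size):
        out, self._pending = self._pending[:size], self._pending[size:]
        return out


if __name__ == "__main__":
    for reply in (b"250 2.1.5 Ok\r\n", b"554 5.7.1 Relay access denied\r\n"):
        open_relay, transcript = relay_check(ScriptedServer(reply))
        for direction, line in transcript:
            print(direction, line)
        print("open relay:", open_relay)
```

A 250 to RCPT TO is the indicator, not the proof: some servers accept the recipient and reject or silently drop at DATA, so a confirmed finding needs a harmless test message delivered to a mailbox you control, never to a third party. Authenticated relaying is expected behaviour and is not what this probe tests.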
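The DNS-server row names "recursive queries" and "DNS amplification attack" as tests; open recursion is the precondition for the latter. As an added example (not the assessor's tooling and not part of this document), the following builds a wire-format query for a name the target is not authoritative for, parses the reply header and classifies the server from the RA bit, RCODE and answer count. The name example.com, the documentation address 203.0.113.10 and constructed_reply are assumptions: the replies it checks offline are constructed, not captured.

```python
import os
import socket
import struct

RD = 0x0100                          # recursion desired (set in the query)
QR, AA, RA = 0x8000, 0x0400, 0x0080  # response, authoritative answer, recursion available


def build_query(name, qtype=1):
    """Wire-format DNS query (RFC 1035) for `name` with RD set; returns (txid, packet)."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)   # class IN


def parse_header(txid, packet):
    """Decode the 12-byte reply header; rejects stray or spoofed replies by txid."""
    if len(packet) < 12:
        raise ValueError("truncated DNS packet")
    rid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & QR:
        raise ValueError("not a response")
    return {"aa": bool(flags & AA), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "ancount": ancount}


def classify(hdr):
    """Interpret the reply to a recursive query for a foreign name."""
    if hdr["rcode"] == 5:
        return "recursion refused"
    if hdr["ra"] and hdr["rcode"] == 0 and hdr["ancount"] > 0 and not hdr["aa"]:
        return "open recursive resolver"
    if hdr["aa"]:
        return "authoritative answer (choose a name the server is not authoritative for)"
    if not hdr["ra"]:
        return "recursion not available"
    return "recursion available but lookup failed (rcode %d)" % hdr["rcode"]


def probe_resolver(server, name="example.com", timeout=3.0):
    """Live variant: send the query over UDP/53 (only with authorisation)."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify(parse_header(txid, data))


def constructed_reply(query, flags, answer_ip=None):
    """Constructed reply (not a capture) for offline testing: echoes the question
    and optionally appends one A record via a compression pointer to the qname."""
    ancount = 1 if answer_ip else 0
    packet = query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + query[12:]
    if answer_ip:
        packet += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return packet


if __name__ == "__main__":
    txid, query = build_query("example.com")
    print(classify(parse_header(txid, constructed_reply(query, QR | RD | RA, "203.0.113.10"))))
    print(classify(parse_header(txid, constructed_reply(query, QR | RD | 5))))
```

RA alone is not a finding, because some servers advertise it and still refuse; the combination of RA, RCODE 0 and a non-authoritative answer is what shows the server resolved a foreign name on the tester's behalf. That is the behaviour an amplification attacker needs, since a small query then yields a reply the server fetches and pads for them.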
Subnet Testing
Maximum number of hosts: 50
Testing approach: Generic Work Program, steps 1-4, on all hosts; selection of a sample of hosts for more detailed analysis, step 5.
Description: Instead of choosing particular hosts, subnet testing refers to all hosts within the specified subnet. For practicability reasons subnets may not include more than 50 hosts.
As it is unfeasible to test all hosts within the subnet with the same level of detail, this type of testing leaves it to the assessor to choose a sample of hosts that are considered the most vulnerable.
Depending on the type of host and the outcome of the first four steps of the Generic Work Program, the assessor will perform the set of targeted tests which in their professional judgement is the most suitable.
Application Security Assessment
Description & Scope: Manual test and verification of an application using valid authentication credentials.
Comprises: Generic penetration test of the host system (see previous pages); assessment of the application against the OWASP Top 10; further assessment depending on the effort spent in the individual case.

Black Box Testing (Web, Mobile): Application only, one operating system. Host testing if necessary. Testing of the application according to the OWASP Top 10 or the OWASP Mobile Top 10 respectively. Supplementary tests according to the OWASP Testing Guide. Exploiting as reasonable in the particular case and subject to the effort spent.
Code Review: Review of the relevant parts of the application source code, such as session management and encoding. Review according to the OWASP Code Review Guide project.
Full Review: Black Box Testing and Code Review combined.
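The first host-type row asks for logon forms to be tested for SQL injection, and the black-box assessment above repeats that under the OWASP Top 10. As an added example that is not part of this document, here is the defect that verification step looks for beside its fix: a login handler written both ways against an in-memory SQLite table of constructed sample users, plus a small probe set of the kind a tester sends in the username field. The function names, probes and user data are assumptions.

```python
import hashlib
import sqlite3

# Constructed sample users. SHA-256 keeps the demo free of plaintext passwords;
# a production system would use a salted, slow KDF (bcrypt, scrypt or Argon2).
SAMPLE_USERS = [("admin", "S3cret!"), ("alice", "hunter2")]

# Classic logon probes sent in the username field during manual verification.
PROBES = ["admin'--", "admin' OR '1'='1", "' OR '1'='1'--"]


def pw_hash(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(u, pw_hash(p)) for u, p in SAMPLE_USERS])
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """String-built query: the username is spliced into the SQL text, so a quote
    in it closes the literal and the rest of the input becomes SQL. A trailing
    '--' then comments out the password check. Returns the user name or None."""
    sql = ("SELECT username FROM users "
           f"WHERE username = '{username}' AND pw_hash = '{pw_hash(password)}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Parameterised query: the driver passes both values out of band, so a
    quote in the username is plain data and cannot change the statement."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND pw_hash = ?",
                     (username, pw_hash(password))).fetchone()
    return row[0] if row else None


def bypassing_probes(login):
    """Run every probe with a wrong password and report which ones still log in."""
    db = make_db()
    return [p for p in PROBES if login(db, p, "not-the-password") is not None]


if __name__ == "__main__":
    print("vulnerable handler bypassed by:", bypassing_probes(login_vulnerable))
    print("fixed handler bypassed by:", bypassing_probes(login_fixed))
```

The probe set is the point: a handler that lets any of them in with a wrong password fails the test, and the same probes against the parameterised handler show the fix holds without changing the application's behaviour for legitimate logins.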
Kluge Burch Zimmerling Ltd, GRC Advisors
Unit 4111, PO Box 6945, London W1A 6US
+44 (0) 87 097 41 [email protected] www.kluge-partner.com
Registered in England and Wales.
Company No. 9044082
ICO Security No. CSN5134480
VAT No. GB 188 5540 67
Registered Office: 22 Village Square, Stockport SK7 1AW, United Kingdom