Penetration Testing in Romania

Date post: 08-Nov-2014
Upload: adrianfurtuna
General presentation about the penetration testing service in Romania, including some interesting examples.
Page 1: Penetration Testing in Romania

Penetration Testing in Romania

Adrian Furtunǎ, Ph.D.

2 November 2011

CYBERTHREATS 2011
INFORMATION SECURITY BETWEEN EXTREMES. THE ROLE OF SERVICES AND OF PREVENTION

Page 2: Penetration Testing in Romania

©2011 KPMG Romania SRL, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. PDC no.8229.

Agenda

About penetration testing

Examples

Q & A

Page 3: Penetration Testing in Romania


What is penetration testing?

Method for evaluating the security of an information system or network by simulating attacks from malicious outsiders or insiders.

Related terms:
- Penetration testing / Pentesting (RO: teste de penetrare, teste de intruziune)
- Ethical hacking
- Tiger Teaming
- Red Teaming

Penetration testing is not vulnerability assessment. Penetration testing is:
- authorized
- adversary-based
- ethical (for defensive purposes)

Page 4: Penetration Testing in Romania


Motivation. Why? When?

Why:
- Verify the effectiveness of the protection mechanisms implemented:
  - application security mechanisms
  - server configurations
  - network configurations
  - employee security awareness
  - physical security
- Test the ability of system defenders to detect and respond to attacks
- Obtain a reliable basis for investments in security personnel and technology
- Required by ISO 27001, PCI DSS, etc.

When:
- As part of a risk assessment, for risk identification and quantification
- As part of ongoing/periodic security assessment
- Before a new system is put in production
- During the development phase of a new system

Page 5: Penetration Testing in Romania


Penetration testing objectives and targets (examples)

External penetration test:
- Test the security of internet banking / mobile banking apps
- Evaluate the security of internet-facing applications
- Perform fraudulent transactions in online shops
- Access personal data in online medical applications
- Gain physical access to the company building and install a rogue access point

Internal penetration test:
- Obtain access to the database server containing customer information
- Gain control of Active Directory
- Obtain administrative access to the ERP application
- Gain access to company assets (sensitive files, project plans, intellectual property)

Page 6: Penetration Testing in Romania


Penetration testing by example

Threats -> Vulnerabilities -> Risks -> Assets

Threats:
- External attacker: hacker, industrial espionage, organized crime
- Internal attacker: malicious employee, collaborator, consultant, visitor

Vulnerability classes: insufficient input validation, insecure session configuration, application logic flaws, insecure server configuration

Asset: Internet Banking application

For each finding: Vulnerable? Exploitable? Risk rating (H = high, M = medium, L = low):

Finding                  Risk
SQL injection            H
OS command execution     H
Authentication bypass    H
Cross Site Scripting     M
Password autocomplete    M
Directory browsing       L

Page 7: Penetration Testing in Romania


Penetration testing types

Test type                                       Simulated threats

According to attacker's location:
  External pentest                              Hackers, corporate espionage, terrorists, organized crime
  Internal pentest                              Malicious employee, collaborator, consultant, visitor

According to attacker's initial information:
  Black box test                                Hackers, organized crime, terrorists, visitors
  Gray box test                                 Consultants, corporate espionage, business partner, regular employees
  White box test                                Malicious system administrators, developers, consultants

According to the attacks performed:
- pure technical
- social engineering
- denial of service

Page 8: Penetration Testing in Romania


How?

Information gathering

Create attack trees

Prepare tools

Perform collaborative attacks

Identify vulnerabilities

Exploit vulnerabilities

Extract sensitive data

Gain system access

Escalate privileges

Pivot to other systems

Write the report

Page 9: Penetration Testing in Romania


Automated vs. Manual

Automated testing:

Configure scanner

Run scanner & wait for results

(Validate findings where possible)

Deliver report to client

Manual testing:

Use tools as helpers only

Validate findings by exploitation (no false positives)

Dig for sensitive data, escalate privileges, gain access to other systems

Model and simulate real threats: simulate attacker’s way of thinking, consider attacker’s resources, knowledge, culture, motivation

Several manual tests for exploitation of specific vulnerabilities

Strict control, logging, quick feedback

Interpret the findings according to business impact

Page 10: Penetration Testing in Romania


Resources

Dedicated machines

Dedicated network

Software tools:

In-house developed

Open source

Commercial

Dedicated workspace (IT Security Laboratory)

Protect client data

Logging facility

Page 11: Penetration Testing in Romania


Limitations

- Timeframe
- Budget
- Resources
- Personnel awareness
- Things change

Does not discover all vulnerabilities, but reduces the number of vulnerabilities that could be found by highly skilled attackers having similar resources and knowledge.

[Diagram: known vulnerabilities shown as a subset of all software vulnerabilities]

Page 12: Penetration Testing in Romania


Reporting

Executive summary

Overview

Key findings

High-level observations

Risk matrix

Technical report

Findings

Risks

Recommendations

Present report to client

Page 13: Penetration Testing in Romania


Best Practice, Standards, Certifications and Knowledge

Security testing standards:

OSSTMM - Open Source Security Testing Methodology Manual

NIST 800-42 - The National Institute of Standards and Technology Special Publication

OWASP - The Open Web Application Security Project

Certifications:

Offensive Security OSCE, OSCP, OSWP

ISECOM OPST

SANS GPEN, GWAPT

EC-Council LPT, CEH

CHECK Team Leader, Team Member

CREST Registered Tester, Certified Tester

Knowledge:

System administration

Network administration

Software development

Quality assurance / software testing

Page 14: Penetration Testing in Romania


Examples (1): Outdated CMS allows unauthorized file upload

Page 15: Penetration Testing in Romania


Examples (2): Arbitrary file download

Page 16: Penetration Testing in Romania


Example (3): Gaining access to development servers

Page 17: Penetration Testing in Romania


Example (4): Application logic flaw

Page 18: Penetration Testing in Romania


Example (5): Social engineering

Page 19: Penetration Testing in Romania


Example (6): Gaining root access

Page 20: Penetration Testing in Romania

Thank you!

Questions?

Adrian Furtunǎ, Ph.D.

[email protected]

© 2011 KPMG Romania, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
