Penetration Testing in Romania
Adrian Furtunǎ, Ph.D.
2 November 2011
CYBERTHREATS 2011: Information security between extremes. The role of services and of prevention
©2011 KPMG Romania SRL, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. PDC no.8229.
Agenda
About penetration testing
Examples
Q & A
What is penetration testing?
Method for evaluating the security of an information system or
network by simulating attacks from malicious outsiders or
insiders.
Related terms:
Penetration testing / pentesting (RO: teste de penetrare, teste de intruziune)
Ethical hacking
Tiger teaming
Red teaming
Penetration testing is not vulnerability assessment: a vulnerability assessment enumerates and rates weaknesses, a penetration test exploits them to demonstrate what an attacker can actually achieve.
Penetration testing is:
authorized
adversary-based
ethical (for defensive purposes)
Motivation. Why? When?
Why:
Verify the effectiveness of the protection mechanisms implemented:
Application security mechanisms
Server configurations
Network configurations
Employee security awareness
Physical security
Test the ability of system defenders to detect and respond to attacks
Obtain a reliable basis for investments in security personnel and technology
Required or expected by standards and regulations (PCI DSS Requirement 11.3 mandates periodic penetration testing; ISO 27001 expects technical vulnerability management and technical compliance checking), etc.
When:
As part of risk assessment, for risk identification and quantification
As part of ongoing/periodic security assessment
Before a new system is put into production
During the development phase of a new system
Penetration testing objectives and targets (examples)
External penetration test:
Test the security of internet banking / mobile banking apps
Evaluate the security of internet facing applications
Perform fraudulent transactions in online shops
Access personal data in online medical applications
Gain physical access to company building and install rogue access point
Internal penetration test:
Obtain access to database server containing customer information
Gain control of Active Directory
Obtain administrative access to ERP application
Gain access to company assets (sensitive files, project plans, intellectual property)
Penetration testing by example
Asset: Internet Banking application

Threats:
External attacker: hacker, industrial espionage, organized crime
Internal attacker: malicious employee, collaborator, consultant, visitor

Vulnerability classes (for each: Vulnerable? Exploitable?):
Insufficient input validation
Insecure session configuration
Application logic flaws
Insecure server configuration

Risks (findings with their rating, H = high, M = medium, L = low, in the order shown on the slide):
SQL injection - H
OS command execution - H
Authentication bypass - H
Cross Site Scripting - M
Password autocomplete - M
Directory browsing - L
Penetration testing types

According to the attacker's location:
External pentest - simulated threats: hackers, corporate espionage, terrorists, organized crime
Internal pentest - simulated threats: malicious employee, collaborator, consultant, visitor

According to the attacker's initial information:
Black box test - simulated threats: hackers, organized crime, terrorists, visitors
Gray box test - simulated threats: consultants, corporate espionage, business partner, regular employees
White box test - simulated threats: malicious system administrators, developers, consultants

According to the attacks performed:
Pure technical
Social engineering
Denial of service
How?
Information gathering
Create attack trees
Prepare tools
Perform collaborative attacks
Identify vulnerabilities
Exploit vulnerabilities
Extract sensitive data
Gain system access
Escalate privileges
Pivot to other systems
Write the report
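The "Create attack trees" step above, as an added worked example in Python (illustrative code written for this page, not the presenter's or KPMG's material): an AND/OR attack tree built around the slide's internal-test goal "gain control of Active Directory". The tree, the step names and the effort figures are constructed assumptions; the evaluator computes the cheapest path, enumerates all paths, and re-prices one leaf to show how a countermeasure moves the cheapest path, which is the kind of comparison behind the "reliable basis for investments" motivation.

```python
"""Added example for the 'Create attack trees' step: a small AND/OR attack tree
evaluator. The tree, the node names and the effort figures are constructed
for illustration around the slide's internal-test goal 'gain control of Active
Directory'; none of it is the presenter's or KPMG's material."""
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: int = 0               # leaf effort in assumed relative units; ignored for OR/AND
    children: list[Node] = field(default_factory=list)


def build_tree() -> Node:
    """Constructed tree: goal at the root, attacker steps at the leaves."""
    creds = Node("Obtain domain-admin credentials", "OR", children=[
        Node("Crack a captured hash", "AND", children=[
            Node("Capture NTLM hash on the LAN", cost=3),
            Node("Crack hash offline", cost=2),
        ]),
        Node("Phish a domain admin", cost=4),
    ])
    dc = Node("Exploit an unpatched domain controller", "AND", children=[
        Node("Find unpatched service on DC", cost=2),
        Node("Exploit the service", cost=6),
    ])
    return Node("Gain control of Active Directory", "OR", children=[creds, dc])


def cheapest(node: Node) -> tuple[int, list[str]]:
    """Cheapest way to achieve `node`: LEAF is its own cost, OR takes the
    minimum child, AND must pay for every child."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    sub = [cheapest(c) for c in node.children]
    if node.kind == "OR":
        return min(sub, key=lambda s: s[0])
    if node.kind == "AND":
        return sum(s[0] for s in sub), [n for s in sub for n in s[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def all_paths(node: Node) -> list[list[str]]:
    """Every distinct set of leaf actions that achieves `node` (OR = union of
    the children's paths, AND = cartesian product of them)."""
    if node.kind == "LEAF":
        return [[node.name]]
    if node.kind == "OR":
        return [p for c in node.children for p in all_paths(c)]
    return [[step for part in combo for step in part]
            for combo in product(*(all_paths(c) for c in node.children))]


def with_cost(tree: Node, leaf_name: str, new_cost: int) -> Node:
    """Copy of the tree with one leaf re-priced, to model a countermeasure
    (e.g. MFA plus awareness training raising the cost of phishing)."""
    tree = copy.deepcopy(tree)

    def walk(n: Node) -> None:
        if n.kind == "LEAF" and n.name == leaf_name:
            n.cost = new_cost
        for c in n.children:
            walk(c)

    walk(tree)
    return tree


if __name__ == "__main__":
    t = build_tree()
    print("attack paths:", all_paths(t))
    print("cheapest now:", cheapest(t))                                        # (4, ['Phish a domain admin'])
    print("after MFA   :", cheapest(with_cost(t, "Phish a domain admin", 10)))  # (5, [capture hash, crack hash])
```

In a real engagement the leaf costs come from the tester's estimate of time, tooling and access needed, and the OR/AND structure is what makes "which control buys the most" a computable question rather than an opinion.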
Automated vs. Manual
Automated testing:
Configure scanner
Run scanner and wait for results
(Validate findings where possible)
Deliver report to client
Manual testing:
Use tools as helpers only
Validate findings by exploitation (no false positives)
Dig for sensitive data, escalate privileges, gain access to other systems
Model and simulate real threats: simulate the attacker's way of thinking; consider the attacker's resources, knowledge, culture and motivation
Multiple manual test cases per vulnerability class, adapted to the specific instance found
Strict control, logging and quick feedback to the client
Interpret the findings according to business impact
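The finding classes on the "Penetration testing by example" slide (SQL injection, authentication bypass, OS command execution) and the manual-testing rule above (validate findings by exploitation, no false positives), as one added worked example in Python. This is illustrative code written for this page, not the presenter's or KPMG's; the user table, the login and host-resolution handlers, the credentials and the payloads are all constructed, and `echo` stands in for the network command (`host`, `ping`) a real handler would run so that it executes offline. Each vulnerable handler is shown next to its hardened form, and `confirm_sqli` is the boolean-based check a tester runs to prove a scanner's "possible injection" is real.

```python
"""Added example: vulnerable vs. hardened handlers for two finding classes on
the slide (SQL injection giving authentication bypass, OS command execution),
plus a boolean-based check that confirms the injection by exploitation instead
of trusting a scanner's pattern match. Everything here is constructed for
illustration; it is not the presenter's or KPMG's code."""
from __future__ import annotations

import hmac
import re
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table (one account, plaintext password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'correct horse')")
    conn.commit()
    return conn


# --- SQL injection -> authentication bypass ---------------------------------
def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Both inputs are spliced into the statement: "admin' --" comments out the
    # password check, so any password logs in as admin.
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the driver sends the username as data, never as SQL.
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    # Constant-time comparison; storing salted hashes instead of plaintext is a
    # separate finding and is left out to keep the injection point visible.
    return row is not None and hmac.compare_digest(row[0].encode(), password.encode())


def confirm_sqli(login, conn: sqlite3.Connection, username: str = "admin") -> bool:
    """Manual validation step: inject a TRUE and a FALSE condition behind a real
    username. If the application answers differently, the input reaches the SQL
    engine; if both answers match, the scanner's 'possible injection' is a
    false positive (or at least not exploitable this way)."""
    true_case = login(conn, f"{username}' AND '1'='1' --", "wrong")
    false_case = login(conn, f"{username}' AND '1'='2' --", "wrong")
    return true_case != false_case


# --- OS command execution ----------------------------------------------------
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")


def resolve_vulnerable(host: str) -> list[str]:
    # The input is handed to /bin/sh; ';', '|', '`' and '$()' become commands.
    # 'echo' stands in for the real 'host'/'ping' call so this runs offline.
    out = subprocess.run(f"echo {host}", shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def resolve_hardened(host: str) -> list[str]:
    # Allow-list the input, then pass it as a single argv element with no shell.
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    out = subprocess.run(["echo", host], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def command_injected(lines: list[str]) -> bool:
    """The payload 'x; echo INJECTED' yields a separate 'INJECTED' line only if
    a second command really ran; without a shell it is printed as part of one line."""
    return "INJECTED" in lines


if __name__ == "__main__":
    db = make_db()
    print("bypass vs vulnerable :", login_vulnerable(db, "admin' --", "anything"))  # True
    print("bypass vs hardened   :", login_hardened(db, "admin' --", "anything"))    # False
    print("sqli confirmed (vuln):", confirm_sqli(login_vulnerable, db))            # True
    print("sqli confirmed (hard):", confirm_sqli(login_hardened, db))              # False
    print("cmd inj (vulnerable) :", command_injected(resolve_vulnerable("x; echo INJECTED")))  # True
```

The differential check is what separates a scanner's string match from an exploitable finding: a true/false pair that produces different responses is evidence the input reached the interpreter, and the same pair against the hardened handler produces identical responses, which is exactly the false-positive case the manual step is there to rule out.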
Resources
Dedicated machines
Dedicated network
Software tools:
In-house developed
Open source
Commercial
Dedicated workspace (IT Security Laboratory)
Protect client data
Logging facility
Limitations
Timeframe
Budget
Resources
Personnel awareness (staff who know a test is under way react differently than they would to a real attacker)
Things change (the result is a point-in-time snapshot; systems and their vulnerabilities change after the test)
A penetration test does not discover all vulnerabilities; it reduces the number of vulnerabilities that could be found by highly skilled attackers with similar resources and knowledge, within the agreed timeframe.
[Figure: "Known vulnerabilities" shown as a subset of "All software vulnerabilities"]
Reporting
Executive summary
Overview
Key findings
High-level observations
Risk matrix
Technical report
Findings
Risks
Recommendations
Present report to client
Best Practice, Standards, Certifications and Knowledge
Security testing standards:
OSSTMM - Open Source Security Testing Methodology Manual (ISECOM)
NIST SP 800-42 - Guideline on Network Security Testing (superseded in 2008 by NIST SP 800-115, Technical Guide to Information Security Testing and Assessment)
OWASP - The Open Web Application Security Project (OWASP Testing Guide)
Certifications:
Offensive Security OSCE, OSCP, OSWP
ISECOM OPST
SANS GPEN, GWAPT
EC-Council LPT, CEH
CHECK Team Leader, Team Member
CREST Registered Tester, Certified Tester
Knowledge:
System administration
Network administration
Software development
Quality assurance / software testing
Example (1): Outdated CMS allows unauthorized file upload
Example (2): Arbitrary file download
Example (3): Gaining access to development servers
Example (4): Application logic flaw
Example (5): Social engineering
Example (6): Gaining root access
Thank you!
Questions?
Adrian Furtunǎ, Ph.D.
[email protected]

© 2011 KPMG Romania, a Romanian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.