Penetration Testing
University of Sunderland CSEM02
Harry R Erwin, PhD

Resources
• Qinetiq Information Security Foundation Course (2002)
• Tittel, Stewart, and Chapple, 2004, CISSP: Certified Information Systems Security Professional Study Guide, 2nd edition, Sybex
• Whittaker and Thompson, 2004, How to Break Software Security, Pearson

Definition
• An activity used to test the strength and effectiveness of deployed security measures with an authorized attempted intrusion attack. Penetration testing should be performed only with the consent and knowledge of the management staff. (Tittel et al., 2004)

General Comments
• Usually done to give management a ‘warm and fuzzy’ feeling about the security of their system.
• Expensive
• Does not substitute for good security testing or for good security design.
• This discussion covers how it is done.
General Approach
• The members of the team first scope the penetration test. This includes:
  • Consultation with the customer about the specific type of testing to be performed:
    • On-site
    • Remote
    • Application
    • Telecommunications
    • Hybrid
  • Number of hosts to be tested
  • Timescale

Penetration Testing Services
• Begins with a tailored security health check (SHC), comprised of part or all of:
  • Network security health check
    • Onsite
    • Remote
  • Application security health check
  • Telecommunications security health check
• Should be flexible and appropriate

Network SHC
• Location can be remote or onsite
• Starts with public records
  • RIPE/DNS/Google (you’ve seen this demonstrated)
• Network assessment
  • Architecture
  • Gateways (RIP/OSPF)
  • Firewalls (ACL/rules)
  • Protocols
  • IP range
  • Anomalies

Network Testing
• If onsite, you will need to conduct on-host audits
  • Windows
  • Unix
• Infrastructure management should also be assessed
  • Remote/terminal/back-end management
• Should include a comprehensive configuration review and recommendations

Network Testing
• Host assessment
  • Identify the live hosts.
  • Apply operating system fingerprinting to identify potential vulnerabilities.
  • Determine the trust relationships.
• Service assessment
  • Services offered.
  • Anomalies and vulnerabilities.

Network Testing
• Vulnerability assessment
  • Automated tools?
  • Manual determination
• Risk assessment of data flow

Application Testing
• What applications are running?
  • By server type
  • Stovepipe or specialized systems
• Protocols
• Session and authentication handling
• Default scripts and generic vulnerabilities

Authentication Analysis
• Session handling
  • Session identifier: how predictable and identifiable is it, can it be brute forced, can it be replicated?
  • Session timeout
• Comparison to best practices
  • Correctly implemented?
  • Predictable secret values?
  • Is brute force blocked?
  • Password complexity adequate?
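The session-identifier questions on this slide (how predictable is it, can it be brute forced) can be turned into a small measurement that a reviewer runs over a sample of observed identifiers. The following Python is an added example, not code from the lecture slides: the weak sequential `SESS00001234` scheme, the 64-bit entropy target, and the per-position entropy estimator are assumptions chosen for illustration, and `secrets.token_urlsafe` stands in for the recommended way of minting identifiers.

```python
import math
import secrets
from collections import Counter

# Constructed weak scheme of the kind a session-handling review looks for
# (hypothetical; not taken from any real product).
def weak_session_id(counter: int) -> str:
    return f"SESS{counter:08d}"

# Recommended form: an unguessable identifier from a CSPRNG.
def strong_session_id(nbytes: int = 32) -> str:
    return secrets.token_urlsafe(nbytes)

def shannon_entropy_bits(tokens):
    """Estimate per-token entropy by summing, over each character position,
    the Shannon entropy of the symbols observed there.

    Constant positions contribute 0 bits. This is a reviewer's rough estimate
    from a sample, not a proof of randomness (assumption: positions are
    treated as independent).
    """
    if not tokens:
        return 0.0
    length = min(len(t) for t in tokens)
    n = len(tokens)
    total = 0.0
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total

def sequential_fraction(tokens):
    """Fraction of consecutive token pairs whose digit content differs by one.

    A value near 1.0 means the next identifier is predictable from a single
    observed one, which is the 'replicated / brute forced' failure mode.
    """
    nums = []
    for t in tokens:
        digits = "".join(ch for ch in t if ch.isdigit())
        nums.append(int(digits) if digits else None)
    pairs = [(a, b) for a, b in zip(nums, nums[1:])
             if a is not None and b is not None]
    if not pairs:
        return 0.0
    adjacent = sum(1 for a, b in pairs if b - a == 1)
    return adjacent / len(pairs)

def assess(tokens, min_bits=64):
    """Return a review verdict for a sample of observed session identifiers.
    The 64-bit floor is an assumed target, not a figure from the slides."""
    bits = shannon_entropy_bits(tokens)
    seq = sequential_fraction(tokens)
    findings = []
    if seq > 0.5:
        findings.append("identifiers are sequential; next ID is predictable")
    if bits < min_bits:
        findings.append(f"estimated entropy {bits:.1f} bits is below the {min_bits}-bit target")
    return {"entropy_bits": round(bits, 1), "sequential": seq, "findings": findings}

if __name__ == "__main__":
    weak = [weak_session_id(1000 + i) for i in range(200)]
    strong = [strong_session_id() for _ in range(200)]
    print("weak  :", assess(weak))
    print("strong:", assess(strong))
```

The weak sample scores under ten bits (only the last three digits vary across two hundred observations) and is flagged as sequential; the `token_urlsafe` sample scores well above the target and produces no findings. The estimator deliberately measures only what a tester can observe, so a low score is evidence of weakness while a high score is not proof of strength.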
Transactional Security
• Can transactions be identified in the data stream?
• How much information can be derived from them?
• What happens when:
  • Transactions are replicated
  • Transactions are injected
  • Transactions are deleted
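To make the three "what happens when" cases concrete, this added example (not code from the slides) models a producer that attaches a sequence number and an HMAC to every transaction, and a consumer that classifies what it receives as accepted, replicated, injected or showing a gap where something was deleted. The shared key, the JSON message layout and the policy of accepting-but-flagging gaps are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice this is a per-session key agreed out of band.
KEY = b"demo-shared-secret-not-for-production"

def _canonical(seq: int, payload: dict) -> bytes:
    # Deterministic encoding so both sides MAC exactly the same bytes.
    return json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()

def sign(seq: int, payload: dict, key: bytes = KEY) -> dict:
    """Producer side: bind the payload to a sequence number with an HMAC."""
    mac = hmac.new(key, _canonical(seq, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "mac": mac}

class Receiver:
    """Consumer side: verifies each transaction and reports what it saw."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.expected = 1  # next sequence number we expect to see

    def process(self, tx: dict) -> str:
        # 1. Integrity first, so a forged message can never move our state.
        expect_mac = hmac.new(self.key, _canonical(tx["seq"], tx["payload"]),
                              hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect_mac, tx.get("mac", "")):
            return "rejected: bad MAC (injected or modified)"
        # 2. Old sequence number: the transaction was replicated.
        if tx["seq"] < self.expected:
            return "rejected: replayed"
        # 3. Jump ahead: something between was deleted (assumed policy: flag, accept).
        if tx["seq"] > self.expected:
            gap = tx["seq"] - self.expected
            self.expected = tx["seq"] + 1
            return f"accepted with gap: {gap} transaction(s) missing (deleted?)"
        self.expected += 1
        return "accepted"

def demo():
    """Walk one receiver through the four situations and return its verdicts."""
    legit = [sign(i, {"from": "A", "to": "B", "amount": 10 * i}) for i in range(1, 5)]
    r = Receiver()
    results = []
    results.append(r.process(legit[0]))                     # normal delivery
    results.append(r.process(legit[0]))                     # replicated
    forged = dict(legit[1])                                 # injected: payload altered, old MAC kept
    forged["payload"] = dict(forged["payload"], amount=9999)
    results.append(r.process(forged))
    results.append(r.process(legit[1]))                     # normal delivery
    results.append(r.process(legit[3]))                     # transaction 3 deleted in transit
    return results

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Without the MAC, the consumer has no way to tell an injected transaction from a real one; without the sequence number, it cannot distinguish a replicated transaction from a legitimate repeat, nor notice that one was deleted. The order of checks matters: integrity is verified before any state changes, so an attacker's message cannot advance the expected counter.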
Source Code Review
• Logical analysis
  • Control flow
  • Functionality
• Information leakage
  • Error messages
• Input validation
  • Bad input
  • Bypass
  • Drilling through
• Expensive in time and money. Pay me now, or pay me later. It costs more later.

Telecomms Testing
• War-dialing and modem detection
  • Identified modems need to be inventoried
• PABX audit looks for:
  • Toll fraud
  • Call redirection
  • Remote reconfiguration
  • Trunk line configuration

Penetration Test Process
• Scope/preparation
• Briefing
• Physical test
• Knowledge transfer and education
• Diagnosis
• Debriefing
• Report

Scope/Preparation
• Scope and scale the test
• Establish deadlines and schedules
• Sign contract
• Conduct test planning
  • Risk and perceived threat
  • Technology
• Identify and deploy necessary skills

Initial Briefing
• Meet technical staff
• Collect contact information
• Describe the test
• Identify areas of concern
• Maintain contact
  • Track major user issues
• Be open

Physical Test
• Evaluate the network
  • IP range
  • Subnets
• Automated tests (nessus/nmap)
• Hands-on tests
  • Prior experience of testers
  • Trust analysis
  • Exploits
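The host and service assessment steps on the Network Testing slide (identify the live hosts, fingerprint the operating system, list the services offered, look for anomalies) and the automated nmap tests on this slide both leave the tester with scanner output that has to become an inventory and a list of anomalies for the debriefing. This added example, which is not part of the slides and is not nmap's own code, parses a constructed snippet written in nmap's XML output format and checks it against a customer-supplied asset list. The asset list, the cleartext-service list and the addresses (RFC 5737 documentation ranges) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX output format (not a real scan result).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.0/28" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="web.example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
</ports>
<os><osmatch name="Linux 5.X" accuracy="95"/></os>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.12" addrtype="ipv4"/>
</host>
</nmaprun>"""

# Assumed reviewer's list of services that carry credentials in the clear.
CLEARTEXT_SERVICES = {"telnet", "ftp", "rlogin", "rsh"}

def parse_nmap(xml_text: str) -> list:
    """Build a host inventory (live hosts, OS guess, open services) from nmap XML."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue                                  # only live hosts go in the inventory
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hostnames = [hn.get("name") for hn in h.findall("hostnames/hostname")]
        osmatch = h.find("os/osmatch")                # first (best) OS fingerprint match, if any
        services = []
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue                              # closed/filtered ports are not services
            svc = p.find("service")
            services.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
            })
        hosts.append({"ip": addr.get("addr"), "hostnames": hostnames,
                      "os": osmatch.get("name") if osmatch is not None else None,
                      "services": services})
    return hosts

def review(hosts: list, asset_inventory: set) -> list:
    """Return (ip, finding) pairs: undocumented hosts and cleartext services."""
    findings = []
    for h in hosts:
        if h["ip"] not in asset_inventory:
            findings.append((h["ip"], "host absent from asset inventory"))
        for s in h["services"]:
            if s["name"] in CLEARTEXT_SERVICES:
                findings.append((h["ip"], f"cleartext service {s['name']}/{s['port']}"))
    return findings

if __name__ == "__main__":
    inventory = parse_nmap(SAMPLE_XML)
    for h in inventory:
        print(h["ip"], h["hostnames"], h["os"], [s["port"] for s in h["services"]])
    # Assumed customer asset list: only the web server is documented.
    for ip, msg in review(inventory, {"192.0.2.10"}):
        print("FINDING", ip, msg)
```

Two points the slides make fall out of the run: the host at 192.0.2.11 is live but not in the customer's asset list, which is exactly the kind of anomaly to raise at the debriefing, and its telnet service is a configuration finding regardless of whether any exploit exists for it.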
Debriefing
• Evaluate automated results
• Assess anomalies
• Ensure full scope of testing has been completed
• Make sure the nature of any successful penetration is clear to the customer

Closure
• Make sure all experts/managers are involved.
• Discuss all results
• Identify who receives reports
• Provide contact details
• Prepare report
  • When due, what, and follow-up.

Conducting the Test
• Identify target and goal
• Gather information
• Identify potential routes into network
• Test potential routes
• Capture target

Identify Target and Goal
• Targets
  • What is to be attacked?
• Goals
  • Compromise
  • Privacy-sensitive data
  • Defacement
  • Denial of service
  • Fraud

Information Gathering
• Resources include:
  • RIPE (Europe)
  • ARIN (US)
  • DNS
  • IRC (technical chat rooms)
  • Phone books
  • Public business records
  • Trash cans
  • Google (which you’ve seen)

Potential Routes
• Social engineering
• Open sources
• Newsgroups and papers published
• Use this to plan the penetration
• Play the role
• Create trust

Telecomms
• War-dialing to identify modems
• Voice mail

Mapping
• Identify servers and subnets
• Evaluate firewalls and routers
• Each route in needs to be assessed
  • Firewalls
  • Protection
  • Access
  • Speed
  • Special circumstances

Capture Target
• Develop detailed capture scenario
• Take into account vulnerabilities and special circumstances
• Implement

Usually, you will demonstrate the initial access point vulnerability, give the administrators time to fix it, and continue from the access point to the target.

What Allows This to Succeed?
• Public data
• Uneducated staff
• Misconfigured servers
• Misconfigured boundary protection
• Lack of IDS
• Patches not implemented

Countermeasures
• Have your security reviewed
• Educate users and staff
• Implement authentication, access control, and audit
• Use an IDS
• Code reviews
• Keep private data private
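"Lack of IDS" on the previous slide and "Use an IDS" here: the mapping phase described earlier (identify servers and subnets, assess each route in) is exactly the activity an intrusion detection system is placed to notice. This added example, not from the slides, runs a minimal port-scan and host-sweep detector over constructed firewall log lines so the defender's side of the mapping phase is visible. The log line format (loosely syslog-style `SRC= DST= DPT=` fields), the 60-second window and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed log format: "<epoch seconds> SRC=<ip> DST=<ip> PROTO=<proto> DPT=<port>".
LINE_RE = re.compile(
    r"^(?P<ts>\d+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)

def build_sample_log() -> str:
    """Constructed connection log covering four sources (documentation IP ranges)."""
    lines = []
    # Vertical scan: one source probes 15 ports on one host within 15 seconds.
    for k in range(15):
        lines.append(f"{1000 + k} SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT={21 + k}")
    # Horizontal sweep: one source probes port 445 on 8 hosts within 8 seconds.
    for k in range(8):
        lines.append(f"{2000 + k} SRC=203.0.113.5 DST=192.0.2.{1 + k} PROTO=TCP DPT=445")
    # Benign client: two HTTPS connections to the web server.
    lines.append("3000 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=443")
    lines.append("3005 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=443")
    # Slow probe: 12 ports, ten minutes apart, so never many within one window.
    for k in range(12):
        lines.append(f"{4000 + 600 * k} SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT={21 + k}")
    return "\n".join(lines)

def parse(log_text: str) -> list:
    """Turn log lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": int(m["ts"]), "src": m["src"],
                       "dst": m["dst"], "dpt": int(m["dpt"])})
    return events

def detect_scans(events: list, window: int = 60,
                 port_threshold: int = 10, host_threshold: int = 5) -> list:
    """Flag a source that touches >= port_threshold distinct ports on one host
    (vertical scan) or one port on >= host_threshold hosts (horizontal sweep)
    within any `window`-second span. Thresholds are assumed tuning values."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        worst_ports = worst_hosts = 0
        j = 0
        for i in range(len(evs)):
            # Advance the window end; j only moves forward because evs is sorted.
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for e in evs[i:j]:
                ports_per_host[e["dst"]].add(e["dpt"])
                hosts_per_port[e["dpt"]].add(e["dst"])
            worst_ports = max(worst_ports, max(len(s) for s in ports_per_host.values()))
            worst_hosts = max(worst_hosts, max(len(s) for s in hosts_per_port.values()))
        if worst_ports >= port_threshold:
            alerts.append({"src": src, "type": "vertical scan", "count": worst_ports})
        if worst_hosts >= host_threshold:
            alerts.append({"src": src, "type": "horizontal sweep", "count": worst_hosts})
    return alerts

if __name__ == "__main__":
    for a in detect_scans(parse(build_sample_log())):
        print(f"ALERT {a['type']:<17} from {a['src']} ({a['count']} in window)")
```

The two fast sources are reported and the ordinary client is not. The fourth source shows the well-known limitation of this rule: spreading the same probes over two hours keeps each 60-second window under the threshold, so a fixed-window counter needs to be paired with longer-term baselining before it counts as a real IDS rather than a demonstration.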