
Enterprise Security / System Integrity

Penetration Testing Explained

Rand Hirt, CISSP, CISA, GPEN


Sr. Security Analyst - Enterprise Security

Agenda for Today


What is Penetration Testing?

Definition
Purpose
Connection to Vulnerabilities/Exploits
Types of Pen Tests
Outcomes

Why Pen Test?

Regulatory Requirements
Risk Profile determination

How to Pen Test?

Pen Test Methodology


Reporting
Penetration Testing Framework and PTES
Tools - Open Source
Tools - Commercial

Challenges
Takeaways

What is Penetration Testing?


Definition
Definition = the exact meaning of a word. Despite that, security testing vendors define their services differently using the same words, often incorrectly.

Penetration Test = an approach, modeling the tactics of real-world bad guys, to find vulnerabilities, then, under controlled circumstances, exploit those vulnerabilities and determine business risk.

Vulnerability Scan (or Security Assessment) = finding security vulnerabilities, which may or may not be usable to get in or steal data.

[Diagram: Vulnerability (or Security) Assessment on one side, Penetration Test on the other]

Penetration test = the focus is on actually getting in and/or stealing data.

What is Penetration Testing? - continued

Purpose
The ultimate goal is discovering flaws so that they can be
remediated (applying patches, reconfiguring systems,
altering the architecture, changing processes, etc.).

Connection of Vulnerabilities/Exploits to Risk


Threat = an actor or agent that may want to or actually can
cause harm to the targeted organization.
Vulnerability = flaw that an attacker could use to cause
damage.
Exploit = the vehicle by which the attacker uses a
vulnerability to cause damage to the target system.


What is Penetration Testing? - continued

Connection to Vulnerabilities/Exploits
How this plays together:

Risk is where threat and vulnerability overlap. That is, we have a risk when our systems have a vulnerability that a given threat can attack.

What is Penetration Testing? - continued

Types of Penetration Tests
Network services test

Most common; finds target systems on a network and tests their exposed services.

Client-Side test

Designed to find and exploit flaws in client-side software, such as browsers, media players, document editing programs, etc.

Web Application test

Targets web-based applications in the target environment.

Remote war dial test

Looks for modems in the target environment and includes password guessing to attempt connecting.

Wireless security test

Targets the physical environment to find unauthorized wireless access points or insecure access points.

Social engineering test

Attempts to dupe a user into revealing sensitive information or clicking on a malicious link in an email.


What is Penetration Testing? - continued

Outcomes
To be successful, we need to express our pen test findings in both business and technical terms.

For any given risk, decision makers may conclude that, for business purposes, they will accept a given risk identified during a test rather than mitigate the associated vulnerability. In the end, it's a business decision.


Why Pen Test?


Regulatory Requirements
Payment Card Industry (PCI) Data Security Standard
(DSS) mandates at least an annual pen test be
performed on the Cardholder Data Environment (CDE),
and/or if significant infrastructure or application
upgrades occur (PCI DSS 11.3).


Why Pen Test? - continued


Risk Profile determination
The overall objective is to reduce risk by examining the company's actual attack surface.
Attack surface = the sum of all potential attack vectors.
Attack vector = any single parameter (that is also vulnerable) that
can be attacked.
EXAMPLE: Networked services like File Transfer Protocol (FTP),
Internet Message Access Protocol (IMAP) and Simple Mail
Transfer Protocol (SMTP) contain unique parameters, each of
which could be exploited if not adequately protected.


How to Pen Test?


Pen Test Methodology
1. Scoping/Planning/Goal
Constraints and limitations imposed on the team, e.g. out-of-scope items, hardware, IP addresses.
Constraints, limitations or problems encountered by the team during the actual test.

2. Reconnaissance
The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms: active and passive. A passive approach is always the best starting point, as it would normally defeat intrusion detection systems and the other forms of protection afforded to the network. This would usually involve trying to discover publicly available information by utilizing a web browser, visiting newsgroups, etc. An active form would be more intrusive and may show up in audit logs; it may take the form of an attempted DNS zone transfer or a social engineering type of attack.
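The slide notes that active reconnaissance "may show up in audit logs", with an attempted DNS zone transfer as the example. The following added example (not part of the original deck) shows what the defender's side of that looks like: a small parser run over constructed, BIND-style query-log lines that counts AXFR/IXFR requests per client and ignores the secondaries that are allowed to pull the zone. The log lines, the addresses, the regular expression and the `allowed_secondaries` parameter are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines written in the style of a BIND query log.
# These are not real logs; the addresses are documentation ranges.
SAMPLE_DNS_LOG = """\
03-Mar-2024 10:14:02.115 client 192.0.2.10#53412 (example.com): query: example.com IN A + (198.51.100.1)
03-Mar-2024 10:14:02.301 client 192.0.2.10#53413 (example.com): query: example.com IN MX + (198.51.100.1)
03-Mar-2024 10:14:03.008 client 192.0.2.10#53414 (example.com): query: example.com IN AXFR -T (198.51.100.1)
03-Mar-2024 10:14:03.900 client 203.0.113.7#40001 (www.example.com): query: www.example.com IN A + (198.51.100.1)
03-Mar-2024 10:14:05.250 client 192.0.2.10#53415 (example.com): query: example.com IN AXFR -T (198.51.100.1)
03-Mar-2024 10:14:06.011 client 192.0.2.10#53416 (example.com): query: example.com IN IXFR -T (198.51.100.1)
03-Mar-2024 10:14:07.400 client 198.51.100.2#53000 (example.com): query: example.com IN AXFR -T (198.51.100.1)
this line is not a query record and is skipped by the parser
"""

# One query-log record. The optional "@0x..." token covers builds that print
# the client object address before the IP (assumed format for this example).
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+) (?P<flags>\S+)"
)

TRANSFER_TYPES = frozenset({"AXFR", "IXFR"})


def parse_queries(log_text):
    """Parse query-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def find_transfer_attempts(log_text, allowed_secondaries=frozenset()):
    """Count zone-transfer requests (AXFR/IXFR) per client IP, ignoring the
    IPs that are legitimately allowed to pull the zone (the secondaries).

    Returns {client_ip: number_of_transfer_requests}. A non-empty result is
    a candidate 'active reconnaissance' alert for the SOC to triage.
    """
    counts = defaultdict(int)
    for rec in parse_queries(log_text):
        if rec["qtype"] in TRANSFER_TYPES and rec["ip"] not in allowed_secondaries:
            counts[rec["ip"]] += 1
    return dict(counts)


def summarize(counts, threshold=1):
    """Turn the counts into alert strings for clients at or above threshold."""
    return [
        f"ALERT zone transfer requested {n} time(s) by {ip}"
        for ip, n in sorted(counts.items())
        if n >= threshold
    ]


if __name__ == "__main__":
    hits = find_transfer_attempts(SAMPLE_DNS_LOG, allowed_secondaries={"198.51.100.2"})
    for line in summarize(hits):
        print(line)
```

Run stand-alone, the script reports three transfer requests from 192.0.2.10 and stays silent about 198.51.100.2, the allowed secondary. The point for a pen-test report is the other way round: if the tester's zone-transfer attempts never produced such an alert, that absence of detection is itself a finding.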


How to Pen Test?- continued


Pen Test Methodology
3. Scanning
By use of vulnerability scanners, all discovered hosts would be tested for vulnerabilities. The results would then be analyzed to determine if there are any vulnerabilities that could be exploited to gain access to a target host on the network.

4. Exploitation
By use of published exploits or weaknesses found in applications, operating systems and services, access would then be attempted. This may be done surreptitiously or by more brute-force methods. Examples are the use of exploit engines such as Metasploit or password cracking tools such as John the Ripper.


How to Pen Test? - continued


Pen Test Methodology
5. (optional) Covering Tracks
The ability to erase logs that may have recorded the testing team's attempts to access the network should ideally not exist. These logs are the first piece of evidence that may prove that a possible breach of company security has occurred and should be protected at all costs. An attempt to erase or alter these logs should prove unsuccessful, to ensure that if a malicious attacker did in fact get access to the network, their every movement would be recorded.
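The slide's requirement is that erasing or altering logs "should prove unsuccessful". One standard way to make alteration at least detectable is to chain each entry to the previous one with a keyed hash held by a separate log collector. The block below is an added example, not part of the original deck, using constructed audit-log entries, a hypothetical collector key and a zero-filled genesis value; all three are assumptions for the illustration.

```python
import hashlib
import hmac

# Constructed sample audit-log entries (not real log data).
SAMPLE_ENTRIES = [
    "2024-03-03T10:14:02Z sshd: accepted publickey for svc-backup from 192.0.2.10",
    "2024-03-03T10:14:09Z sudo: svc-backup ran /usr/bin/tar as root",
    "2024-03-03T10:14:30Z sudo: svc-backup ran /usr/bin/rm /var/log/auth.log as root",
    "2024-03-03T10:15:01Z sshd: session closed for svc-backup",
]

# Hypothetical signing key; in practice this lives only on the log collector,
# never on the host that produces the entries, so a compromised host cannot
# recompute the chain after editing it.
COLLECTOR_KEY = b"example-key-do-not-use-in-production"

GENESIS = b"\x00" * 32  # fixed starting value for the chain (an assumption)


def chain_log(entries, key):
    """Return [(entry, tag_hex)] where tag_i = HMAC(key, tag_{i-1} || entry_i).

    Each tag commits to the entry *and* to every earlier tag, so editing or
    deleting an entry breaks every tag after it.
    """
    records = []
    prev = GENESIS
    for entry in entries:
        tag = hmac.new(key, prev + entry.encode("utf-8"), hashlib.sha256).digest()
        records.append((entry, tag.hex()))
        prev = tag
    return records


def verify_chain(records, key):
    """Return the index of the first record whose tag does not verify, or
    None if the chain is intact.

    Caveat: pure truncation of the tail is NOT detected by the chain alone;
    the collector must also track the expected record count (or receive a
    periodic signed 'last tag' checkpoint from the host).
    """
    prev = GENESIS
    for i, (entry, tag_hex) in enumerate(records):
        expected = hmac.new(key, prev + entry.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return None


def check_against_collector(records, key, expected_count):
    """Combine chain verification with the count check so that both editing
    and truncation are reported. Returns a short status string."""
    bad = verify_chain(records, key)
    if bad is not None:
        return f"TAMPERED: record {bad} does not verify"
    if len(records) < expected_count:
        return f"TRUNCATED: {len(records)} of {expected_count} records present"
    return "OK"


if __name__ == "__main__":
    chained = chain_log(SAMPLE_ENTRIES, COLLECTOR_KEY)
    print(check_against_collector(chained, COLLECTOR_KEY, len(chained)))
    # Someone removes the incriminating entry at index 2.
    edited = chained[:2] + chained[3:]
    print(check_against_collector(edited, COLLECTOR_KEY, len(chained)))
```

Deleting the third entry makes the fourth fail verification, because its tag was computed over the deleted entry's tag. Dropping the tail only shows up through the record count, which is why the collector, not the host, has to be the party that remembers how many records it expects.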


How to Pen Test? - continued


Reporting
Reporting is crucial for sharing the findings of the penetration test. It should not just be a cut & paste process from the tool. It must have some business impact analysis as well as quantify the business risk of the findings.

Reports are not for impressing other pen testers. They are for operations personnel, to help them understand the risks and mitigate the vulnerabilities.
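The deck's risk model has three pieces: risk exists where a threat and a vulnerability overlap, the attack surface is the sum of all attack vectors (the FTP/IMAP/SMTP example), and a report must rank findings by business impact rather than paste scanner output. The block below is an added example that puts the three together; it is not the deck's method or any tool's output. The `Finding` and `Threat` types, the three threat tiers (taken from the deck's script kiddie / skilled / elite split), the `ASSET_IMPACT` values, the `VULN-nnn` identifiers and the "overlapping threats times impact" scoring are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerable attack vector found during the test (constructed data)."""
    host: str
    service: str              # the exposed service/parameter = the attack vector
    vuln_id: str              # internal tracking id, deliberately not a real CVE
    exposure: str             # where the vector is reachable from
    public_exploit: bool      # is a published exploit known for it?


@dataclass(frozen=True)
class Threat:
    """A threat actor class and what it can reach/do (assumed model)."""
    name: str
    reach: frozenset            # exposures this actor can get to
    needs_public_exploit: bool  # True = relies on published exploits only


# Assumed threat tiers, following the deck's script kiddie / skilled / elite split.
THREATS = [
    Threat("script kiddie", frozenset({"internet"}), True),
    Threat("skilled hacker", frozenset({"internet", "internal"}), False),
    Threat("elite hacker", frozenset({"internet", "internal", "partner"}), False),
]

# Business-assigned impact of losing each asset, 1 (low) to 5 (critical).
# Constructed values; in a real report the business owners supply these.
ASSET_IMPACT = {"payment-gw": 5, "mail-relay": 3, "intranet-wiki": 1}

# Constructed findings in the shape a scanner plus manual validation would give.
FINDINGS = [
    Finding("payment-gw", "ftp/21", "VULN-001", "internet", True),
    Finding("mail-relay", "smtp/25", "VULN-002", "internet", False),
    Finding("intranet-wiki", "http/80", "VULN-003", "internal", True),
    Finding("payment-gw", "imap/143", "VULN-004", "partner", False),
]


def attack_surface(findings):
    """Attack surface = the set of all (host, service) attack vectors."""
    return sorted({(f.host, f.service) for f in findings})


def applicable_threats(finding, threats):
    """Threats that overlap this vulnerability: they can reach the vector and
    have the capability its exploitation requires."""
    return [
        t for t in threats
        if finding.exposure in t.reach
        and (finding.public_exploit or not t.needs_public_exploit)
    ]


def risk_score(finding, threats, impact_table):
    """Risk = 0 when no threat overlaps the vulnerability; otherwise the number
    of overlapping threat classes (a crude likelihood) times business impact."""
    overlap = applicable_threats(finding, threats)
    if not overlap:
        return 0
    return len(overlap) * impact_table.get(finding.host, 1)


def build_report(findings, threats=THREATS, impact_table=ASSET_IMPACT):
    """Rows sorted by business risk, each naming the threats that make it a
    risk, so an operations reader sees what to fix first and why."""
    rows = []
    for f in findings:
        rows.append({
            "host": f.host,
            "vector": f.service,
            "vuln_id": f.vuln_id,
            "risk": risk_score(f, threats, impact_table),
            "threats": [t.name for t in applicable_threats(f, threats)],
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    print("Attack surface:", attack_surface(FINDINGS))
    for row in build_report(FINDINGS):
        who = ", ".join(row["threats"]) or "no reachable threat"
        print(f"{row['risk']:>3}  {row['host']:<14}{row['vector']:<10}{row['vuln_id']}  {who}")
```

The ordering is the business message: the payment gateway's FTP service outranks everything because all three threat tiers can reach it and a public exploit exists, while the internal wiki, despite also having a public exploit, scores low because only higher-tier actors can reach it and the asset matters little. A vector that no modelled threat can reach scores zero, which matches the deck's definition of risk as the overlap of threat and vulnerability, although such a finding should still be recorded so the assumption about reachability can be revisited.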


How to Pen Test? - continued


Penetration Testing Framework and PTES
Open-source testing methodologies exist:
Open Source Security Testing Methodology Manual
(OSSTMM)
Open Web Application Security Project (OWASP)
Penetration Testing Framework (www.vulnerabilityassessment.co.uk/Penetration%20Test.html)
Penetration Testing Execution Standard (http://pentest-standard.org/index.php/Main_Page)


How to Pen Test? - continued


Tools - Open Source
Nessus (now commercial version by Tenable Security)
Metasploit (now owned by Rapid7)
Backtrack CD (discontinued Linux distribution with open-source security tools; now Kali Linux)


How to Pen Test? - continued


Tools - Commercial
Immunity CANVAS Pro
WebInspect - HP SPI Dynamics
CORE IMPACT & CORE Insight Enterprise


Challenges
Bad (RCPT) vs. Good Pen Testing
Really Crappy Pen Test (RCPT) - not thoroughly testing
all attributes of the attack surface, or even worse, using
vulnerability scan results and calling it a penetration
test.
A good pen test is comprehensive and looks at threat
levels at least equal to those likely to be faced in the
wild and performs testing at that level.


Challenges - continued
Skill level
Real pen testers are highly skilled professionals, usually certified to show competency, who use a formalized methodology and respect the business requirements of the company.

They view pen testing as a logical, analytical process. It is not just the output of an automated scanner (like the ones discussed earlier).


Challenges - continued
Potential adverse impacts
The goal of a penetration test is not to just cause all sorts of damage and expect that someone else gets to clean up the mess.

The goal is to attempt to achieve the objective as safely and with as little impact as possible. However, if you do pen testing long enough, at some point you will knock something over (a system may go unresponsive), so proper Change Management is crucial in order to account for unexpected results.

Challenges - continued
Time/Money constraints
Penetration tests are inherently constrained by time
and/or financial resources. For a specific engagement,
scoping of the pen test is crucial to success.
Also to be taken into consideration is the intensity of the testing, which should mimic the hacker level of most concern (script kiddie, skilled hacker, or elite hacker).


Challenges - continued
Failure to address Business impact
A good pen test not only validates identified
vulnerabilities, but also discusses the business impact if
the vulnerabilities are exploited.
In addition, there should also be recommendations on
how to effectively remediate those verified
vulnerabilities.


Takeaways
There are many reasons to conduct a penetration
test:
Compliance: Security standards like PCI require at least
annual penetration testing.
Measuring Risk: This can inform management where
weaknesses are present and the level of risk they
present.
Diligence: Testing to determine whether software developed internally using a Software Development Life Cycle (SDLC) has met secure development practices and hasn't presented opportunities to be attacked and exploited.

Questions?
