Penetration Testing Explained
Definition
Purpose
Connection to Vulnerabilities/Exploits
Types of Pen Tests
Outcomes
Regulatory Requirements
Risk Profile determination
Challenges
Takeaways
Client-side test: designed to find and exploit flaws in client-side software, such as browsers, media players, and document-editing programs.
Looks for modems in the target environment and includes password guessing to attempt a connection.
Targets the physical environment to find unauthorized wireless access points or insecurely configured access points.
Attempts to dupe a user into revealing sensitive information or clicking on a malicious link in an email.
2. Reconnaissance
The tester attempts to gather as much information as possible about the selected network. Reconnaissance takes two forms: passive and active. Passive reconnaissance is the best starting point, because it normally does not trigger intrusion detection systems or the other protections afforded to the network; it usually consists of collecting publicly available information with a web browser, by visiting newsgroups and similar sources. Active reconnaissance is more intrusive and may show up in audit logs; it can take the form of an attempted DNS zone transfer or a social-engineering approach.
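The deck notes that active reconnaissance "may show up in audit logs" and names the DNS zone transfer as an example. The following is an added example, not part of the original deck, showing what the defender's side of that looks like: a small detector that reads name-server log lines and flags zone transfer (AXFR/IXFR) requests from any source that is not an authorised secondary. The log lines are constructed for the example and only approximate the BIND 9 query and security channel formats; the authorised-secondary address is an assumption.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original deck). The format
# approximates BIND 9 "queries" and "security" channel output.
SAMPLE_LOG = """\
12-Mar-2024 10:15:30.001 client @0x7f1a 192.0.2.10#52311 (example.com): query: www.example.com IN A -E(0)K (198.51.100.2)
12-Mar-2024 10:15:31.204 client @0x7f1b 203.0.113.5#40122 (example.com): query: example.com IN AXFR -E(0)K (198.51.100.2)
12-Mar-2024 10:15:31.210 client @0x7f1b 203.0.113.5#40122 (example.com): zone transfer 'example.com/AXFR/IN' denied
12-Mar-2024 10:15:32.555 client @0x7f1c 192.0.2.10#52312 (example.com): query: mail.example.com IN MX -E(0)K (198.51.100.2)
12-Mar-2024 10:15:40.007 client @0x7f1d 203.0.113.5#40123 (example.com): query: example.com IN IXFR -E(0)K (198.51.100.2)
12-Mar-2024 10:15:41.300 client @0x7f1e 198.51.100.7#53 (example.com): query: example.com IN AXFR -E(0)K (198.51.100.2)
"""

# Assumed: the one secondary that is allowed to pull the zone.
AUTHORISED_SECONDARIES = {"198.51.100.7"}

TRANSFER_TYPES = {"AXFR", "IXFR"}

# A normal query line: source address, zone, queried name and record type.
QUERY_RE = re.compile(
    r"client @\S+ (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\((?P<zone>[^)]+)\): query: (?P<name>\S+) IN (?P<type>[A-Z]+)"
)

# A transfer the server refused (allow-transfer ACL did its job).
DENIED_RE = re.compile(
    r"client @\S+ (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ \([^)]+\): "
    r"zone transfer '(?P<zone>[^/]+)/(?P<type>AXFR|IXFR)/IN' denied"
)


def analyse(log_text, authorised=AUTHORISED_SECONDARIES):
    """Count zone transfer attempts and denials per source address.

    Returns a dict with:
      attempts - transfer requests (AXFR/IXFR) per source
      denied   - transfers the server refused, per source
      flagged  - sources that requested a transfer but are not authorised
    """
    attempts = Counter()
    denied = Counter()
    flagged = set()

    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            if m.group("type") in TRANSFER_TYPES:
                src = m.group("src")
                attempts[src] += 1
                if src not in authorised:
                    flagged.add(src)
            continue  # an ordinary query line, nothing more to check
        m = DENIED_RE.search(line)
        if m:
            denied[m.group("src")] += 1

    return {
        "attempts": dict(attempts),
        "denied": dict(denied),
        "flagged": sorted(flagged),
    }


def report(result):
    """Render the analysis as lines an analyst could drop into a ticket."""
    lines = []
    for src in result["flagged"]:
        lines.append(
            f"{src}: {result['attempts'].get(src, 0)} transfer request(s), "
            f"{result['denied'].get(src, 0)} denied - not an authorised secondary"
        )
    return lines


if __name__ == "__main__":
    for line in report(analyse(SAMPLE_LOG)):
        print(line)
```

Even when the transfer is denied, the request itself is evidence of active reconnaissance against the zone, which is why the detector counts attempts separately from denials; an authorised secondary pulling the zone is simply counted and not flagged.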
4. Exploitation
Using published exploits or weaknesses found in applications, operating systems and services, the tester then attempts to gain access. This may be done surreptitiously or by more brute-force methods, for example with an exploit framework such as Metasploit or a password-cracking tool such as John the Ripper.
Challenges
Bad (RCPT) vs. Good Pen Testing
Really Crappy Pen Test (RCPT): not thoroughly testing all attributes of the attack surface, or even worse, using vulnerability scan results and calling it a penetration test.
A good pen test is comprehensive, looks at threat levels at least equal to those likely to be faced in the wild, and performs testing at that level.
Challenges - continued
Skill level
Real pen testers are highly skilled professionals, usually certified to show competency, who use a formalized methodology and respect the business requirements of the company.
They view pen testing as a logical, analytical process. It is not just the output of an automated scanner (like the ones discussed earlier).
Challenges - continued
Potential adverse impacts
The goal of a penetration test is not to just cause all sorts of damage and expect that someone else gets to clean up the mess.
The goal is to attempt to achieve the objective as safely and with as little impact as possible. However, if you do pen testing long enough, at some point you will knock something over (a system may go unresponsive), so proper Change Management is crucial in order to account for unexpected results.
Challenges - continued
Time/Money constraints
Penetration tests are inherently constrained by time and/or financial resources. For a specific engagement, scoping of the pen test is crucial to success.
The intensity of the testing should also be considered, so that it mimics the attacker level of most concern (script kiddie, skilled hacker, or elite hacker).
Challenges - continued
Failure to address business impact
A good pen test not only validates identified vulnerabilities, but also discusses the business impact if the vulnerabilities are exploited.
In addition, there should also be recommendations on how to effectively remediate those verified vulnerabilities.
Takeaways
There are many reasons to conduct a penetration test:
Compliance: Security standards like PCI require at least annual penetration testing.
Measuring risk: This can inform management where weaknesses are present and the level of risk they present.
Diligence: Testing to determine whether software developed internally under a Software Development Life Cycle (SDLC) has met secure development practices and hasn't presented opportunities to be attacked and exploited.
Questions?