Assessing a pen tester: Making the right choice when choosing a third party Pen Test Firm


DESCRIPTION

Penetration Testing has become a part of every security program to some degree over the last several years. Many standards and regulations require it for compliance, as do contractual obligations, and pen testing is a well-known best practice in the IT security industry. One of the main issues with Penetration Testing is that very few entities have the knowledge, resources or time to address it in-house. As a result, the task is often outsourced to a third party that employs “white-hat” hackers with the supposed expertise to complete it and meet business and regulatory needs. The question is: “How do you tell the difference between a seasoned group of pen-testing professionals and a low-rent firm that is simply handing over the reports from a canned tool?” In this presentation, Jason Broz and Tom Eston from SecureState will address the following issues:
• Pitfalls of pen-testing clients
• Games that some firms may play
• What to look for in a quality pen test firm
• A checklist of questions to ask when choosing a pen-test firm


Tom Eston, CISSP, GWAPT

Jason Broz, CIPP/US

Assessing a Pen tester:

Making the right choice when selecting a third party firm

2/12/2014


Data Classification: SecureState Proprietary

WEBINAR PRESENTERS

• Jason Broz, CIPP/US
  – Audit and Compliance Consultant
  – Previous positions include IT for a Fortune 1000 company, and management and sales
  – Member of IAPP and ISACA

• Tom Eston, CISSP, GWAPT
  – Manager, Attack and Defense Team
  – Founder, SocialMediaSecurity.com
  – OWASP Contributor
  – SANS Community Instructor
  – International Speaker: DEFCON, Black Hat USA/Abu Dhabi and many others

WEBINAR GOALS

• Help you better understand Penetration Testing goals and objectives
• Provide clarity on the differences between types of penetration tests
• Elaborate upon differences within the industry
• Answer questions in regard to decision making

QUICK POLL

• Who has recommended a pentest?
• Who has purchased a pentest?
• Who has performed a pentest?
• Who has had to deal with the results from a pentest?
  – Who has seen a bad report?

WHAT IS A PENETRATION TEST?


WHAT IS PENETRATION TESTING?

“Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. It often involves launching real attacks on real systems and data that use tools and techniques commonly used by attackers”

NIST SP 800-115, http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

• Method of evaluating the security of:
  – Computer systems
  – Network devices
  – Web applications
  – Physical buildings and infrastructure
• Simulates an intrusive attack by a malicious attacker

KEY COMPONENTS OF PENETRATION TESTING

• Established methodology
• Attack vectors
• Scope established
• Trophies or goals identified
• Manual methods used in addition to tools
• Team based

MOST COMMON PENETRATION TESTING METHODOLOGIES

• Penetration Testing firms should follow one or more of the following methodologies:
  – PTES (Penetration Testing Execution Standard)
  – NIST SP 800-115
  – OSSTMM (Open Source Security Testing Methodology Manual)
  – OWASP Testing Guide (Open Web Application Security Project)

PENETRATION TESTS ARE NOT

• Vulnerability Assessments
  – Simply running an automated tool (e.g., Nessus)
• Manual review of security “controls”
  – This is an audit

From a cost perspective, a pentest will cost significantly more than a Vulnerability Assessment because of the manual testing involved.

REASONS FOR PERFORMING A PENETRATION TEST

• Compliance requirement (PCI)
• Told to perform a Penetration Test by management
• Identification of vulnerabilities in your network that can be exploited
• How difficult would it be for a hacker to compromise valuable data?
• Are your defenses working? Test of Incident Response and monitoring systems.
• Need budget to resolve issues and build the security program

REASONS NOT TO PERFORM A PENETRATION TEST

• It consumes your entire security budget
• Lack of resources to address any issues that the penetration test might discover
• No clear goals defined for the pentest

A penetration test is an excellent way to identify problems, but on its own it cannot fix them.

SECONDARY BENEFITS

• Incident Response
  – Is someone monitoring your assets?
  – How do they respond?
• Security awareness of users
  – Social engineering: phishing, phone calls
• Alarms, guards and detection
  – Are physical controls sufficient?

WHAT DOES ALL THIS MEAN TO YOU?


PENETRATION TESTS WITHIN YOUR ORGANIZATION

• Does your organization need a Penetration Test?
• Why does your organization need to do a Penetration Test?
• What type of Penetration Test do you need?
• What are your goals?
  – What is the objective?
  – What is the most valuable data on your network?
  – Trophies

WHY DOES YOUR ORGANIZATION NEED A PENETRATION TEST?

• Do you have sensitive data?
  – Credit card numbers
  – Protected Health Information (PHI)
  – Personally Identifiable Information (PII)
  – Proprietary data
• Regulatory requirement?
  – Payment Card Industry (PCI DSS), HIPAA
• Unsure of your defenses?
• Need to obtain budget?

WHAT TYPE OF PENETRATION TEST DO YOU NEED?

• Several different types:
  – External Network
  – Social Engineering
  – Internal Network
  – Wireless Network
  – Web Application
  – Physical Security
  – Full Scope

EXTERNAL NETWORK

• Simulates an attacker on the Internet
  – Passive footprinting
  – What network ports are exposed?
  – This type of penetration test should include brute force attacks against the exposed services
• Most common type of penetration test
• Typically done remotely

SOCIAL ENGINEERING

• Targets people, processes and awareness
  – Phishing
  – Spear phishing
  – Phone calls
  – USB/thumb drive drops
• Often paired with other assessments

Social Engineering attacks typically have a VERY high success rate.

INTERNAL NETWORK

• Simulates someone gaining access to your internal network
  – Contractor, malicious employee, backdoor malware
• What internal resources can we penetrate?
  – Critical servers, PCI data, etc.
• Can be paired with wireless and physical assessments

WIRELESS NETWORK

• Focused on attacking wireless networks
• Tests encryption strength and authentication
• How far can someone see the wireless network?
  – Can someone connect from a far distance?
• War driving

WEB APPLICATION

• Three types of Web Application Penetration Tests
  – Black box: no previous knowledge
  – Grey box: user credentials provided; user role and business logic testing
  – White box: code review

PHYSICAL SECURITY

• Assess the physical security of a facility or location
  – Human safety
  – Confidentiality
  – Integrity
  – Availability
• How can someone access your facility?
  – Tailgating, lock picking, alarm bypass
  – Social engineering

DETERMINING SCOPE

• A good Penetration Test should focus on attacking the core business and its processes
• Need to understand how sensitive data traverses your network
  – What it touches
  – Where it is stored
  – How it is transmitted
• Are there other things that you would like to assess?
  – Secondary considerations

DETERMINING SCOPE

• Regulatory requirements
  – PCI DSS treats every system on the same network segment as the cardholder data environment as in scope, so all of them must be tested
• Don’t lose value in what you purchased!
  – Limiting the scope limits what the test can show you
  – Determine trophies

OTHER SCOPE CONSIDERATIONS

• Define operational constraints
  – Assessment timeframe: outside of business hours or during business hours
• Need to know
  – Test of Incident Response: notify only those with a business need
  – The Penetration Testing firm needs to provide the IP addresses and contact information of the consultant performing the engagement!
• Ask for a Project Charter
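The tester's source IP addresses and the agreed assessment window are worth more than a line in the charter: with them you can measure, from your own logs, how much of the test your monitoring actually caught, whether the tester strayed outside the window, and which alerts during the window were not the tester at all. The script below is an added illustration of that triage and is not part of the SecureState webinar or its worksheet. The IP ranges (RFC 5737 documentation space), the log line format and the alert names are assumptions constructed for the example; substitute your own firewall and IDS exports.

```python
"""Triage a pentest window against your own logs (added example, not SecureState's code).

Known before the test starts, from the project charter:
  * the consultant's source IP ranges
  * the agreed assessment window
Collected during the test: firewall and IDS logs.
All addresses and log lines here are constructed for the example, and the
log formats ('time src dst service action' and 'time src dst signature') are assumed.
"""
import ipaddress
from datetime import datetime

# Tester egress ranges as declared in the project charter (documentation address space).
TESTER_SOURCES = ["203.0.113.0/29"]

# Agreed window: outside business hours, 18:00 until 06:00 the next morning.
TEST_WINDOW = (datetime(2014, 2, 12, 18, 0), datetime(2014, 2, 13, 6, 0))

# Constructed firewall log: time src dst service action
FIREWALL_LOG = """\
2014-02-12T18:05:10 203.0.113.2 198.51.100.10 tcp/22 ALLOW
2014-02-12T18:07:42 203.0.113.2 198.51.100.10 tcp/443 ALLOW
2014-02-12T18:30:00 203.0.113.3 198.51.100.20 tcp/3389 DENY
2014-02-12T19:12:05 203.0.113.2 198.51.100.30 tcp/445 ALLOW
2014-02-12T21:40:18 192.0.2.77 198.51.100.10 tcp/443 ALLOW
2014-02-13T09:15:00 203.0.113.2 198.51.100.10 tcp/22 ALLOW
"""

# Constructed IDS alert log: time src dst signature (signature may contain spaces)
IDS_ALERTS = """\
2014-02-12T18:06:00 203.0.113.2 198.51.100.10 SSH brute-force attempt
2014-02-12T21:41:00 192.0.2.77 198.51.100.10 SQL injection attempt
"""


def parse_firewall(text):
    """Parse 'time src dst service action' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, service, action = line.split(maxsplit=4)
        events.append({"time": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
                       "dst": dst, "service": service, "action": action})
    return events


def parse_alerts(text):
    """Parse 'time src dst signature' lines; everything after dst is the signature."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, signature = line.split(maxsplit=3)
        alerts.append({"time": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
                       "dst": dst, "signature": signature})
    return alerts


def is_tester(ip, sources):
    """True if the address falls inside one of the tester's declared ranges."""
    return any(ip in ipaddress.ip_network(net) for net in sources)


def in_window(ts, window):
    start, end = window
    return start <= ts <= end


def triage(events, alerts, sources, window):
    """Split activity into tester traffic inside the window, tester traffic outside it,
    hosts the tester touched that did or did not raise an alert, and alerts that were
    not the tester (those must be handled as a real incident, not waved off as the test)."""
    tester_events = [e for e in events if is_tester(e["src"], sources)]
    in_scope = [e for e in tester_events if in_window(e["time"], window)]
    out_of_window = [e for e in tester_events if not in_window(e["time"], window)]

    targets = {e["dst"] for e in in_scope}
    detected = {a["dst"] for a in alerts
                if is_tester(a["src"], sources) and in_window(a["time"], window)}
    unexplained = [a for a in alerts
                   if in_window(a["time"], window) and not is_tester(a["src"], sources)]

    return {
        "tester_targets": sorted(targets),
        "detected_targets": sorted(targets & detected),
        "missed_targets": sorted(targets - detected),
        "coverage": len(targets & detected) / len(targets) if targets else 0.0,
        "out_of_window": out_of_window,
        "unexplained_alerts": unexplained,
    }


if __name__ == "__main__":
    result = triage(parse_firewall(FIREWALL_LOG), parse_alerts(IDS_ALERTS),
                    TESTER_SOURCES, TEST_WINDOW)
    print(f"Monitoring alerted on {len(result['detected_targets'])} of "
          f"{len(result['tester_targets'])} hosts the tester touched ({result['coverage']:.0%})")
    for dst in result["missed_targets"]:
        print(f"  no alert for tester activity against {dst}")
    for e in result["out_of_window"]:
        print(f"  tester traffic outside the agreed window: {e['time']} -> {e['dst']} {e['service']}")
    for a in result["unexplained_alerts"]:
        print(f"  alert NOT from the tester, investigate: {a['time']} {a['src']} -> {a['dst']} {a['signature']}")
```

The "missed" list is the real output of the incident-response test: hosts the tester demonstrably touched with nothing in the IDS to show for it. The "unexplained" list is the reason the charter matters; without the tester's addresses, the SQL injection attempt from the unrelated source would be dismissed as part of the engagement.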

WHAT DO YOU DO NOW?


WHAT TO LOOK FOR WHEN OBTAINING A THIRD PARTY FIRM

• Methodology
• Tools
• Goals
• Results
• Experience
• Certifications

METHODOLOGY

• A penetration test methodology needs to follow these phases:
  – Reconnaissance
  – Enumeration
  – Exploitation
  – Post-Exploitation
  – Pilfering
  – Clean-up and Reporting

METHODOLOGY

• Reconnaissance
  – Initial information gathering
  – Non-invasive
  – Goal is to learn everything you can about the target
• Enumeration
  – Potential vulnerabilities are initially identified
  – Can involve the use of vulnerability scanners
  – Also involves manual interaction

METHODOLOGY

• Exploitation
  – Attempt to exploit vulnerabilities
  – Tools like Metasploit or Core Impact could be used
  – Typically involves manual work, including developing custom exploit code
• Post-Exploitation
  – Attempt to leverage exploited vulnerabilities
  – Elevating privileges on compromised systems
  – Potential for leveraging trust relationships between systems

METHODOLOGY

• Pilfering
  – Attempt to obtain “trophies” and other sensitive data defined in the scope
  – Penetration testers use password hashes, encryption keys and user lists (to name a few) to gain access to data
• Clean-up and Reporting
  – The penetration tester should always clean up after themselves: remove files left by the tester and traces of access
  – Reporting is the most important phase!

WARNING SIGNS

• They only plan to use a vulnerability scanner such as Nessus
• They only plan to use a commercial exploitation tool such as Core Impact or Canvas
• The report is raw output from any of these tools

COMMON MISTAKES IN PENETRATION TESTS

• Limiting the scope of the test
• Making changes while the test is being performed
• Using under-skilled penetration testers
• Calling a Vulnerability Scan a Penetration Test

VULNERABILITY SCANNERS

• A common misconception is that a pentest is nothing more than running the Nessus scanner
• A vulnerability scanner casts a very wide net and makes a lot of noise
• Penetration tests are focused, and often quiet
• Many penetration testers don’t use a vulnerability scanner at all during their testing

WHY A VULNERABILITY SCANNER IS NOT ENOUGH

• Does not identify dangerous trust relationships between components
• Vulnerability scans contain false positives
  – Not an accurate picture of security
  – If PCI is a concern, both penetration testing and vulnerability scans are needed for a Report on Compliance
• Attackers will take advantage of chained vulnerabilities to obtain access
  – Vulnerability linkage

CHAINED VULNERABILITIES

• It’s not uncommon for several lower-severity vulnerabilities to be chained together to allow an attacker to compromise something of high value
• Demonstrating where this can be done is one of the most valuable things a pentest can provide you
• The Penetration Testing firm needs to provide a detailed explanation of any of these situations
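The two slides above (a scanner does not see trust relationships, and attackers link low-severity findings) are easiest to appreciate on a concrete findings set. The script below is an added illustration, not SecureState's code or worksheet material: it models each finding as "an attacker at position A gains position B by abusing this issue", searches for chains from the Internet to a trophy, and compares the chain with the single finding a scanner would rank highest. The hosts, findings, severities and the trophy name are constructed for the example.

```python
"""Vulnerability linkage: how individually low-severity findings chain into a path
to a trophy (added example, not SecureState's code).

A scanner rates each finding on its own; it cannot see that one finding makes
the next host reachable. The hosts, findings and trust relationships below are
constructed for the example.
"""
from collections import defaultdict

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# (attacker position, position gained, finding, severity when rated in isolation)
FINDINGS = [
    ("internet", "web-dmz",
     "Directory listing on /backup/ exposes an old configuration archive", "Low"),
    ("web-dmz", "app-server",
     "Service account password in that archive is still valid for SSH on app-server", "Low"),
    ("app-server", "cardholder-db",
     "cardholder-db allow-lists app-server on its admin port with no password (trust relationship)", "Low"),
    ("internet", "kiosk",
     "Unpatched SMB service allows remote code execution", "High"),
]


def build_graph(findings):
    """Adjacency list: position -> [(position gained, finding, severity)]."""
    graph = defaultdict(list)
    for src, dst, desc, sev in findings:
        graph[src].append((dst, desc, sev))
    return graph


def attack_paths(findings, start, trophy):
    """Every simple chain of findings an attacker at `start` can follow to `trophy`."""
    graph = build_graph(findings)
    paths = []

    def walk(node, visited, chain):
        if node == trophy:
            paths.append(list(chain))
            return
        for dst, desc, sev in graph.get(node, []):
            if dst in visited:          # no revisiting; keeps the search finite
                continue
            chain.append((node, dst, desc, sev))
            walk(dst, visited | {dst}, chain)
            chain.pop()

    walk(start, {start}, [])
    return paths


def chain_max_severity(path):
    """Worst single rating in the chain: all a scanner-style report would show."""
    return max((step[3] for step in path), key=SEVERITY_RANK.__getitem__)


def worst_single_finding(findings):
    """The finding a scanner would put at the top of its list."""
    return max(findings, key=lambda f: SEVERITY_RANK[f[3]])


def report_lines(findings, start, trophy):
    """The 'how we reached the trophy' section a good report must contain."""
    lines = []
    for path in attack_paths(findings, start, trophy):
        lines.append(f"Path to {trophy} ({len(path)} steps, worst single rating: "
                     f"{chain_max_severity(path)})")
        for i, (src, dst, desc, sev) in enumerate(path, 1):
            lines.append(f"  {i}. [{sev}] {src} -> {dst}: {desc}")
    if not lines:
        lines.append(f"No path from {start} to {trophy} with the findings in scope")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(FINDINGS, "internet", "cardholder-db")))
    worst = worst_single_finding(FINDINGS)
    on_path = any(worst in p for p in attack_paths(FINDINGS, "internet", "cardholder-db"))
    print(f"\nHighest-rated single finding ({worst[3]} on {worst[1]}) lies on a trophy path: {on_path}")
```

In this constructed set the scanner's headline item, the High on the kiosk, leads nowhere, while three Lows that a scanner would bury in an appendix reach the cardholder database. That chain, with the evidence for each step, is what the report should be asked to show.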

WHAT IS A “GOOD” PENETRATION TEST?

• Covers all relevant attack vectors, not just those defined by IP ranges
• Should be goal based
  – Clearly shows vulnerable assets that can be compromised
  – Tests the system as a whole, including existing defense mechanisms
  – Driven by your goals and objectives
  – Definitive end to the project

RESULTS

• Output typically includes some kind of report
  – Should not only be raw data or a tool report
  – Discusses high-level and detailed findings
  – Needs an Executive Summary!
• Ask for information on all of the vulnerabilities that were found
• If the penetration tester got to a trophy, you want to know exactly how they got there
  – Usually a chain of several vulnerabilities
• The penetration tester should provide screenshots, tool logs and other data upon request

RESULTS: NEXT STEPS

• After the Penetration Test has been completed, the organization will have a better understanding of the areas that need to be hardened within the infrastructure
• Mitigate the high-risk vulnerabilities to lower your chances of a breach
• Follow security principles (defense in depth) to improve security after remediation

EXPERIENCE

• Assessing the skills and experience of a penetration testing firm can be difficult; a few items to look for:
  – How long have they been doing penetration testing?
  – Have they written any pentesting tools?
  – Have they presented on pentesting at large security events (SANS, DEFCON, ShmooCon, Black Hat, DerbyCon)?
  – Do they have any pentest certifications (OSCP, GPEN, GWAPT)?
  – Some certifications like CEH are less credible!

CERTIFICATIONS

• OSCP (Offensive Security Certified Professional)
  – Most technical, most challenging penetration testing certification
• SANS GPEN (GIAC Certified Penetration Tester)
  – Covers methodology and reporting in addition to hands-on technical skills

CERTIFICATIONS

• SANS GWAPT (GIAC Web Application Penetration Tester)
  – Similar to GPEN, but focuses on web apps
• Social-Engineer, Inc. – Social Engineering Pentest Professional (SEPP)
  – Up-and-coming certification for Social Engineering, highly respected in the security community

CERTIFICATIONS

• CISSP, CISA, CCIE Security, Security+, or the many other SANS certs are helpful
• However, these other certifications are not meant to certify the individual as a penetration tester

You don’t hire an OSCP to do a PCI audit, and you don’t hire a QSA to do a pentest.

PCI CONSIDERATIONS

• PCI DSS 3.0 is modifying the requirements for Penetration Testing:
  – Verification of methodology based on industry-accepted best practices
  – Validates segmentation and scope-reduction controls
  – Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  – Specifies retention of penetration testing results and remediation activity results
  – Vulnerabilities are corrected and testing repeated

WORKSHEET

• We have provided a worksheet which covers some of the criteria discussed
• Feel free to use it when you find yourself dealing with penetration testers and firms that offer penetration testing
• A copy can be found online at http://engage.securestate.com/pentest-assessment-worksheet

QUESTIONS?


CONTACT INFO

Thank you for your time!

Tom Eston - teston@securestate.com, Twitter: agent0x0

Jason Broz - jbroz@securestate.com, Twitter: jbroz67