
Pen Testing Explained

Enterprise Security / System Integrity

Penetration Testing Explained

Rand Hirt, CISSP, CISA, GPEN
Sr. Security Analyst - Enterprise Security


Agenda for Today

• What is Penetration Testing?
  – Definition
  – Purpose
  – Connection to Vulnerabilities/Exploits
  – Types of Pen Tests
  – Outcomes
• Why Pen Test?
  – Regulatory Requirements
  – Risk Profile determination
• How to Pen Test?
  – Pen Test Methodology
  – Reporting
  – Penetration Testing Framework and PTES
  – Tools - Open Source
  – Tools - Commercial
• Challenges
• Takeaways


What is Penetration Testing?

Definition

• Definition = the exact meaning of a word. Despite that, security testing vendors define their services differently using the same words, often incorrectly.

• Penetration Test = An approach, modeling tactics of real-world bad guys, to find vulnerabilities, then, under controlled circumstances, exploit those vulnerabilities and determine business risk.

• Vulnerability Scan (or Security Assessment) = finding security vulnerabilities, which may or may not be used to get in or steal data.

Vulnerability (or Security) Assessment ≠ Penetration Test

Penetration test = focus is on actually getting in and/or stealing data.


What is Penetration Testing? – continued

Purpose

• The ultimate goal is discovering flaws so that they can be remediated (applying patches, reconfiguring systems, altering the architecture, changing processes, etc.).

Connection of Vulnerabilities/Exploits to Risk

• Threat = an actor or agent that may want to or actually can cause harm to the targeted organization.

• Vulnerability = flaw that an attacker could use to cause damage.

• Exploit = the vehicle by which the attacker uses a vulnerability to cause damage to the target system.


What is Penetration Testing? – continued

Connection to Vulnerabilities/Exploits

How this plays together:

Risk is where threat and vulnerability overlap. That is, we have a risk when our systems have a vulnerability that a given threat can attack.


What is Penetration Testing? – continued

Types of Penetration Tests

• Network services test – Most common; finding target systems on a network and testing the services they expose.

• Client-Side test – Designed to find and exploit flaws in client-side software, such as browsers, media players, document editing programs, etc.

• Web Application test – Targets web-based applications in the target environment.

• Remote war dial test – Looks for modems in the target environment and includes password guessing to attempt connecting.

• Wireless security test – Targets the physical environment to find unauthorized wireless access points or insecure access points.

• Social engineering test – Attempts to dupe a user into revealing sensitive information or clicking on a malicious link in an email.


What is Penetration Testing? – continued

Outcomes

To be successful, we need to express our pen test findings in both business and technical terms.

For any given risk, decision makers may conclude that, for business purposes, they will accept a given risk identified during a test rather than mitigate the associated vulnerability. In the end, it’s a business decision.


Why Pen Test?

Regulatory Requirements

The Payment Card Industry (PCI) Data Security Standard (DSS) mandates that at least an annual pen test be performed on the Cardholder Data Environment (CDE), and/or whenever significant infrastructure or application upgrades occur (PCI DSS 11.3).


Why Pen Test? - continued

Risk Profile determination

The overall objective is to reduce risk by examining the company’s actual attack surface.

Attack surface = the sum of all potential attack vectors.

Attack vector = any single parameter (that is also vulnerable) that can be attacked.

EXAMPLE: Networked services like File Transfer Protocol (FTP), Internet Message Access Protocol (IMAP) and Simple Mail Transfer Protocol (SMTP) contain unique parameters, each of which could be exploited if not adequately protected.


How to Pen Test?

Pen Test Methodology

1. Scoping/Planning/Goal
   – Constraints and limitations imposed on the team, e.g. out-of-scope items, hardware, IP addresses.
   – Constraints, limitations or problems encountered by the team during the actual test.

2. Reconnaissance
   – The tester attempts to gather as much information as possible about the selected network. Reconnaissance can take two forms: active and passive. Passive reconnaissance is always the best starting point, as it would normally not trigger intrusion detection systems or the other forms of protection afforded to the network. This usually involves trying to discover publicly available information by using a web browser and visiting newsgroups etc. Active reconnaissance is more intrusive and may show up in audit logs; it may take the form of an attempted DNS zone transfer or a social engineering type of attack.
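The slide notes that active reconnaissance, such as an attempted DNS zone transfer, "may show up in audit logs". The following is an added example (not from the slides or any tool they mention) of the defender's side of that observation: a small Python detector that reads name-server query-log lines and flags AXFR/IXFR requests from sources that are not authorized secondaries. The log lines, the IP addresses and the `AUTHORIZED_TRANSFER_PEERS` allow-list are all constructed for the demonstration; the line format only imitates the general shape of a BIND-style query log, so the regular expression is an assumption to adapt to your resolver's actual format.

```python
"""Flag DNS zone-transfer (AXFR/IXFR) attempts from unexpected sources.

Added example: the sample log lines below are constructed and only resemble
a BIND-style query log; QUERY_RE is an assumption about that layout.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines (not captured from any real system).
SAMPLE_LOG = """\
client 192.0.2.15#41022 (example.com): query: example.com IN A + (198.51.100.2)
client 203.0.113.9#53501 (example.com): query: example.com IN AXFR -T (198.51.100.2)
client 192.0.2.77#40011 (mail.example.com): query: mail.example.com IN MX + (198.51.100.2)
client 203.0.113.9#53502 (example.com): query: example.com IN AXFR -T (198.51.100.2)
client 192.0.2.3#60123 (example.com): query: example.com IN AXFR -T (198.51.100.2)
client 203.0.113.44#33333 (example.com): query: example.com IN IXFR -T (198.51.100.2)
"""

# Hypothetical networks whose secondary name servers may legitimately pull the zone.
AUTHORIZED_TRANSFER_PEERS = [ip_network("192.0.2.0/24")]

# Assumed line layout: "client <ip>#<port> (<qname>): query: <qname> IN <qtype> ..."
QUERY_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+ \(.*?\): query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)"
)

TRANSFER_TYPES = ("AXFR", "IXFR")


def parse_queries(log_text):
    """Yield (source_ip, query_name, query_type) for every line the regex recognises."""
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            yield match.group("src"), match.group("name"), match.group("qtype")


def find_unauthorized_transfers(log_text, allowed=AUTHORIZED_TRANSFER_PEERS):
    """Return {source_ip: count} of zone-transfer requests from non-allow-listed sources."""
    hits = defaultdict(int)
    for src, _name, qtype in parse_queries(log_text):
        if qtype not in TRANSFER_TYPES:
            continue  # ordinary lookups are not interesting here
        addr = ip_address(src)
        if any(addr in net for net in allowed):
            continue  # a known secondary pulling the zone is expected
        hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, count in sorted(find_unauthorized_transfers(SAMPLE_LOG).items()):
        print(f"zone transfer attempt(s) from {src}: {count}")
```

In this sample the transfer from 192.0.2.3 is ignored because it falls inside the allow-listed network, while 203.0.113.9 (two AXFR requests) and 203.0.113.44 (one IXFR request) are reported. In practice the same check is worth feeding into an alert, since a zone transfer request from an unknown host is exactly the "active" footprint the slide describes.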


How to Pen Test?- continued

Pen Test Methodology

3. Scanning
   – Using vulnerability scanners, all discovered hosts are tested for vulnerabilities. The results are then analyzed to determine if there are any vulnerabilities that could be exploited to gain access to a target host on the network.

4. Exploitation
   – Using published exploits or weaknesses found in applications, operating systems and services, access is then attempted. This may be done surreptitiously or by more brute-force methods. Examples would be the use of exploit engines such as Metasploit or password cracking tools such as John the Ripper.


How to Pen Test? - continued

Pen Test Methodology

5. (optional) Covering Tracks
   – The ability to erase logs that may have recorded the testing team’s attempts to access the network should ideally not be possible. These logs are the first piece of evidence that may prove that a possible breach of company security has occurred, and they should be protected at all costs. An attempt to erase or alter these logs should prove unsuccessful, ensuring that if a malicious attacker did in fact get access to the network, their every movement would be recorded.
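Step 5 makes a defensive point: an attempt to erase or alter the logs "should prove unsuccessful". One way to make such an attempt at least detectable is a hash-chained audit log, shown here as an added Python example that is not part of the slides. Each record stores the SHA-256 digest of the previous record, so deleting, editing or reordering any line breaks the chain and `verify_chain` reports the first bad position. Because an attacker who controls the whole file could simply rebuild the chain, the example also shows anchoring the latest digest somewhere the attacker cannot reach (a separate log host, a write-once store) and checking the file against that anchor, which catches silent truncation as well. The event strings are constructed sample data and `matches_anchor` is a hypothetical helper name.

```python
"""Tamper-evident audit log using a SHA-256 hash chain.

Added example (not from the slides): each record commits to the previous
record's hash, so any modification, deletion or reordering is detectable.
Sample events are constructed; there is no real system behind them.
"""
import hashlib
import json

GENESIS = "0" * 64  # hash value assumed for "no previous record"


def _digest(prev_hash, seq, event):
    """Canonical hash of one record: the previous hash, the sequence number and the event."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "event": event}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_record(log, event):
    """Append an event to the in-memory log and return the new record."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    record = {"seq": seq, "event": event, "prev": prev, "hash": _digest(prev, seq, event)}
    log.append(record)
    return record


def verify_chain(log):
    """Return (True, None) if the chain is intact, else (False, index_of_first_bad_record)."""
    prev = GENESIS
    for expected_seq, record in enumerate(log):
        if record["seq"] != expected_seq or record["prev"] != prev:
            return False, expected_seq  # gap, reorder or deletion
        if record["hash"] != _digest(record["prev"], record["seq"], record["event"]):
            return False, expected_seq  # record contents were altered
        prev = record["hash"]
    return True, None


def matches_anchor(log, anchor_hash):
    """Check that the chain is intact AND still ends at a hash recorded off-box.

    The anchor defeats an attacker who rewrites the whole file consistently:
    the rebuilt chain will not end at the externally stored value.
    """
    ok, _ = verify_chain(log)
    return ok and bool(log) and log[-1]["hash"] == anchor_hash


def demo():
    """Build a small log, then show what detection looks like for three tampering cases."""
    log = []
    for event in ["login alice", "sudo alice /bin/bash", "logout alice"]:
        append_record(log, event)
    anchor = log[-1]["hash"]  # imagine this copied to a separate log host

    edited = [dict(r) for r in log]
    edited[1]["event"] = "noop"  # alter one record in place

    deleted = log[:1] + log[2:]  # remove a record from the middle

    truncated = log[:2]  # drop the newest record; chain still looks valid on its own

    return {
        "intact": verify_chain(log),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_chain": verify_chain(truncated),
        "truncated_anchor": matches_anchor(truncated, anchor),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The truncation case is the instructive one: the shortened file still verifies as a chain, and only the off-box anchor reveals that the tail is missing. That is the practical reason the slide's advice to protect logs "at all costs" usually means shipping them off the tested host rather than relying on local permissions alone.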


How to Pen Test? - continued

Reporting

Reporting is crucial for sharing the findings of the penetration test. It should not just be a “cut & paste” process from the tool. It must include some business impact analysis as well as quantify the business risk of the findings.

Reports are not for impressing other pen testers. They are for operations personnel to understand the risks and to help them mitigate the vulnerabilities.


How to Pen Test? - continued

Penetration Testing Framework and PTES

• Open-source testing methodologies exist:
  – Open Source Security Testing Methodology Manual (OSSTMM)
  – Open Web Application Security Project (OWASP)
  – Penetration Testing Framework (www.vulnerabilityassessment.co.uk/Penetration%20Test.html)
  – Penetration Testing Execution Standard (http://pentest-standard.org/index.php/Main_Page)


How to Pen Test? - continued

Tools - Open Source

• Nessus (now a commercial version by Tenable Security)

• Metasploit (now owned by Rapid7)

• Backtrack CD (discontinued Linux distro with open-source security tools; now Kali Linux)


How to Pen Test? - continued

Tools - Commercial

• Immunity CANVAS Pro

• WebInspect - HP SPI Dynamics

• CORE IMPACT & CORE Insight Enterprise


Challenges

Bad (RCPT) vs. Good Pen Testing

Really Crappy Pen Test (RCPT) - not thoroughly testing all attributes of the attack surface, or even worse, using vulnerability scan results and calling it a penetration test.

A good pen test is comprehensive, looks at threat levels at least equal to those likely to be faced in the wild, and performs testing at that level.


Challenges - continued

Skill level

Real pen testers are highly skilled professionals, usually certified to show competency, who use a formalized methodology and respect the business requirements of the company.

They view pen testing as a logical, analytical process. It is not just the output product of an automated scanner (like the ones discussed earlier).


Challenges - continued

Potential adverse impacts

The goal of a penetration test is not to just cause all sorts of damage and expect that someone else gets to clean up the mess.

The goal is to attempt to achieve the objective as safely and with as little impact as possible. However, if you do pen testing long enough, at some point you will “knock something over” (a system may go unresponsive), so proper Change Management is crucial in order to account for unexpected results.


Challenges - continued

Time/Money constraints

Penetration tests are inherently constrained by time and/or financial resources. For a specific engagement, scoping of the pen test is crucial to success.

Also to be taken into consideration is the intensity of the testing, which should mimic the attacker level of most concern (script kiddie, skilled hacker, or elite hacker).


Challenges - continued

Failure to address Business impact

A good pen test not only validates identified vulnerabilities, but also discusses the business impact if the vulnerabilities are exploited.

In addition, there should also be recommendations on how to effectively remediate those verified vulnerabilities.


Takeaways

There are many reasons to conduct a penetration test:

• Compliance: Security standards like PCI require at least annual penetration testing.

• Measuring Risk: This can inform management where weaknesses are present and the level of risk they present.

• Diligence: Testing to determine if software developed internally using a Software Development Life Cycle (SDLC) has met secure development practices and hasn’t presented opportunities to be attacked and exploited.


Questions?