CORE SECURITY TECHNOLOGIES
© 2002  http://www.corest.com
Professionalizing Penetration Testing
Professionalizing Penetration Tests
What will we discuss today?
Agenda
• The Penetration Test
  – What is it?
  – How is it done?
• Problems in the current practice
  – Why do we need an improved approach?
• Practical demonstration
What is a Penetration Test?
• Rationale:
  “Improving the security of your site by breaking into it”
  Dan Farmer & Wietse Venema, 1993
  http://www.fish.com/security/admin-guide-to-cracking.html
• A plausible definition:
  A localized and time-constrained attempt to breach the information security architecture using an attacker’s techniques
What are the goals of a Penetration Test?
Goals
• To improve Information Security awareness
• To assess risk
• To mitigate risk immediately
• To reinforce the Information Security process
• To assist in decision making processes
• To test the accuracy of the security policy in place
What are the final results?
Final Results
• Clear description of scope and methodology
• Reproducible and accountable process
• High-level analysis and explanation (for upper/non-technical management)
• General recommendations and conclusions
• Detailed findings
Why do we care?
Growing Importance
• Penetration tests have become an integral part of the standard security process
• Governments are beginning to mandate periodic tests for certain agencies
• Demand is rapidly increasing, and the process needs to be able to keep up
How are Penetration Tests done today?
Penetration Test Stages
• Information Gathering
• Information Analysis and Planning
• Vulnerability Detection
• Penetration
• Attack/Privilege Escalation
• Analysis and Reporting
• Clean-up
(Figure: flow diagram of the seven stages in the order listed above, from Information Gathering through to Clean Up)
What works well today, and what does not?
Penetration Test Stages
(Figure: the seven-stage flow diagram from the previous slide, repeated here)
What are the problems today?
Problems with ‘Information Analysis and Planning’ Stage
• Difficult and time-consuming task of consolidating all information gathered and extracting high-level conclusions to help define the attack strategy
• Hard to keep an up-to-date general overview of the components and their interaction
• No specific tools aimed at addressing this phase
• Experienced and knowledgeable resources are required for this stage; the overall time constraint could limit the extent of their work
What are the problems today? (cont.)
Problems with ‘Penetration’ Stage
• Some tools available, but they generally require customization and testing
• Publicly available exploits are generally unreliable and require customization and testing
• In-house developed exploits are generally aimed at specific tasks or engagements (mostly due to time constraints)
• Knowledge and specialization required for exploit and tool development
• Considerable lab infrastructure required for successful research, development and testing (platforms, OS flavors, OS versions, applications, networking equipment, etc.)
What are the problems today? (cont.)
Problems with ‘Attack/Privilege Escalation’ Stage
• Some tools and exploits available, but they usually require customization and testing (local host exploits, backdoors, sniffers, etc.)
• Monotonous and time-consuming task: setting up the newly “acquired” vantage point (installing software and tools, compiling for the new platforms, taking into account configuration-specific details, etc.)
• Considerable lab infrastructure required for research, development, customization and testing
• Lack of a security architecture for the Penetration Test itself
What are the problems today? (cont.)
Problems with ‘Analysis and Reporting’ Stage
• Manually gathering and consolidating all the log information from all phases is time-consuming, boring and prone to error
• Logging of actions is left up to the team members, which does not ensure compliance
• Organizing the information in a format suitable for analysis and extraction of high-level conclusions and recommendations is not trivial
• Writing the final report is often considered the boring leftover of the Penetration Test; security expertise and experience are required to ensure quality, but such resources could be better assigned to more promising endeavors
• No specialized tools dedicated to covering these issues
What are the problems today? (cont.)
Problems with ‘Clean Up’ Stage
• Requires a detailed and exact list of all actions performed, but logging of actions is still manual
• Clean up of compromised hosts must be done securely and without affecting normal operations (if possible)
• The clean up process should be verifiable and non-repudiable; the current practice does not address this problem
• Clean up is often left as a backup-restore job for the Penetration Test customer, affecting normal operations and IT resources
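The two problems raised on the ‘Analysis and Reporting’ and ‘Clean Up’ slides (manual, unenforced logging of actions, and a clean-up that cannot be verified from that log) can be addressed with one engagement-wide, tamper-evident action log. The example below is added here and is not CORE IMPACT code or anything from the slides: each entry is protected by an HMAC that also covers the previous entry's MAC, so editing, deleting or reordering an entry breaks verification of everything after it, and the clean-up checklist is derived from the log rather than remembered by the tester. The stage names are the seven stages listed in the deck; the key, host names and artifact paths are constructed for the example.

```python
"""Tamper-evident engagement action log with a derived clean-up checklist.

Added example, not CORE IMPACT code. Every entry carries an HMAC over its own
content plus the previous entry's MAC (a hash chain), so any after-the-fact edit
is detected by verify(). Hosts, paths and the key are constructed for the example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Stage names as used in the deck's stage list
STAGES = (
    "Information Gathering",
    "Information Analysis and Planning",
    "Vulnerability Detection",
    "Penetration",
    "Attack/Privilege Escalation",
    "Analysis and Reporting",
    "Clean-up",
)
BODY_FIELDS = ("seq", "stage", "host", "action", "artifact", "effect")
GENESIS = "0" * 64  # stands in for the "previous MAC" of the first entry


@dataclass
class ActionLog:
    key: bytes                                   # per-engagement secret held by the team lead
    entries: List[dict] = field(default_factory=list)

    def _mac(self, prev: str, body: dict) -> str:
        # Canonical JSON so an identical body always produces an identical MAC
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hmac.new(self.key, (prev + canonical).encode(), hashlib.sha256).hexdigest()

    def record(self, stage: str, host: str, action: str,
               artifact: Optional[str] = None, effect: str = "none") -> int:
        """Append one action. effect is 'install' when the action leaves an
        artifact on the host, 'remove' when it takes one away, else 'none'."""
        if stage not in STAGES:
            raise ValueError(f"unknown stage: {stage}")
        if effect not in ("none", "install", "remove"):
            raise ValueError(f"unknown effect: {effect}")
        if effect != "none" and artifact is None:
            raise ValueError("install/remove entries must name an artifact")
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "stage": stage, "host": host,
                "action": action, "artifact": artifact, "effect": effect}
        self.entries.append({**body, "prev": prev, "mac": self._mac(prev, body)})
        return body["seq"]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the whole chain; return (True, None) or (False, first bad index)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: entry[k] for k in BODY_FIELDS}
            if (entry["seq"] != i or entry["prev"] != prev
                    or not hmac.compare_digest(entry["mac"], self._mac(prev, body))):
                return False, i
            prev = entry["mac"]
        return True, None

    def cleanup_checklist(self) -> List[Tuple[str, str]]:
        """(host, artifact) pairs installed during the test and not yet removed."""
        outstanding: List[Tuple[str, str]] = []
        for entry in self.entries:
            item = (entry["host"], entry["artifact"])
            if entry["effect"] == "install" and item not in outstanding:
                outstanding.append(item)
            elif entry["effect"] == "remove" and item in outstanding:
                outstanding.remove(item)
        return outstanding


def build_sample_log() -> ActionLog:
    """Constructed sample engagement (hosts, paths and key are made up)."""
    log = ActionLog(key=b"constructed-engagement-key")
    log.record("Information Gathering", "dmz-web-01", "service enumeration from console")
    log.record("Penetration", "dmz-web-01", "agent deployed", "/tmp/.agent", "install")
    log.record("Attack/Privilege Escalation", "dmz-web-01", "sniffer deployed", "/tmp/.snf", "install")
    log.record("Attack/Privilege Escalation", "backoffice-db-02", "agent deployed via pivot",
               "/var/tmp/agent", "install")
    log.record("Clean-up", "dmz-web-01", "sniffer removed", "/tmp/.snf", "remove")
    return log


def tampered_verification() -> Tuple[bool, Optional[int]]:
    """Simulate an after-the-fact edit of one entry and show that verify() catches it."""
    log = build_sample_log()
    log.entries[2]["action"] = "nothing deployed"   # edited without the key
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify())
    print("still to clean up:", log.cleanup_checklist())
    print("after tampering:", tampered_verification())
```

On the sample log, `verify()` returns `(True, None)`, the checklist still lists the two agents that no clean-up entry has removed, and `tampered_verification()` returns `(False, 2)` because the edited entry no longer matches its MAC. One design limit worth knowing: an HMAC with a shared team key gives tamper evidence, not attribution, so a log that must be non-repudiable per tester would have each tester sign their entries with their own private key instead.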
So what does all that mean?
• Inefficient due to reliance on disparate software packages and manual performance of tedious tasks
• Informal and non-standardized
• Difficult for companies to define and enforce their own methodology
• Inconsistent in execution
• Error-prone and sometimes NOT secure due to manual logging and clean-up
• Difficult to centralize and share experience/knowledge across the firm
• Expensive due to a steep learning curve and labor-intensiveness
• Not very scalable
New tools are needed to improve the process
One possible solution to these problems: CORE IMPACT
CORE IMPACT
• Provides a framework for Penetration Testing
• Increases productivity
• Builds knowledge and security expertise
• Provides an open and extensible architecture
• Brings the practice to a new quality standard
How does CORE IMPACT work?
• The Model:
  – Simplifies and abstracts all the components of the system and their relations
  – Provides a foundation on which to build
  – Provides a common language
• Agents - “The pivoting point” or “the vantage point”
  – The context in which Modules are run
  – Installable on any host
  – Secure
  – Remotely control other Agents
  – Easy clean up
• Modules - “Any executable task”
  – Information gathering, attacks, reporting, scripting of other Modules
  – Simple and easy to extend
  – Have access to every tool together, under the same framework
What are the benefits?
• Provides a framework that encompasses all the Penetration Testing phases
  – Enables customers to define and standardize their own methodology
  – Enforces the following of their methodology and ensures quality
• Drastically reduces the time required to perform a Penetration Test
  – Agent/Module architecture simplifies target penetration and privilege escalation
  – Automates monotonous and time-consuming tasks
  – Frees valuable resources to focus on the most important and difficult phases
• Improves the security of the Penetration Testing practice
  – Reduces errors, particularly in the clean-up stage
  – Strong authentication and encryption between console and Agents
• Enables knowledge acquisition and shared learning
  – Entity Database consolidates all work done for future reference and use
• Makes the Penetration Testing practice more professional and scalable
IMPACT DEMO
(Figure: demo network diagram showing the Pen Tester’s Console reaching, via the INTERNET, a DMZ and a Back Office Network)
CONTACT INFORMATION
Jeffrey Cassidy
Director of Business Development, USA
jeffrey.cassidy@corest.com
44 Wall Street
New York, NY 10005, USA
Tel: (212) 461-2345
Fax: (212) 461-2346
info.usa@corest.com