PENETRATION TESTING: HOW A REAL-LIFE ATTACK IDENTIFIES SECURITY WEAKNESSES IN YOUR ORGANISATION
PENETRATION TESTING: HOW A VULNERABILITY ASSESSMENT IDENTIFIES SECURITY WEAKNESSES IN YOUR ORGANISATION
Your speakers today:
Michel James
Web Security Consultant, Penetration Testing Specialist
Penetration Testing Webinar
The Agenda
Part 1: The basics of Penetration Testing
Part 2: Testing procedures
Part 3: Test reporting and remediation
Part 4: Do I need a Pen Test?
PART 1
The basics of a Pen Test
• What is a Penetration Test?
• Who are the testers?
• Why have a Penetration Test?
• How do I know if I’ve been hacked?
• Automated and manual testing
WHAT IS A PENETRATION TEST?
• Vulnerability assessment
Performed under real-life conditions, following the same procedures as a
hacker.
• Ethical hacking
Controlled via a Scope of Work, not aiming to damage the infrastructure.
The aims
Making IT systems more secure by identifying and tackling security risks at all
levels.
Thorough testing of an IT system by intelligent accredited testers.
WHO ARE THE TESTERS?
Ideally pen test companies should also be ISO 27001 or 9001 certified,
the most widely accepted information security and quality management
systems standards.
WHY HAVE A PENETRATION TEST?
HOW DO I KNOW IF I’VE BEEN HACKED?
You don’t…
AUTOMATED and MANUAL TESTING
Two different and complementary approaches
PART 2
Testing procedures
• What is tested?
• How is it tested?
• Types of testing
• Testing methodology
WHAT IS TESTED?
External
Exploitations remotely/outside of the company
Replicates a malicious external hacker
Internal
Inside malicious attacks – those within the company (staff, contractors…)
Web Apps
Testing platforms, administration security, escalating privileges
WHAT IS TESTED? (cont.)
We also test…
• Mobile Apps
• Code Reviews
• Build Reviews
• Social Engineering
• Voice over IP (VoIP)
• Network Fabric
• Wireless (not just Wi-Fi)
• 3G
• Radar
• Microwave
• Bluetooth
• Etc.
HOW IS IT TESTED?
HOW IS IT TESTED? (cont.)
• Testing methodology - black box, grey box or white box (more on this in a moment)
• Testing
TESTING METHODOLOGY
• Passive Reconnaissance
• Fingerprinting
• Vulnerability Discovery
• Exploitation/Verification
• Clean up
PART 3
Test Reporting
• Report content
• Delivery of report
REPORTING
1) Management Summary
• Key findings; risk ratings
• Remediation time overview
• Impact on the business
2) Technical Overview
• Technical evaluation
• Damages to system
PART 1: MANAGEMENT SUMMARY
Key findings
PART 2: TECHNICAL OVERVIEW
SQL Injection
• Impact: High
• Risk: High
• Likelihood: High
• Fix Effort: Medium
PART 3: DETAILED TECHNICAL REMEDIATION
DELIVERY OF REPORT
• Secure delivery
• A secure decrypt key is sent to the nominated Point of Contact’s
mobile phone
• A URL link is sent to the previously agreed Point of Contact to
download and decrypt
• Delivery time
• Usually within 2 or 3 days following the testing. The rule of
thumb is: the reporting takes half the time of the testing.
PART 4
Do I need a Pen Test?
DOES MY ORGANISATION REQUIRE A PEN TEST?
• What do I want to test? What is the scope of the test? What do you
agree to test?
Our recommendations:
• Outsource this service for a better quality and impartiality
• Make sure you have a dedicated expert during the Penetration Test
• After the Penetration test, plan a training session for your employees
Questions & Answers
Thank you for your attention!
For a free consultation,
• email now: info@SSL247.co.uk
• or call: 0333 920 6345 (London office)
Website: www.SSL247.co.uk/penetrationtesting
With SSL247®, you don’t have to wait to protect your Online Business Continuity