
Thursday 25th February 2016

PENETRATION TESTING: HOW A REAL-LIFE ATTACK (VULNERABILITY ASSESSMENT) IDENTIFIES SECURITY WEAKNESSES IN YOUR ORGANISATION

Your speakers today:

Michel James
Web Security Consultant, Penetration Testing Specialist

Penetration Testing Webinar
The Agenda

Part 1: The basics of Penetration Testing

Part 2: Testing procedures

Part 3: Test reporting and remediation

Part 4: Do I need a Pen Test?

PART 1
The basics of a Pen Test

• What is a Penetration Test?
• Who are the testers?
• Why have a Penetration Test?
• How do I know if I’ve been hacked?
• Automated and manual testing

WHAT IS A PENETRATION TEST?

• Vulnerability assessment
  Performed under real-life conditions, following the same procedures as a hacker.

• Ethical hacking
  Controlled via a Scope of Work, not aiming to damage the infrastructure.

The aims
• Making IT systems more secure by identifying and tackling security risks at all levels.
• Thorough testing of an IT system by intelligent, accredited testers.

WHO ARE THE TESTERS?

A variety of accreditations exist for penetration testers:

• CHECK
  • High standards set by CESG (The Communications-Electronics Security Group) in association with GCHQ
  • Necessary for assessing public sector bodies
• CREST
• CBEST

These involve a theory exam plus a practical exam.

Ideally pen test companies should also be ISO 27001 or 9001 certified,
the most widely accepted information security and quality management
systems standards.

WHY HAVE A PENETRATION TEST?

• Financial and reputational impact
• Due diligence / good practice
• Accreditation
• Compliance
• Responsibility to clients and staff
• Supplying to the government may require a PenTest
• Maintain trust

HOW DO I KNOW IF I’VE BEEN HACKED?

You don’t…

• A Penetration Test would identify this
• There may be some signs

The dangers of a hack:

• The cost and reputational damage can be substantial
• Lost data cannot always be recovered

AUTOMATED and MANUAL TESTING
Two different and complementary approaches

Automated tests
• Run continuously
• Algorithms work at great speed
• Cost-effective solution

Manual tests (Penetration tests)
• Proactively assesses vulnerabilities
• Human interaction
• Uses a variety of tools and techniques
• Tester expertise

Together, penetration testing and vulnerability scanning are powerful tools.

PART 2
Testing procedures

• What is tested?
• How is it tested?
• Types of testing
• Testing methodology

WHAT IS TESTED?

External
Exploitation attempted remotely, from outside the company
Replicates a malicious external hacker

Internal
Insider attacks – malicious actors within the company (staff, contractors…)

Web Apps
Testing platforms, administration security, escalating privileges

WHAT IS TESTED? (cont.)

We also test…
• Mobile Apps
• Code Reviews
• Build Reviews
• Social Engineering
• Voice over IP (VoIP)
• Network Fabric
• Wireless (not just Wi-Fi)
  • 3G
  • Radar
  • Microwave
  • Bluetooth
• Etc.

HOW IS IT TESTED?

• Initial scoping meeting/questionnaire

• A trained specialist and the client’s technical point of contact are established

• Everything is agreed beforehand

• Full proposal including:
  • Scope of work
  • Testing strategy
  • Methodology – based on CESG CHECK standards
  • Sample reporting methods
  • Suggested tools to be used

HOW IS IT TESTED? (cont.)

• Testing is non-invasive and planned via the agreed scope of work.

• No Denial of Service (DoS) attacks are attempted.

• Testing methodology – black box, grey box or white box (more on this in a moment)

• Open source public discovery exercise – see what information is available that might be used by a malicious hacker planning an attack

• Testing

• Overall rating of the test and of individual vulnerabilities

• Clean up – to ensure no disruption to service. All attack artefacts will be removed from the server to ensure no backdoors have been left
TYPES OF TESTING

Black box – no information provided pre-test
• Most realistic type of test
• Simulates a real-life ‘blind’ hacking scenario

White box – all information provided pre-test
• Knowledge of internals of target system
• Information such as network diagrams, log in credentials…
• Precise and thorough testing
• Simulates an inside job/leak of sensitive information

Grey box – some information provided pre-test
• Partial information such as IP addresses, low-level user credentials
• Attempts to escalate access levels

TESTING METHODOLOGY

• Passive Reconnaissance

• Fingerprinting

• Vulnerability Discovery

• Exploitation/Verification

• Clean up

PART 3
Test Reporting

• Report content
• Delivery of report

REPORTING

Reports are produced in 3 parts:

1) Management Summary
• Key findings; risk ratings
• Remediation time overview
• Impact on the business

2) Technical Overview
• Technical evaluation
• Damages to system

3) Detailed Technical Remediation

PART 1: MANAGEMENT SUMMARY

Key findings

The following list summarises the main issues of the assessment:

• Password policy was found to be inadequate
• Patches out-of-date
• Ports left open
• Login page vulnerable to cross-site scripting and SQL injection attack
• Might result in Man-in-the-middle attack
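The key finding “login page vulnerable to cross-site scripting and SQL injection” is what the detailed technical remediation section (Part 3 of the report) has to explain to developers. As an added illustration, not taken from the webinar or from SSL247’s own material, the block below puts the defective login code a tester would flag beside its remediated form: user input spliced into the SQL text versus parameter binding with a salted password hash, and raw input written into HTML versus entity encoding. The table layout, the sample account, the fixed salt and the function names are constructed for this example.

```python
"""Added example (not from the webinar): the 'login page vulnerable to SQL
injection and cross-site scripting' finding, shown as the defect beside its
fix, using an in-memory SQLite database with constructed sample data."""
import hashlib
import hmac
import html
import sqlite3


def derive_key(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; 100k iterations is a modest cost factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db() -> sqlite3.Connection:
    """Constructed sample database: a legacy table with plaintext passwords
    (the 'before') and a remediated table with salted hashes (the 'after')."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO legacy_users VALUES ('alice', 'correct horse')")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = b"constructed-fixed-salt"  # real code: os.urandom(16), unique per user
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, derive_key("correct horse", salt)))
    conn.commit()
    return conn


# --- BEFORE: the defect the key findings describe ---------------------------
def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The input is pasted into the SQL text, so a quote in the input changes
    # the meaning of the WHERE clause instead of being treated as data.
    query = (f"SELECT username FROM legacy_users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


# --- AFTER: the remediation the technical section would prescribe -----------
def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameter binding sends values separately from the SQL text, so they
    # can never be parsed as SQL. The password is compared against a salted
    # hash with a constant-time comparison instead of being stored in clear.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(derive_key(password, salt), stored)


# --- Cross-site scripting on the same page: a different sink, same cause ----
def greeting_vulnerable(username: str) -> str:
    return f"<p>Welcome back, {username}!</p>"  # raw input reaches the HTML


def greeting_fixed(username: str) -> str:
    return f"<p>Welcome back, {html.escape(username)}!</p>"  # entity-encoded


if __name__ == "__main__":
    db = build_db()
    bogus = "' OR '1'='1"  # classic probe string a tester would try
    print("legacy login, bogus credentials:", login_vulnerable(db, bogus, bogus))
    print("fixed login, bogus credentials: ", login_fixed(db, bogus, bogus))
    print("fixed login, real credentials:  ", login_fixed(db, "alice", "correct horse"))
    print(greeting_fixed("<script>alert(1)</script>"))
```

Running the file shows the legacy query accepting the bogus credentials while the remediated one rejects them and still accepts the real ones; the escaped greeting is what the report’s “detailed fixes for remediation” would ask the developers to ship.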

PART 2: TECHNICAL OVERVIEW

Risk Effort Table (example)

‘In total, 29 vulnerabilities have been identified and documented.’

PART 2: TECHNICAL OVERVIEW

Each recommendation or fix has been assigned an effort rating which estimates how much remedial work will be required to address the item.

Low: up to 1 man-day of effort
Moderate: up to 10 man-days of effort
High: over 10 man-days of effort

PART 2: TECHNICAL OVERVIEW

Detailed Summary and Risk Rating (example)

SQL Injection
• Impact: High
• Risk: High
• Likelihood: High
• Fix Effort: Medium
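The effort bands (Low up to 1 man-day, Moderate up to 10, High beyond) and the per-finding Impact/Likelihood/Risk/Fix Effort ratings are the raw material of the Risk Effort Table and the management summary. The block below is an added example, not part of the webinar or of any SSL247 reporting tool, that models those two slides in code: the effort thresholds are the ones stated on the slides, while the Impact × Likelihood → Risk rule, the four sample findings and their man-day estimates are constructed for illustration (the slide’s “Medium” fix effort is taken here to mean the Moderate band).

```python
"""Added example (not from the webinar): turning per-finding ratings into the
report's effort bands, risk ratings and management summary counts.
Effort thresholds are the slides' own; the risk rule and data are constructed."""
from collections import Counter
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")  # ordered, so index() gives a severity rank


def effort_rating(man_days: float) -> str:
    """Effort bands exactly as the report defines them."""
    if man_days <= 1:
        return "Low"
    if man_days <= 10:
        return "Moderate"
    return "High"


def risk_rating(impact: str, likelihood: str) -> str:
    """Constructed rule: risk is the rounded-up average of the two ranks, so
    High/High -> High, High/Low -> Medium, Medium/High -> High, Low/Low -> Low."""
    i, l = LEVELS.index(impact), LEVELS.index(likelihood)
    return LEVELS[(i + l + 1) // 2]


@dataclass
class Finding:
    title: str
    impact: str
    likelihood: str
    fix_man_days: float

    @property
    def risk(self) -> str:
        return risk_rating(self.impact, self.likelihood)

    @property
    def fix_effort(self) -> str:
        return effort_rating(self.fix_man_days)


def sample_findings() -> list:
    """Constructed findings echoing the key-findings slide; estimates are made up."""
    return [
        Finding("SQL injection in login page", "High", "High", 5),
        Finding("Out-of-date patches", "Medium", "High", 0.5),
        Finding("Unnecessary open ports", "Low", "Medium", 1),
        Finding("Weak password policy", "Medium", "Medium", 12),
    ]


def management_summary(findings: list) -> dict:
    """Counts per risk level, total remediation estimate, and an ordering that
    puts the highest risk first and, within a level, the quickest fix first."""
    by_risk = Counter(f.risk for f in findings)
    ordered = sorted(findings, key=lambda f: (-LEVELS.index(f.risk), f.fix_man_days))
    return {
        "total": len(findings),
        "by_risk": {lvl: by_risk.get(lvl, 0) for lvl in LEVELS},
        "total_man_days": sum(f.fix_man_days for f in findings),
        "worst_first": [f.title for f in ordered],
    }


if __name__ == "__main__":
    findings = sample_findings()
    for f in findings:
        print(f"{f.title}: impact {f.impact}, likelihood {f.likelihood}, "
              f"risk {f.risk}, fix effort {f.fix_effort}")
    summary = management_summary(findings)
    print(f"In total, {summary['total']} vulnerabilities have been identified.")
    print(summary)
```

The ordering in `worst_first` is a design choice rather than anything the slides prescribe: a reader of the management summary gets the High-risk items first, and among equals the cheapest fix, which is the “quick win” a remediation team would schedule first.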

PART 3: DETAILED TECHNICAL REMEDIATION

Intended for technical personnel responsible for remediation, this part contains:

• Description of the vulnerability
• How the issue was found
• How it was exploited
• Screen grabs (where appropriate)
• Detailed fixes for remediation

The report undergoes internal technical and grammatical QA before delivery.

DELIVERY OF REPORT

• Secure delivery
  • A secure decrypt key is sent to the nominated Point of Contact’s mobile phone
  • A URL link is sent to the previously agreed Point of Contact to download and decrypt
• Delivery time
  • Usually within 2 or 3 days following the testing. The rule of thumb is: the reporting takes half the time of the testing.
PART 4
Do I need a Pen Test?
DOES MY ORGANISATION
REQUIRE A PEN TEST?

• Every business, no matter how small or large, stands to gain from a PenTest
  • A PenTest should be tailored to the requirements of your business

• If your organisation has a quality accreditation, such as ISO 27001, regular testing is recommended in order to retain the accreditation

• Some industries handle sensitive data (e.g. financial and medical industries). Regulators require PenTests in those cases
DOES MY ORGANISATION
REQUIRE A PEN TEST?

List of questions to ask yourself before you commit:

• What is the goal of the Penetration Test for me?

• What do I want to test? What is the scope of the test? What do you agree to test?

• How frequently do I want to run the Penetration testing? When was the last time you had a pen test?
DOES MY ORGANISATION
REQUIRE A PEN TEST?
Our recommendations:

• Outsource this service for better quality and impartiality

• Choose a supplier with respected accreditations and web security experience

• Make sure the scope of the test is agreed on – get a signed agreement

• Make sure you have a dedicated expert available during the Penetration Test

• Get a sample of the Penetration Test report before you commit

• After the Penetration Test, plan a training session for your employees
Questions & Answers

QUESTIONS AND ANSWERS

Q. Do you know beforehand how long a Pen Test will take?

A. Once we know the scope of work, we will know exactly how long
the Pen Test will take. If it takes any longer, the client will not be
charged.

Q. Once you have identified weaknesses, do you also fix them?

A. No. We don’t do this, because if we fix them we will know how the
system is built, meaning that if we were to undertake another Pen
Test, we would have information an ordinary hacker would not, and
thus the test would not be realistic. However, we will advise as to
how best to fix them, whether you use your IT team or an external
team.

Thank you for your attention!
For a free consultation:
• email now: info@SSL247.co.uk
• or call: 0333 920 6345 (London office)

Website: www.SSL247.co.uk/penetrationtesting

With SSL247®, you don’t have to wait to protect your Online Business Continuity
