
University of Cincinnati Office of Information Security

Standard Operating Procedure 2.4.1 Internal Penetration Testing

2.4.1 Internal Penetration Testing


1.1 Readership:
Members of the information security team who are authorized to conduct internal penetration testing.

1.2 Summary:
A security penetration test is an activity in which a test team (hereafter referred to as the Pen Tester) attempts to circumvent the security processes and controls of a computer system. Posing as internal unauthorized intruders, the test team attempts to obtain privileged access, extract information, and demonstrate the ability to manipulate the target computer in ways that would be unauthorized had they occurred outside the scope of the test. Due to the sensitive nature of the testing, specific rules of engagement are necessary to ensure that testing is performed in a manner that minimizes impact on operations while maximizing the usefulness of the test results. This document provides guidance and formal documentation for the planning, approval, execution and reporting of internal penetration testing.

1.4 Roles and Responsibilities


1.4.1 Director of Information Security shall:
  a. Be responsible for coordination of the penetration test activities and schedule and notify management of planned activities.

1.4.2 Pen Test Point of Contact (POC) shall:
  a. Be responsible for the penetration test team and be the primary interface with the Director of Information Security for all penetration test activities.
  b. Develop the documentation and plans for the penetration test.
  c. Identify and assign roles to the Pen Testers team, identify major milestones for the tasks of the Testers team, identify estimated dates upon which the major milestones will be completed, and indicate the critical path.
  d. Identify the steps that will be taken to protect the Test Plan, results and final deliverables.
  e. Coordinate the Information Security Penetration test with the Director of Information Security.
  f. Assure that all pertinent reports, logs, test results, working papers and data related to the penetration tests are being generated and maintained, and are being stored appropriately.

Section 2 Risk Management


1.5 Procedure:
1.5.1 Planning for a Penetration Test of a University of Cincinnati Site

Prior to the start of a penetration test of a UC Site, a Pen Test POC and a Pen Tester POC shall be identified. The Pen Test POC will be the individual responsible for coordination of the penetration test activities and schedules, and will notify management of planned activities. The Pen Tester POC will be responsible for the penetration test team and be the primary interface with the Pen Test POC for all penetration test activities. The Pen Tester shall develop the documentation and plans for the penetration test (see Appendices A and B for the Penetration Test Plan Template). As part of this effort, the Pen Tester shall identify and assign roles to the Pen Testers team, identify major milestones for the tasks of the team, identify estimated dates upon which the major milestones will be completed, and indicate the critical path. The Pen Tester shall also identify the steps that will be taken to protect the Test Plan, results, and final deliverables.

1.5.2 Conducting the Penetration Testing

The following tasks shall be performed by the Pen Tester for sites tested:

a. Introductory Briefing
   a. Introduce key players
   b. Provide overview of Pen Tester capabilities
   c. Explain objectives of the penetration test
   d. Review resources, logistics and schedule requirements
   e. Schedule technical and administrative face to face meetings

b. Executive In-Briefing
   a. Introduce Pen Tester and key penetration testing staff
   b. Review objectives of the penetration test
   c. Review selected target systems
   d. Review plan and schedule for activities
   e. Address issues and concerns
   f. The Penetration Testing Plan and Rules of Engagement shall be signed by all parties prior to the start of testing activities.

c. For Internal Penetration Testing
   a. Plan and schedule
   b. Conduct penetration testing with team (reconnaissance, exploitation of vulnerabilities, intrusion, compromise, analysis and recommendations).


d. Analysis of Data and Findings (off-site)
   a. Correlate data and findings from discoveries and reviews
   b. Analyze results from penetration testing
   c. Compare requirements with industry standards
   d. Document findings and prioritize recommended corrective actions with references to industry standards and requirements
   e. Provide briefing of findings, recommendations, and associated impacts to the Director of Information Security and the Assistant Vice President of Information Security and Special Projects

e. Completion Briefing
   a. Summarize findings
   b. Present final reports
   c. Discuss internal penetration testing results
   d. Discuss evaluation of the test site's IT security program and management structure
   e. Discuss overall recommendations

1.5.3 The Pen Tester shall remove all data related to the IT Security Penetration test for each site from the Pen Tester's computer(s) by a method approved by the UC Information Security Director. All documents, data logs/files, test results and working papers generated by the Pen Tester for the IT Security Penetration test at each site shall not be retained by the Pen Tester and shall be provided to UC, become the property of UC, and be retained by the UC Information Security Director.

2.0 Approval

__________________________          _______________________
Director of Information Security    Date


3. Planning

Refer to the Penetration Test Plan Template (Appendices A and B).

4. Approval

Submit the Internal Penetration Approval Form.

5. Execution

Initial reconnaissance
Build up an understanding of the company or organization. This will include interrogating public domain sources such as whois records, finding IP ranges, ISPs, contact names, DNS records, website crawling etc.

Service determination
The collection of IP addresses enables the investigation of available services. Scans for known vulnerabilities can also be performed using tools such as Nessus or ISS. If firewalls are found, attempts will be made to determine the firewall type. Note that most attacks are not against firewalls, but rather through the firewalls at the servers behind them (see my previous article on Web application security, Network Security, August edition).

Enumeration
The operating system and applications are identified. Banner grabbing, IP fingerprinting and mail bouncing should reveal servers. Usernames, exports, shares etc. are also determined if possible.

Gain access
Once the testers have more knowledge of the systems, relevant vulnerability information will be researched or new vulnerabilities found in order to (hopefully) give some level of access to the systems.

Privilege escalation
If an initial foothold can be gained on any of the systems being tested, the next step will be to gain as much privilege as possible, i.e. NT Administrator or UNIX root privileges. This system can then be used as a launch pad for attacks against systems deeper into the network.

6. Reporting

Submit the complete report using the Internal Penetration Report Template for review, then the final report for summarized findings.


7. Internal Penetration Report Template


Introduction
Date carried out
Testing Team details
   1. Name
   2. Contact Nos.
   3. Relevant Experience if required.

Network Details
   1. Peer to Peer, Client-Server, Domain Model, Active Directory integrated
   2. Number of Servers and workstations
   3. Operating System Details
   4. Major Software Applications
   5. Hardware configuration and setup
   6. Interconnectivity and by what means i.e. T1, Satellite, Wide Area Network, Lease Line, Dial up etc.
   7. Encryption/VPNs utilized etc.
   8. Role of the network or system

Scope of test
   1. Constraints and limitations imposed on the team i.e. out of scope items, hardware, IP addresses.
   2. Constraints, limitations or problems encountered by the team during the actual test
   3. Purpose of Test
      - Deployment of new software release etc.
      - Security assurance for the Code of Connection
      - Interconnectivity issues
   4. Type of Test
      - Compliance Test
      - Vulnerability Assessment
      - Penetration Test
   5. Test Type


      White-Box
      The testing team has complete carte blanche access to the testing network and has been supplied with network diagrams, hardware, operating system and application details etc. prior to a test being carried out. This does not equate to a truly blind test but can speed up the process a great deal and leads to more accurate results being obtained. The amount of prior knowledge leads to a test targeting the specific operating systems, applications and network devices that reside on the network rather than spending time enumerating what could possibly be on the network. This type of test equates to a situation whereby an attacker may have complete knowledge of the internal network.

      Black-Box
      No prior knowledge of the company network is known. In essence, an example of this is when an external web based test is to be carried out and only the details of a website URL or IP address are supplied to the testing team. It would be their role to attempt to break into the company website/network. This would equate to an external attack carried out by a malicious hacker.

      Grey-Box
      The testing team would simulate an attack that could be carried out by a disgruntled, disaffected staff member. The testing team would be supplied with appropriate user level privileges and a user account, and access would be permitted to the internal network by relaxation of specific security policies present on the network, i.e. port level security.

1. Executive Summary (Brief and Non-technical)

OS Security issues discovered with appropriate criticality level specified
   Exploited
      Causes: Hardware failing / Software failing / Human error
   Unable to exploit - problem area
      Causes: Hardware failing / Software failing / Human error

Application Security issues discovered with appropriate criticality level specified
   Exploited


   Unable to exploit - problem area

Physical Security issues discovered with appropriate criticality level specified
   Exploited
   Unable to exploit - problem area

Personnel Security issues discovered with appropriate criticality level specified
   Exploited
   Unable to exploit - problem area

General Security issues discovered with appropriate criticality level specified
   Exploited
   Unable to exploit - problem area


8. Internal Penetration Testing Request Form


Name: ______________________________   Date: ____________

Operation Summary
   Background
   What is proposed?
   Why should the operation be implemented?

The Value of The Operation To The Department
   Benefits expected from the operation
   Investment required and ongoing cost to the Department

How The Operation Will Be Implemented
   Plan for preparation phase
   Plan for delivery phase

RISKS AND UNCERTAINTIES

Authorization Authority    Director OIS    AVP OIS/Special Projects    CIO
Approved (initial)
Disapproved (initial)
Reason (if applicable)
Date


9. Appendix A Penetration Test Plan 1

1. Planning and Enumeration (provide a short narrative discussion of the activities associated with each of the following)
   a. Identify Scope and Goals of the Exercise
   b. Enumerate the Boundary of the Testing
   c. Develop Rules of Engagement
      i. Conduct penetration testing on site (reconnaissance, exploitation of vulnerabilities, intrusion, compromise, analysis and recommendations)
      ii. When a vulnerability is exploited, describe the actions to be taken, such as issuing a Stop Report that halts further exploitation of the system unless approved.
      iii. How findings, risk impacts, and recommended corrective actions will be reported, such as daily and weekly reports, unless a finding is high risk, which will be reported immediately.
      iv. Conduct technical presentation to system administrators on test findings, methods, and approaches.

2. Vulnerability Analysis (provide a short narrative discussion of the activities associated with each of the following)
   a. Identify Targets
   b. Identify Potential Vulnerabilities
   c. Perform Vulnerability Scans
   d. Buffer overflows
   e. Improperly configured network services
   f. Improperly configured trust relationships
   g. Insecure authentication mechanisms
   h. Outdated network services that have known vulnerabilities
   i. Apply enumeration data in searching vulnerability databases
   j. Perform manual test
   k. Password guessing
   l. IP spoofing
   m. Social engineering
   n. Manipulating routing tables
   o. Identification and usage of modems and wireless access points as an attack vector for entry into the UC network.


3. Penetration testing (provide a short narrative discussion of the activities associated with each of the following)
   a. Research and develop attack scenarios
   b. Execute attacks
   c. Record results
   d. Report exploitable vulnerabilities
   e. Analyze penetration testing results and, if indicated, perform additional exercises.
   f. Recommend countermeasures.

___________________________
Penetration Tester POC

___________________________
Director of Information Security


10. Appendix B Penetration Test Plan 2

vulnerability-assessment-and-penetration-testing-plan-templates.pdf
