Kluge Burch Zimmerling
GRC Advisors

Commodity Services Specification

Penetration Testing & Application Security Assessment

January 2015


Contents

1. Introduction

2. Assessment Workflow

3. Generic Penetration Testing work program

4. Penetration Testing work program for specific host types

5. Penetration Testing work program for network subnets

6. Application Security Assessment

7. Example Report


Introduction

This document outlines the work program defining the Penetration Testing and Application Security Assessment Commodities available at www.dimentis.com.

Method of Testing: All assessments are performed remotely over the internet.

Reporting Format: The report is issued in a standardized format, as outlined in the appendix.

Assessor and Standards: Both services are offered by the Partner Companies indicated on our website. The assessments are performed by experienced testers and are carried out in accordance with common standards such as OWASP, NIST and BSI.


Workflow

1. You select and order at the KBZ website.
2. The order is forwarded to the Assessor.
3. The Assessor confirms your order.
4. The Assessor provides you with secure means of communication for the next steps.
5. Your identity and your ownership of the subject of evaluation are confirmed.
6. You communicate the IP addresses of the systems to be tested.
7. The Assessor agrees the details of the testing with you, such as the time of execution.
8. The Assessor performs the tests.
9. The Assessor provides the report via the secure means of communication.

Timeline

Order: instantly
Confirmation: 1 day
Define Subject of Evaluation: 1 day
Execution: 3 days
Reporting: 2 days

NB. “day” means working day, Mon-Fri.

Penetration Testing – Single Hosts


Penetration Testing – Generic Assessment Program

Phase 1 – Information Gathering (I) (according to NIST, BSI)
Objective: Research information about the target system.
Method: Search engines, forums, tools such as dig and nslookup.

Phase 2 – Information Gathering (II)
Objective: Scan the target systems and their ports to detect the services they offer.
Method: Nmap, hping, other port scanners.

Phase 3 – Fingerprinting
Method: Vulnerability scanning software such as Qualys, OpenVAS, Nessus, Nmap.

Phase 4 – Vulnerability Research
Objective: Research system vulnerabilities based on the information gathered.
Method: Vulnerability scanning software, CVE database, VulnDB, Exploit DB.

Phase 5 – Verification and Exploiting
Objective: Verification and exploitation of the vulnerabilities found.
Method: Individually, depending on the system and the vulnerabilities found.

This Generic Assessment Program describes the basic steps for penetration testing irrespective of the host type. It assumes an approach without authentication credentials and involves manual testing and verification of the vulnerabilities found. Host-specific testing and the Application Security Assessment use this program as their starting point.


Tests for Specific Host Types

Web Server
  - Manual verification
  - Testing of logon mechanisms and forms for SQL injection and XSS
  - Additional tests based on the OWASP Top 10

Mail Server
  - Generic Work Program
  - SMTP tests, e.g. relaying
  - Mail and malware tests (authentication credentials required): sending samples with different file extensions and test malware to test the filtering
  - Testing the active protocols, e.g. POP3 and IMAP, for vulnerabilities

DNS Server
  - Generic Work Program
  - DNS cache poisoning
  - DNS spoofing
  - DNS amplification attack
  - Recursive queries
  - DNS protocol attacks and man-in-the-middle attacks
  - Testing for data leakage via the DNS server

Remote Access Server, e.g. RAS, VPN, OWA (without authentication credentials)
  - Generic Work Program
  - Testing the authentication platform or mechanism
  - Transport encryption
  - Testing for vulnerabilities against man-in-the-middle attack scenarios
  - Testing for data leakage

Transfer Server (FTP, SFTP) (with authentication credentials)
  - Generic Work Program
  - Testing the authentication platform or mechanism
  - Reviewing access rights
  - Testing for vulnerabilities against man-in-the-middle attack scenarios
  - Testing for data leakage

Others
  - Generic Work Program
  - Determined on a case-by-case basis depending on the subject of evaluation
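The SMTP relaying test listed for Mail Servers, shown as the actual protocol exchange. This is an added example and not code from the specification or its assessors. It is written against the method names and (code, message) return shape of Python's smtplib.SMTP, so the same relay_check() runs live against port 25 or, as here, against a constructed in-memory server; the domains, addresses and server replies are made up for the example.

```python
# Added example (not part of the KBZ specification): the SMTP open-relay check
# for Mail Servers. relay_check() uses only ehlo/mail/rcpt/rset/quit, which
# exist with these names on smtplib.SMTP, so it can be pointed at a real host;
# FakeSmtpServer is a constructed stand-in so the example runs offline.
import smtplib  # only used by live_relay_check()


class FakeSmtpServer:
    """Constructed stand-in for smtplib.SMTP: same method names, same
    (code, message) return shape. Accepts recipients in its own domain and,
    if open_relay is True, in any other domain as well (i.e. it relays)."""

    def __init__(self, local_domain, open_relay):
        self.local_domain = local_domain.lower()
        self.open_relay = open_relay
        self.log = []  # both sides of the dialogue, for the report

    def _reply(self, cmd, code, msg):
        self.log.append(("C", cmd))
        self.log.append(("S", "%d %s" % (code, msg)))
        return code, msg.encode()

    def ehlo(self, name=""):
        return self._reply("EHLO " + name, 250, "mail.example.net")

    def mail(self, sender, options=()):
        return self._reply("MAIL FROM:<%s>" % sender, 250, "2.1.0 Ok")

    def rcpt(self, recip, options=()):
        domain = recip.rsplit("@", 1)[-1].lower()
        if domain == self.local_domain or self.open_relay:
            return self._reply("RCPT TO:<%s>" % recip, 250, "2.1.5 Ok")
        return self._reply("RCPT TO:<%s>" % recip, 554,
                           "5.7.1 Relay access denied")

    def rset(self):
        return self._reply("RSET", 250, "2.0.0 Ok")

    def quit(self):
        return self._reply("QUIT", 221, "2.0.0 Bye")


def relay_check(smtp, sender, external_recipient):
    """Return True if the server accepts a recipient that is NOT in its own
    domain. The dialogue stops at RCPT TO: that is where the relay decision
    is taken, so DATA is never sent and no mail leaves the system."""
    try:
        if smtp.ehlo("tester.example")[0] != 250:
            return False
        if smtp.mail(sender)[0] != 250:
            return False
        code, _ = smtp.rcpt(external_recipient)
        smtp.rset()  # abandon the transaction cleanly before QUIT
        return code == 250
    finally:
        smtp.quit()


def live_relay_check(host, port=25, sender="probe@tester.example",
                     recipient="probe@external.example", timeout=10):
    """Same check over the network. Run only against hosts whose owner has
    authorised the test (workflow step 5)."""
    return relay_check(smtplib.SMTP(host, port, timeout=timeout),
                       sender, recipient)


if __name__ == "__main__":
    srv = FakeSmtpServer("example.net", open_relay=False)
    print("open relay:", relay_check(srv, "probe@tester.example",
                                     "probe@external.example"))
    for side, line in srv.log:
        print(side, line)
```

A 250 at RCPT TO is the signal the test is looking for, but it is not proof of delivery: some servers accept every recipient and only reject or discard at DATA or afterwards, so a positive result is confirmed by sending a message to a mailbox the tester controls. Conversely, a 554 here does not end the test; the classic relay test suites also try alternative address forms (for example user%external.example@mail.example.net) and authenticated sessions before the server is reported as not relaying.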

Penetration Testing – Network Subnets


Subnet Testing

Maximum number of hosts: 50

Testing approach: Generic Work Program, steps 1-4; selection of a sample of hosts for more detailed analysis (step 5).

Description: Instead of choosing particular hosts, subnet testing refers to all hosts within the specified subnet. For reasons of practicability, subnets may not include more than 50 hosts.

As it is not feasible to test all hosts within the subnet at the same level of detail, this type of testing leaves it to the assessor to choose a sample of hosts that are considered the most vulnerable.

Depending on the type of host and the outcome of the first four steps of the Generic Work Program, the assessor will perform the set of targeted tests which in his professional judgment are the most suitable.

Application Security Assessment


Application Security Assessment

Description and scope: Manual test and verification of an application using valid authentication credentials.

Comprises:
  - Generic penetration test of the host system (see previous pages)
  - Assessment of the application against the OWASP Top 10
  - Further assessment depending on the effort spent in the individual case

Black Box Testing (Web, Mobile) – scope: application only, one operating system
  - Host testing if necessary
  - Testing of the application according to the OWASP Top 10 or the OWASP Mobile Top 10 respectively
  - Supplementary tests according to the OWASP Testing Guide
  - Exploiting as reasonable in the particular case and subject to the effort spent

Code Review
  - Review of the relevant parts of the application source code, such as session management and encoding
  - Review according to the OWASP Code Review Guide project

Full Review: Black Box Testing and Code Review combined.


Example Report


Kluge Burch Zimmerling Ltd, GRC Advisors

Unit 4111, PO Box 6945, London W1A 6US

+44 (0) 87 097 41 [email protected] www.kluge-partner.com

Registered in England and Wales.

Company No. 9044082

ICO Security No. CSN5134480

VAT No. GB 188 5540 67

Registered Office: 22 Village Square, Stockport SK7 1AW, United Kingdom