Page 1: Network Security PowerPoint

Beyond Your Numbers

Risk Management Group

Penetration Testing
The Importance of Your Bank’s Perimeter Security

Presented by:

Brian Hunter & Philip Diekhoff

BKD Risk Management Group

Page 2

A Brief History of Hacking

Page 3

The Penetration Tester

Testing done by an Ethical Hacker who attempts to circumvent security of computer system or network

EH works under no constraints other than those that would apply to ordinary users

EH will use same methodology & tools used by Hackers

Page 4

Types of Penetration Testing

External Penetration Testing
Taking role of hacker to gain access from Internet

Internal Penetration Testing
Taking on role of disgruntled employee or third-party vendor to gain access from inside network

Page 5

Different types of Penetration Testing

No knowledge – hacker from Internet. Test is performed with no information about organization

Knowledgeable – former employee. Test is performed with some knowledge but no access

Insider – consultants or vendors. Test is performed inside with physical access to network. Knowledge is limited

Knowledgeable insider – staff. Test is performed inside with knowledge. This is to test how secure network is & whether employees can access resources they shouldn’t be able to

What kinds of testing can be done?

Page 6

Security Offerings – What’s out there?

Network Scanning
Vulnerability Scanning
Penetration Testing

What is the difference?

Page 7

Network Scanning

What is it?
Uses port scanners (ex. Nmap, Superscan)
Scans network to determine what devices are there, what ports are open & what services are running on those ports

Fast, efficient but doesn’t probe for vulnerabilities
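As an added illustration (not part of the original deck), the following Python script turns the network-scanning step into a perimeter check a bank can repeat: it parses Nmap's grepable output (-oG) and compares the open TCP ports on each host against an approved baseline, so anything exposed to the Internet that the firewall rule base does not account for stands out. The sample scan text, the host names and the baseline are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of Nmap grepable output (-oG); not real scan data.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.0.2.10 (www.bank.example)\tStatus: Up
Host: 192.0.2.10 (www.bank.example)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 192.0.2.11 (mail.bank.example)\tPorts: 25/open/tcp//smtp///, 110/filtered/tcp//pop3///, 443/open/tcp//https///\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""

# Approved perimeter exposure per host: the TCP ports that should be reachable
# from the Internet. Hypothetical baseline; a real one comes from the firewall
# rule base and the engagement scope.
BASELINE = {
    "192.0.2.10": {80, 443},
    "192.0.2.11": {25, 443},
}

# One grepable port entry looks like 80/open/tcp//http///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)")

def parse_gnmap(text):
    """Return {ip: {port: service}} for TCP ports Nmap reported as open."""
    open_ports = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comments and Status-only lines
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open" and proto == "tcp":
                open_ports[ip][int(port)] = service
    return dict(open_ports)

def unexpected_exposures(scan, baseline):
    """Open ports on the perimeter that the baseline does not allow."""
    findings = []
    for ip, ports in scan.items():
        allowed = baseline.get(ip, set())   # unknown host: nothing is allowed
        for port, service in sorted(ports.items()):
            if port not in allowed:
                findings.append((ip, port, service))
    return findings

if __name__ == "__main__":
    for ip, port, service in unexpected_exposures(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"{ip}: tcp/{port} ({service}) is open but not in the approved baseline")
```

Run against a real -oG file from an authorized scan, the finding list is the "snapshot" the later slides warn about: it is only as current as the scan that produced it.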

Page 8

Vulnerability Scanning

What is it?
Identifies network hosts & services
Identifies network operating systems
Identifies applications running on those devices
Identifies potential vulnerabilities pertinent to those systems & applications
Based on a database of vulnerabilities & not actual testing
Fairly fast, provides list of vulnerabilities but has many false positives

Page 9

Penetration Testing

What is it?
Set of procedures designed to circumvent existing security controls of specific system or organization
Encompasses network scanning & vulnerability scanning, but includes human element & verification of vulnerabilities

True hacker approach, verifies vulnerabilities but takes time & expertise

Page 10

Why do I Need Penetration Testing?

Risk assessment

Verification of security controls

Identify vulnerabilities

Regulatory compliance

Anticipate expenditure

Page 11

It Won’t Happen to Me

No one would be interested in small organization like us

They think IT department has everything under control or

People become complacent with their network

Consider This!

Page 12

Check This Out

http://www.privacyrights.org/ar/ChronDataBreaches.htm
Hacked Sites

Page 13

Data Breaches 2006: Analysis

Share of incidents by cause, per sector:

                               Private Sector     Public Sector        Higher Education    Medical Centers
                               (incidents n=126)  (inc. military)      (incidents n=52)    (incidents n=30)
                                                  (incidents n=114)
Outside Hackers                15%                13%                  52%                  3%
Insider Malfeasance            10%                 5%                   2%                 20%
Human/Software Incompetence    20%                44%                  21%                 20%
Theft (non-laptop)             15%                17%                  17%                 17%
Laptop Theft                   40%                21%                  20%                 40%

Page 14

Questions to Ask

What is their methodology?
Is methodology proven, has it been successfully used before?
Ask for references—more is better!
How long have they been performing this kind of work?

Page 15

Things to Keep in Mind

Need for independence
Testing of any type can be disruptive & damaging
Are we talking about network scanning, vulnerability scanning or penetration testing – compare scopes & methodologies

There is no one standard methodology for penetration testing, but some standardization has emerged

Page 16

Key Methodology Steps

Scope of work/engagement letter
Footprinting
Scanning
Enumeration
Penetration
Privilege escalation
Find sensitive data
Conference with client (discuss findings)
Report (contains findings & recommendations)

Page 17

Footprinting

Public information gathering to determine organization’s demographics, locations, address, hosts, etc.

Organizational reconnaissance
Network reconnaissance
Domain names
IP addresses
Pinpoint servers (web, email, DNS, etc.)
Employee information
Search newsgroups for company information

Page 18

Scanning

Assess & identify listening services to focus attack on most promising avenues of entry

TCP and UDP port scanning
Locate publicly accessible devices on IP segment
Identify open ports on devices
Stealth is required not to alert Intrusion Detection Systems
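Seen from the defender's side, an added example (not from the original deck) of the logic an intrusion detection system applies to the scanning phase above: it reads firewall DROP log lines and flags a source that touches many distinct TCP ports on one host within a short window, while a source that merely retries one blocked port is ignored. The log lines are constructed, and the syslog format, the 60-second window and the 10-port threshold are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall DROP lines (iptables-style syslog); not from a real device.
# One source walks TCP ports 21-32 on a perimeter host within 12 seconds (a scan);
# another retries the same blocked port 445 (noise, not a scan).
SAMPLE_LOG = [
    f"Mar 12 02:14:{s:02d} fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 "
    f"DST=192.0.2.10 PROTO=TCP SPT=41000 DPT={21 + s}"
    for s in range(12)
] + [
    f"Mar 12 02:14:{s:02d} fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 "
    f"DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=445"
    for s in range(12)
]

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

def parse_ts(stamp, year=2007):
    """Syslog timestamps carry no year; the year used here is an assumption."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def detect_scans(lines, window_s=60, min_ports=10):
    """Return {(src, dst): (first_alert_time, distinct_ports)} for sources that
    hit at least min_ports distinct TCP ports on one host within window_s."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (time, dst_port)
    alerts = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # not a TCP DROP line; ignore it
        ts = parse_ts(m["ts"])
        key = (m["src"], m["dst"])
        q = recent[key]
        q.append((ts, int(m["dpt"])))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                   # slide the window forward
        ports = {p for _, p in q}
        if len(ports) >= min_ports and key not in alerts:
            alerts[key] = (ts, len(ports))
    return alerts

if __name__ == "__main__":
    for (src, dst), (when, n) in detect_scans(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} possible port scan: {src} -> {dst} ({n} ports in window)")
```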

Page 19

Enumeration

Enumerate network devices & determine what is running & what it is running on

Identify hardware
Identify operating system
Identify services & their version
Identify applications
Identify potential vulnerability

Page 20

Penetration

Use information from previous steps to gain access to systems
Using all information gathered so far, prioritize targets by the severity of vulnerabilities found
Systematically address all potential vulnerabilities on all systems

Never perform Denial of Service (DoS) attacks

Demo: RPC Exploit

Page 21

Privilege Escalation

Depending on privilege level obtained from penetration phase, it may be necessary to attempt to increase privilege level to gain total control of system

Demo: RPC Exploit

Demo: PWDump
Demo: File

Page 22

Find Sensitive Data – a.k.a. Pilfer

Footprint & scan internal network
Identify internal servers & their purpose
Attempt to locate sensitive information
Crack password files
Databases
Accounting programs

Demo: LC4

Page 23

Exit Meeting

Meet & discuss findings
Address largest security findings so you may begin immediately fixing them
Get all your questions answered

Page 24

Report

The real value in penetration testing is in the report

It should identify vulnerabilities

It should give recommendations on fixing those vulnerabilities

Page 25

What Will it Take to Keep Me Out?

Not as much as you might think

New expensive equipment is not usually required
Most security issues can be addressed quickly & easily
Most time & energy will be spent on security awareness

Page 26

What Will it Take to Keep Me Out? (cont.)

Understand that risks are real
Be proactive with your IT security
Clear, concise policies that define security requirements & expectations of employees
Patches – keep all computers & network devices current with latest service packs, patches and updates

Page 27

What Will it Take to Keep Me Out? (cont.)

Configure routers & firewalls to block all unnecessary traffic
Develop an “Incident Response Team”
Have testing performed regularly
Use intrusion detection systems

Remember, all testing/scanning is snapshot of network at that point in time

Page 28

Common Entry Points

When locking down your network, pay attention to most common points of entry for hackers

Misconfigured routers
Misconfigured firewalls
Misconfigured Internet servers
Unpatched software
Unsecured remote access
Accounts with excessive permissions
Weak & easily guessed passwords

Page 29

Key Takeaways

It is not a matter of “IF” but “WHEN”
Be proactive before you need to be reactive
Understand the importance of the methodology
Retest after significant changes
It’s a process not a destination

Page 30

How to Contact Us

Brian Hunter

Supervising Consultant

Springfield, MO

417.865.8701

[email protected]

Philip Diekhoff

Senior Consultant

Springfield, MO

417.865.8701

[email protected]