What every IT professional needs to know about penetration tests
24th April, 2014
Geraint Williams, IT Governance Ltd
www.itgovernance.co.uk
Overview

So what do IT professionals need to know about penetration tests?
- What is a penetration test?
- Why do they need testing?
- What do the tests cover?
- What don't the tests cover?
- Who can conduct the tests?
- Why should I test?
- When should I test?
- Arranging a test
What is a penetration test

A penetration test, or pen test, is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data.
Source: http://en.wikipedia.org/wiki/penetration_test
Difference between a penetration test and a hack

- Penetration tester has permission to test the system(s). Malicious hacker is committing an illegal act.
- Penetration tester is limited in the time taken to complete the attack on the system(s). Malicious hacker has all the time in the world to attempt a hack.
- Penetration tester has to stay within legal and ethical limits. Malicious hacker has no legal or ethical restraints other than self-imposed ones.
- Penetration testing is a snapshot in time, conducted at intervals. An attack can occur at any time, and vulnerabilities can be discovered at any time.
Gaining access

Listed from easiest to hardest:
- Gaining access to a system from outside the network by exploiting vulnerabilities in the user layer
- Gaining access to a system from outside the network by exploiting vulnerabilities in the application layer
- Gaining access to a system from outside the network by exploiting vulnerabilities in the network layer
Attack surface

- User attack surface
- Application attack surface
- Network attack surface
Internal or external view

- Internal test: simulates a malicious insider, or the actions of a hacker who has already gained access.
- External test: simulates an external threat, i.e. the actions of a hacker trying to gain access.
What needs to be tested

Layers:
- Network layer
- Application layer
- User layer

Systems:
- Publicly accessible systems
- High-risk systems
- High-value systems
- Internal systems
- Segmentation
What do the tests cover

Known vulnerabilities and exploits.
Different test types

The three services compared, with their alternative names:
- Vulnerability Scan (also called an Automated Scan)
- ITG Penetration Test L1 (also called a Vulnerability Assessment)
- ITG Penetration Test L2 (also called Full Penetration Testing)

Detail of test compared across the three:
- Pre-assessment client scoping and consultation
- Scope of assessment: agreed with client (for all three)
- Can be conducted internally and externally
- Identification of potential vulnerabilities
- Identification of configuration vulnerabilities
- Identification of potential security loopholes
- Immediate notification of critical issues
- Automated scanning
- Manual scanning
- Manual testing
- Manual grading of vulnerabilities
- Exploitation of potential vulnerabilities to establish the impact of an attack
What the tests don't cover

- Not absolute security. A penetration tester is unlikely to find all the security issues.
- New vulnerabilities are being discovered all the time.
- Constraints on the pen tester limit success.
Lifecycle of a vulnerability: Heartbleed

1. Vulnerability introduced into application/system
2. (2 years)
3. Discovery by ethical researchers
4. (2 weeks)
5. Public announcement
6. Remediation activities, public exploits and attacks

From the public announcement onwards, vulnerability scanners and exploit tools are available and the vulnerability is visible to testers.
Who conducts the tests

Internal testers:
- Tiger Teams
- Red Teams

External testers:
- Ethical hackers
- Security researchers
Accreditation

A number of schemes within the UK:
- CHECK
- CREST
- Tiger Team
Qualification

A number of qualifications within the UK:
- CHECK
- CREST
- Tiger Team
- EC-Council
- SANS
- BSc or MSc
Why should I test

- Regulatory compliance
- Demonstrating due diligence
- Providing risk-based assurance that controls are being implemented effectively
Why should you conduct a regular penetration test?

New vulnerabilities are identified and exploited by hackers every week.
http://www.net-security.org/secworld.php?id=14595

In many cases, you won't even know that your defences have been successfully breached until it's too late.
Are you doing business with the government?

- Penetration testing is a requirement of the UK central Government Baseline Security Plans.
- Invitation to Tender documents issued by HM Government departments also reference penetration tests.
ISO27001 and penetration testing

- As part of the risk assessment process: uncovering vulnerabilities in any internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
- As part of the Risk Treatment Plan: ensuring that controls that are implemented do actually work as designed.
- As part of the on-going corrective action/preventive action (CAPA) and continual improvement processes: ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.
When should I test

- All the time: impractical.
- At a risk-based frequency interval.
- After deployment of new infrastructure or applications, and after changes to infrastructure and applications.
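The "snapshot in time" point, the Heartbleed lifecycle slide and the question of test frequency all come down to one thing: a tester working from known vulnerabilities can only find a flaw between its public announcement and its remediation, however long it was present before that. The following is an added example (not the deck's or IT Governance's own material) that models a vulnerability's timeline against a schedule of test dates and reports how many tests ran while the flaw was present but could not see it, and how long the system stayed exposed after disclosure before the next test could catch it. The dates are constructed to match the deck's "2 years / 2 weeks" shape rather than the exact Heartbleed dates, and the quarterly schedule is an assumed one.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VulnerabilityTimeline:
    """Key dates in the life of one vulnerability, following the deck's lifecycle slide."""
    name: str
    introduced: date              # the flawed code or configuration goes live
    discovered: date              # found by researchers; not yet public
    disclosed: date               # public announcement; scanners and exploits follow
    remediated: Optional[date] = None  # patched in this environment (None = still open)


def present_on(v: VulnerabilityTimeline, day: date) -> bool:
    """Was the flaw actually in the system on that day?"""
    return v.introduced <= day and (v.remediated is None or day < v.remediated)


def visible_to_tester(v: VulnerabilityTimeline, day: date) -> bool:
    """Could a tester working from known vulnerabilities find it on that day?
    Only after public disclosure, and only while it is still unpatched."""
    return present_on(v, day) and v.disclosed <= day


def schedule_report(v: VulnerabilityTimeline, test_dates: List[date]) -> Dict[str, object]:
    """Compare a vulnerability's timeline with a list of scheduled test dates."""
    ordered = sorted(test_dates)
    # Tests that ran while the flaw existed but before anyone could know to look for it.
    blind_tests = [d for d in ordered if present_on(v, d) and not visible_to_tester(v, d)]
    # Tests that could have detected it (post-disclosure, pre-remediation).
    detecting = [d for d in ordered if visible_to_tester(v, d)]
    first = detecting[0] if detecting else None
    return {
        "days_present_before_disclosure": (v.disclosed - v.introduced).days,
        "tests_run_while_present_but_blind": len(blind_tests),
        "first_test_that_could_detect": first,
        "days_exposed_after_disclosure_until_test": (first - v.disclosed).days if first else None,
    }


def quarterly(years: List[int]) -> List[date]:
    """Assumed quarterly schedule: the 15th of January, April, July and October."""
    return [date(y, m, 15) for y in years for m in (1, 4, 7, 10)]


# Constructed, illustrative dates: roughly two years from introduction to discovery and
# two weeks from discovery to announcement, as on the deck's Heartbleed slide.
HEARTBLEED_LIKE = VulnerabilityTimeline(
    name="Heartbleed-like flaw (constructed dates)",
    introduced=date(2012, 1, 1),
    discovered=date(2014, 3, 24),
    disclosed=date(2014, 4, 7),
)

if __name__ == "__main__":
    for key, value in schedule_report(HEARTBLEED_LIKE, quarterly([2013, 2014])).items():
        print(f"{key}: {value}")
```

With the constructed dates, five quarterly tests run while the flaw is present without any chance of finding it; only the test after the announcement can, and shortening the interval only shortens the post-disclosure window, never the two years before it. That is the case for treating testing as one control alongside patch management and monitoring rather than as proof of absolute security.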
Arranging a test

- Selecting a supplier
- Scoping the engagement
- Understanding the report
- Remediation activities
What credentials should I look out for in a penetration tester?

- Can you provide evidence of a solid reputation, history and ethics (e.g. a full trading history, good feedback from both clients and suppliers, a reliable financial record, and a strong history of performance)?
- Do you take part in specialised industry events (such as those run by CREST or OWASP chapters)?
- Are you able to demonstrate exploits or vulnerabilities you have found in other similar environments?
- Can you provide independent feedback on the quality of work performed and conduct of staff involved?
- Do you adhere to a formal code of conduct overseen by an independent industry body?
Scoping the penetration test: questions your provider should ask

- What are the business drivers behind needing/wanting to do a penetration test?
- What are the outputs you require from the testing? Assurance / governance
- What threats are you trying to protect against? Internal / external
- What are the systems that require testing? Critical / high profile / everything
- Are you testing infrastructure and applications, or admins and monitoring systems?
- Are 3rd-party permissions required?
Reporting: what is included and what can I expect to receive?

- Provide a detailed technical report on the vulnerabilities of the system.
- Explain the vulnerabilities in a way that is easily understood by senior management.
- Report the outcome of the test in business risk terms.
- Identify short-term (tactical) recommendations.
- Conclude with, and define root causes for, long-term (strategic) recommendations.
- Include a security improvement action plan.
- Provide assistance to the organisation in implementing the security improvements.
Report findings

Findings identified during the penetration test should be recorded in an agreed format describing each finding in both:
- Technical terms that can be acted upon
- Non-technical, business-context terms, so that the justifications for the corrective actions are understood

Reports should describe the vulnerabilities found, including:
- Test narrative: the process the tester used to achieve particular results
- Test evidence: results of automated testing tools and screenshots of successful exploits
- The associated technical risks, and how to address them
Summary

- Penetration testing provides a means of testing information security controls
- Gives assurance about the effectiveness of controls
- Requires careful scoping
- Needs permission from ALL parties
Technical services

- IT Health Checks
- Web Application Security Testing
- Network Testing
- Wireless Network Testing
- PCI DSS Approved Scanning Vendor (ASV) Services
- Annual / Quarterly Scanning Contracts
Technical & consultancy services

- Penetration Testing Service: http://www.itgovernance.co.uk/shop/p-793-itg-penetration-testing-standard-package.aspx
- PCI QSA Services: http://www.itgovernance.co.uk/pci-qsa-services.aspx
- PCI DSS ASV Scanning Service: http://www.itgovernance.co.uk/pci-scanning.aspx
- PCI Hacker Guardian - Standard/Enterprise Scanning Service: http://www.itgovernance.co.uk/shop/p-1007-pci-asv-hackerguardian-scanning-service.aspx
- PCI DSS Consultancy Services, aligned to either Version 2 or Version 3: PCI DSS Scoping; PCI DSS Gap Analysis; Remediation support; Consultancy by the Hour (IT Governance LiveOnline): http://www.itgovernance.co.uk/pci-consultancy.aspx
Where to find us

- Visit our website: www.itgovernance.co.uk
- E-mail us: servicecentre@itgovernance.co.uk
- Call us: 0845 070 1750
- Follow us on Twitter: twitter.com/#!/itgovernance
- Read our blog: blog.itgovernance.co.uk/
- Join us on LinkedIn: www.linkedin.com/company/it-governance
- Join us on Facebook: www.facebook.com/itgovernanceltd
Any questions?

Contact details
- Blog: http://blog.itgovernance.co.uk/author/geraint-williams/
- LinkedIn: uk.linkedin.com/in/geraintpwilliams
- Twitter: twitter.com/#!/geraintw