IMEC Cybersecurity for Manufacturers
Penetration Testing and Top 10
Christian Espinosa, Alpine Security
www.alpinesecurity.com 1
Objectives
- Learn about penetration testing
- Learn what to consider when selecting a penetration testing vendor
Overview
- Background
- What is a Penetration Test?
- Why do a Penetration Test?
- Vulnerability Assessment vs Penetration Test
- Types of Penetration Tests
- Top 10 Items to Look for in a Penetration Testing Vendor
Background
- Christian Espinosa, CEO, Alpine Security
- Air Force Red Team Veteran
- Extensive cybersecurity experience and pen testing with multiple industries, including:
  - Manufacturing
  - Energy
  - Healthcare
  - Finance
  - Aerospace
- Alpine Security offers cybersecurity training, penetration testing, incident response, auditing, and cyberstrategy
What is a Penetration Test (Pentest)?
- An attempt to compromise the security of an organization, computer network, or computer system, with full permission of the owner(s), in order to assess security posture
- Uses automated and manual methods to mimic those of actual attackers, such as hackers
- Goal is to improve security posture by exposing vulnerabilities and proving they can be exploited to cause (or simulate) harm
Why do Penetration Testing?
- Gives you an accurate and holistic security assessment from the attacker's POV
- System developers and defenders do not always understand how attackers exploit vulnerabilities; a pentest helps educate them on how to build better defenses
- Mandated by many standards:
  - PCI DSS 3.2: requires external and internal penetration testing at least annually, or whenever a significant upgrade takes place
  - HIPAA 45 CFR 164.308(a)(8): requires a covered entity to conduct a periodic technical evaluation of controls
  - NIST 800-171: requires the organization to test its incident response capability, and to perform periodic security assessments to determine control effectiveness
Vulnerability Assessment vs Pentest
- A Vulnerability Assessment:
  - Looks for weaknesses without attempting to exploit them
  - Is less intrusive, and less potentially damaging, than a Pentest
- A Pentest exploit may rely on multiple vulnerabilities existing together in order to successfully gain access to a system
  - A Vulnerability Assessment usually cannot detect such combined weaknesses
Types of Pentests
- Location: Internal vs External
  - Internal: from the viewpoint of an attacker on the inside
  - External: from the viewpoint of an external attacker
- Knowledge / Access Level: "Box Colors"
  - White Box usually has the best potential to uncover the most exploitable vulnerabilities
Types of Pentests (cont.)
- Web vs Wired vs Wireless
  - Web: tests one or more web servers or web applications
  - Wired: tests one or more (wired) networked systems
  - Wireless: tests one or more wireless access points from close proximity
- Social Engineering
  - Phishing Campaign: attempt at getting users to respond to an unsolicited malicious email, text, or other electronic communication
  - Vishing Campaign: "voice phishing"; attempt to use the telephone to get users to violate the company's security policy
Types of Pentests (cont.)
- Physical Campaign: attempt to physically penetrate the boundaries of an organization or trick employees into violating the company's security policies
- Comprehensive Penetration Test (aka Red Team)
  - Uses any combination of tactics desired
  - Most realistic
  - Test may be part phishing, part in-person social engineering, part physical, etc.
Sample Pentest Activities
- Look for holes and running services to determine if they are vulnerable to exploits
- Attempt to crack passwords and bypass authentication using multiple methods
- Attempt to access sensitive data that could be exfiltrated
- Attempt to maintain access by planting backdoors or creating accounts
- Attempt to elude detection by covering tracks (deleting log file entries, etc.)
Top 10 for Selecting a Penetration Testing Vendor
1. Uses Certified and Experienced Personnel
2. Delivers Clear Reports with Risk-Based Prioritized Recommendations
3. Performs Both Manual and Automated Testing
4. Follows a Documented Process
5. Uses a Rules of Engagement (ROE) Document for Clear Expectations
6. Communicates Clearly and Frequently
7. Demonstrates Professionalism and Respect
8. Identifies and Eliminates False Positive Findings
9. Offers Retest Options
10. Protects Your Data During and After the Test
1. Uses Certified and Experienced Personnel
- Certified: penetration testers should have appropriate penetration testing and cybersecurity credentials, such as:
  - CISSP
  - Licensed Penetration Tester (LPT) (Master)
  - Certified Ethical Hacker (CEH)
  - Offensive Security Certified Professional (OSCP)
- Experienced:
  - Should understand various network, web, operating system, and platform technologies
  - Should understand your business
  - Should have experience with complex environments
2. Delivers Clear Reports with Risk-Based Prioritized Recommendations
- Reports should be easy to understand for both executives and technical personnel
- Reports should have a prioritized list of recommendations
  - Should not just be automated output from tools, but tailored recommendations that have been validated
- Vendor can provide sample, redacted reports upon request
- Reports should contain detailed steps, including screenshots, to allow engineers to fully reproduce the exploit
3. Performs Both Manual and Automated Testing
- Automated tools generate false positives
- Recommendations from automated tools are not always easily understandable
- Vendor should have in-depth knowledge of industry-standard automated testing tools
- Vendor should have in-depth knowledge of manual testing methods; able to exercise web or thick-client applications to look for functionality or configurations that can be abused to gain access
  - Automated tools will not easily find these types of vulnerabilities
4. Follows a Documented Process
- Documented processes ensure completeness, accuracy, and test repeatability
- Process should be followed pre-, during, and post-engagement
- The vendor should use a well-defined methodology
5. Uses a Rules of Engagement (ROE) Document for Clear Expectations
- Rules of Engagement (ROEs) are designed to ensure everyone is on the same page and that expectations are clear
- Provides clarity on test parameters:
  - Timing
  - Escalation procedures
  - Systems to be tested
  - Scope
  - Etc.
- Should consider customer sensitivity to the levels of testing
- Ideally, testing should be conducted on test systems rather than live systems, but this is not always possible; extra care and consideration should be taken when exploiting live systems
6. Communicates Clearly and Frequently
- You are never left wondering what the status of testing is
- Vendor communicates with you based on parameters determined in the ROE
- Critical findings should be communicated immediately
- Vendor should be able to clearly explain all mitigations that they recommend
7. Demonstrates Professionalism and Respect
- Test focus should be on helping you secure your environment
- Vendor can provide a list of references from prior work
- Vendor should prove an exploit exists without "spiking the football" (causing excessive damage to prove a point, demonstrate prowess, or mock the client)
- Vendor should prove a vulnerability is exploitable in the least disruptive way possible
- Vendor should clean up any files or modifications they made to the systems under test
8. Identifies and Eliminates False Positive Findings
- Automated tools often generate false positives
  - Cannot always distinguish desired behavior from undesired behavior
  - Can trigger on vulnerable code inside of comments, or make inferences based on differences in the timing of requests to the application
- Vendors should recognize and remove false positives to save the customer's development and deployment teams from engaging in wild-goose chases
- Questionable findings should be labeled
- A report riddled with false positives wastes time
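Added example (not from the slides): a constructed Python snippet showing the "vulnerable code inside a comment" false positive described above. A grep-style scan flags an eval() call that exists only in a comment, a tokenizer-based check confirms only real calls, and the unconfirmed hit is labeled questionable instead of being reported as a finding.

```python
import io
import re
import tokenize

# Constructed sample: eval() appears only inside a comment, so the live
# code path is not vulnerable. A grep-style scanner still flags it.
SAMPLE_SOURCE = '''
import json

def load(payload):
    # old approach: result = eval(payload)  # removed, unsafe
    return json.loads(payload)
'''

DANGEROUS_CALL = re.compile(r"\beval\s*\(")


def naive_scan(source):
    """Line-oriented regex match, like a simple grep-based checker.
    Returns the line numbers of every match, comments included."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if DANGEROUS_CALL.search(line)]


def comment_aware_scan(source):
    """Tokenize the source so comments and string literals are skipped.
    Only a NAME token 'eval' directly followed by '(' counts as a call."""
    toks = list(tokenize.generate_tokens(io.StringIO(source).readline))
    hits = []
    for tok, nxt in zip(toks, toks[1:]):
        if (tok.type == tokenize.NAME and tok.string == "eval"
                and nxt.type == tokenize.OP and nxt.string == "("):
            hits.append(tok.start[0])
    return hits


def triage(source):
    """Compare both scans: a naive hit that the token-aware scan does not
    confirm is labeled questionable, which is what item 8 asks of a vendor."""
    confirmed = set(comment_aware_scan(source))
    return [(n, "confirmed" if n in confirmed
             else "questionable: matched inside a comment or string")
            for n in naive_scan(source)]


if __name__ == "__main__":
    for line_no, label in triage(SAMPLE_SOURCE):
        print(f"line {line_no}: {label}")
```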
9. Offers Retest Options
- Once you remediate the findings in the penetration test report, it is critical to validate that your fix actions actually worked
- Without a retest, vulnerabilities that were supposedly fixed remain open for exploitation
10. Protects Your Data During and After the Test
- Data on your systems, data about your systems, and vulnerability data should be protected appropriately
- A penetration testing report contains not only the identified vulnerabilities, but how to exploit them
Summary
- Background
- What is a Penetration Test?
- Why do a Penetration Test?
- Vulnerability Assessment vs Penetration Test
- Types of Penetration Tests
- Top 10 Items to Look for in a Penetration Testing Vendor
Christian Espinosa
christian.espinosa@alpinesecurity.com
www.alpinesecurity.com