Penetration Testing in Cybersecurity

ManeuverableKazoo

25 Questions

Get the most fleeting information ____________________

first

Create 1:1 copies of evidence (imaging) to preserve the original system in the ____________________

evidence locker

Always work on ____________________ of evidence, never the original

copies

Deleted files may be recovered from ____________________ space

slack

Data can be hidden in other data through a process called ____________________

steganography

Locating hidden or encrypted data is difficult and might even be ____________________

impossible

Event reconstruction requires the use of system and external information, including ____________________ files

log

A compromised system can be identified by comparing it against a known good ____________________

state

Authorship analysis determines who, or what kind of person, created a ____________________

file

An investigator may have to appear in court as an expert ____________________

witness

Federated identity management allows users to use different identification credentials for each network they access.

False

Most sophisticated attacks only target vulnerable victims.

False

Next-generation 911 call centers are not vulnerable to cyberattacks because they use traditional landlines.

False

Cyberattacks are no longer a major concern for national and economic security.

False

A telephone denial of service (TDoS) attack uses email spam against a target network.

False

Study Notes

Penetration Testing

  • A penetration test (pentest) evaluates the strengths of all security controls on a computer system, including procedural, operational, and technological controls.
  • Organizations that need penetration testing include banks, financial institutions, government organizations, online vendors, and any organization processing and storing private information.
  • Certifications often require or recommend regular penetration testing to ensure system security.
  • Penetration testing can be performed from an external or internal viewpoint, and can be overt or covert.
  • The phases of penetration testing include:
    • Reconnaissance and Information Gathering: discovering information about a target without making network contact.
    • Network Enumeration and Scanning: discovering existing networks and live hosts.
    • Vulnerability Testing and Exploitation: checking for known vulnerabilities and assessing their severity.
    • Reporting: organizing and documenting information found during the test.

Phases of Penetration Testing

Reconnaissance and Information Gathering

  • Purpose: to discover as much information about a target as possible without making network contact.
  • Methods:
    • Organization info discovery via WHOIS
    • Google search
    • Website browsing

Network Enumeration and Scanning

  • Purpose: to discover existing networks and live hosts.
  • Methods:
    • Scanning programs (Nmap, autoscan)
    • DNS Querying
    • Route analysis (traceroute)

Vulnerability Testing and Exploitation

  • Purpose: to check for known vulnerabilities and assess their severity.
  • Methods:
    • Remote vulnerability scanning (Nessus, OpenVAS)
    • Active exploitation testing
    • Login checking and brute forcing
    • Vulnerability exploitation (Metasploit, Core Impact)
    • Post-exploitation techniques to assess severity

Reporting

  • Purpose: to organize and document information found during the test.
  • Methods:
    • Documentation tools (Dradis)
    • Organizing information by hosts, services, identified hazards, and risks

How to Become a Penetration Tester

  • Stay up to date on recent developments in computer security.
  • Become proficient in C/C++ and a scripting language like Perl.
  • Consider obtaining vendor certifications, such as those from Microsoft, Cisco, and Novell.
  • Penetration testing certifications include CEH and GPEN.

Digital Forensics

  • Emerging discipline in computer security.
  • Investigation that takes place after an incident has happened.
  • Goals: to answer questions about who, what, when, where, why, and how.
  • Branches of digital forensics:
    • Computer forensics
    • Firewall forensics
    • Database forensics
    • Network forensics
    • Mobile device forensics
    • Forensic data analysis

Digital Evidence

  • Definition: any data recorded or preserved on a digital device that can be read or understood by a person or computer system.
  • Characteristics:
    • Admissible
    • Authentic
    • Fragile
    • Accurate
  • Examples of digital evidence:
    • Email
    • Digital photographs
    • ATM transaction logs
    • Word processing documents
    • Internet browser history

Types of Digital Evidence

  • Persistent data: data that remains intact when the digital device is turned off.
  • Volatile data: data that is lost when the digital device is turned off.
  • Locations of evidence:
    • Internet history files
    • Temporary Internet files
    • Newsgroups
    • File storage dates
    • Personal chatroom records

Investigation Phases

Phase 1: Acquisition

  • Purpose: to recover as much evidence as possible without altering the crime scene.
  • Methods:
    • Documenting as much as possible
    • Maintaining Chain of Custody
    • Determining if an incident actually happened
    • Determining the type of system to be investigated
    • Acquiring fleeting information first
    • Creating 1:1 copies of evidence
    • Locking up the original system in the evidence locker

Phase 2: Recovery

  • Purpose: to extract data from acquired evidence.
  • Methods:
    • Working on copies, not originals
    • Extracting data, deleted data, and "hidden" data
    • File systems and metadata
    • Recovering deleted files
    • Slack space analysis
    • Steganography analysis
    • Encrypted data analysis

Phase 3: Analysis

  • Purpose: to locate contraband material, reconstruct events, determine if a system was compromised, or perform authorship analysis.
  • Methods:
    • Locating specific files
    • Determining if existing files are illegal
    • Utilizing system and external information
    • Establishing a timeline of events
    • Comparing against known good state

Phase 4: Presentation

  • Purpose: to present findings in a clear and concise manner.
  • Challenges:
    • Presenting complex technical information to non-technical audiences
    • Ensuring the integrity of the evidence
    • Ensuring the accuracy of the analysis

Forensics Tools

  • Acquisition:
    • dd, pdd
    • SafeBack, etc.
  • Recovery:
    • Encase
    • TCT and Sleuth Kit
  • Analysis:

DF Investigator Profile

  • Understanding of relevant laws
  • Knowledge of file systems, OS, and applications
  • Knowledge of tools and how to use them
  • Ability to explain technical concepts in simple terms

Cybersecurity and Data Power

  • Great businesses have been created by collecting and harnessing the power of data and data analytics.
  • These businesses have the responsibility to protect this data from misuse and unauthorized access.
  • The growth of data has created great opportunities for cybersecurity specialists.

Cybersecurity Domains

  • Cyber experts now have the technology to track worldwide weather trends, monitor the oceans, and track the movement and behavior of people, animals, and objects in real-time.
  • New technologies, such as Geospatial Information Systems (GIS) and the Internet of Everything (IoE), have emerged.
  • These technologies depend on collecting and analyzing tremendous amounts of data.

Cybersecurity Criminals

  • Hackers can be categorized into three types:
    • White hat attackers: break into networks or computer systems to discover weaknesses and improve security.
    • Gray hat attackers: may find a vulnerability and report it to the owners of the system if it coincides with their agenda.
    • Black hat attackers: unethical criminals who violate computer and network security for personal gain or malicious reasons.

Cybersecurity Criminals (Cont.)

  • Script Kiddies: teenagers or hobbyists with little or no skill, often using existing tools or instructions found on the Internet to launch attacks.
  • Vulnerability Brokers: gray hat hackers who attempt to discover exploits and report them to vendors for prizes or rewards.
  • Hacktivists: gray hat hackers who rally and protest against different political and social ideas.
  • Cyber Criminals: black hat hackers who are either self-employed or working for large cybercrime organizations.
  • State Sponsored Hackers: either white hat or black hat hackers who steal government secrets, gather intelligence, and sabotage networks.

Thwarting Cyber Criminals

  • Coordinated actions to limit or fend off cyber criminals include:
    • Vulnerability Database: National Common Vulnerabilities and Exposures (CVE) database provides a publicly available database of all known vulnerabilities.
    • Early Warning Systems: The Honeynet project provides a HoneyMap which displays real-time visualization of attacks.
    • Share Cyber Intelligence: InfraGard is an example of sharing cyber intelligence to prevent hostile cyberattacks.
    • Information Security Management (ISM) Standards: The ISO 27000 standards provide a framework for implementing cybersecurity measures within an organization.

Common Threats

  • Cybersecurity threats are particularly dangerous to certain industries because of the type of information they collect and must protect.
  • Information and services commonly targeted:
    • Personal information
    • Medical records
    • Education records
    • Employment and financial records
    • Network services such as DNS, HTTP, and online databases
  • Common attack vectors:
    • Packet sniffing and forgery
    • Rogue devices, such as unsecured Wi-Fi access points

Spreading Cybersecurity Threats

  • Threats can originate from within an organization or from outside.
  • Internal threats can cause greater damage than external threats because internal users have direct access to the building and its infrastructure devices.
  • External threats can exploit vulnerabilities in networked devices or use social engineering to gain access.

Spreading Cybersecurity Threats (Cont.)

  • Vulnerabilities of Mobile Devices: the inability to centrally manage and update mobile devices poses a growing threat to organizations that allow employee mobile devices on their networks.
  • Emergence of Internet-of-Things (IoT): the connection of various devices to the Internet increases the amount of data that needs protection.
  • Impact of Big Data: big data poses both challenges and opportunities based on three dimensions: volume, velocity, and variety.

Spreading Cybersecurity Threats (Cont.)

  • Threat Complexity:
    • Advanced Persistent Threats (APTs): continuous computer intrusions that stay under the radar and are directed against a specific target.
    • Algorithm attacks: track system self-reporting data and use it to select targets or trigger false alerts.
    • Intelligent selection of victims: sophisticated attacks only launch if the attacker can match the signatures of the targeted victim.

Threat Complexity (Cont.)

  • Broader Scope and Cascade Effect:
    • Federated identity management: multiple enterprises that let their users use the same identification credentials to gain access to the networks of all enterprises in the group.
  • Safety Implications:
    • Emergency call centers in the U.S. are vulnerable to cyberattacks that could shut down 911 networks, jeopardizing public safety.
    • Telephone denial of service (TDoS) attacks: use phone calls against a target telephone network, tying up the system and preventing legitimate calls from getting through.

This quiz evaluates your understanding of penetration testing, a crucial aspect of cybersecurity. Penetration testing is a simulated cyber attack against a computer system, network, or web application to assess its security.
