IE3022-Applied Information Assurance Lecture 2.pdf
Applied Information Assurance IE3022
Kanishka Yapa
Lecture 2: Penetration Testing

Penetration Testing
- Penetration testing, or ethical hacking, is a proactive security assessment.
- It tests internal and external systems by simulating an attack.
- During testing, security specialists review system security policies and procedures with the goal of reducing overall risk.
- It is carried out by a pentester.

Importance of Penetration Testing
- To identify the threats and vulnerabilities to an organization's assets.
- To provide a comprehensive assessment of policies, procedures, design, and architecture.
- To set remediation actions to secure them before they are used by a hacker to breach security.
- To test and validate the security protection and identify the need for any additional protection layer.

Approaches
Blue teaming is an approach in which a security team is responsible for analyzing the security controls and efficiency of an information security system. They detect and mitigate red team attacks.
In the red teaming approach, a team of ethical hackers or pentesters is responsible for system penetration with limited or no granted access to system resources. They detect and evaluate vulnerabilities from an attacker's perspective.

Types of Penetration Testing
Black box testing
The pentester has no prior knowledge about the system or any information about the target.
Grey box testing
Grey box testing is a type of penetration testing in which the pentester has very limited prior knowledge of the system or information about the target, such as IP addresses, operating system, or network information.
Grey box testing is designed to emulate a situation in which an insider might have this information, and to counter such an attack, as the pentester has basic, limited information regarding the target.
White box testing
White box testing is a type of penetration testing in which the pentester has complete knowledge of the system and information about the target. This type of penetration testing is done by internal security teams or security audit teams to perform auditing.

Security Assessments
- Network devices
- E-mail and web interfaces
- Wireless networks
- Applications and databases

Attack Surfaces
- Software
- Hardware
- Network
- Users

Stages of the Penetration Test
1. Pre-engagement
2. Information-gathering
3. Threat-modeling
4. Vulnerability analysis
5. Exploitation
6. Post-exploitation
7. Reporting

Pre-engagement
Perform pre-engagement interactions with the client to make sure everyone is on the same page about the pentest.
Things to look at:
- Take the time to understand your client's business goals for the pentest.
- Is this their first pentest?
- What prompted them to find a pentester?
- What exposures are they most worried about?
- Do they have any fragile devices you need to be careful with when testing?
- What matters most to them?

Other important items to discuss and agree upon during the pre-engagement phase of the pentest:
- Scope
- The testing window
- Contact information
- A "get out of jail free" card
- Payment terms
- Nondisclosure agreement clause

Information Gathering
- The footprinting phase allows the attacker to gather information regarding the internal and external security architecture.
- Learning as much as possible about the target.
- Time consuming. May take weeks or months to complete.
- To save time, some information can be provided, such as IP addresses.

Penetration Testing - Scanning
- Attackers use this to get an understanding of the network.
- Dive deeper into the network.
- Look for valuable data and services.
- Specific IP addresses.

Threat Modeling
Threat modeling is the process or approach used to identify, diagnose, and assess the threats and vulnerabilities of the system. It is an approach to risk management that focuses on analyzing system security and application security against security objectives. This identification of threats and risks helps to focus and take action on an event to achieve the goals.

Vulnerability Analysis
Vulnerability assessment can be defined as a process of examination, discovery, and identification of system and application security measures and weaknesses. Vulnerability assessment also helps to recognize the vulnerabilities that could be exploited, the need for additional security layers, and information that can be revealed using scanners.

Penetration Testing - Gaining Access
- Maintain access once you have gained access.
- Escalate the privileges to the Administrator level.

Exploitation
The act of exploiting the vulnerability in the target system. This may be the most desired component for most pentesters.

Penetration Testing - Exploitation
- Launch exploits such as webserver attacks, buffer overflows and cross-site scripting.
- Install a rootkit so the ethical hacker can access the system anytime.

Reporting
- This is the final phase of penetration testing.
- Results of the pentesting are presented in the report.
- Can contain an executive summary.
- The vulnerabilities may be categorized as High, Medium and Low.

Understanding Penetration Testing
- Constant vigilance
- Patch and configuration management
- Monitor system defenses
- Securely configure the OS and other applications
- Employment training
- End-point protection, as the conventional perimeter has extended to the end users in the new work-from-home scenarios

The true story
- An attacker may be able to breach the network defenses and steal data.
- Test your defenses to see how your system performs under an attack.
- Do not wait until a real breach and face the consequences.

Penetration Testing
- Proactive security assessment
- Tests systems by simulating attacks
- Review policies and procedures

Ethical Hackers
- Also known as white hat hackers. Example: members of CERTs.
- Examine the many ways in which a breach can occur.
- Use the same techniques and tools as a black hat hacker.

Penetration testing helps to answer the following questions:
- Do we have any unnecessary services running?
- Are social engineering techniques effective?
- What are the exploitable vulnerabilities?
- Are antimalware signatures up to date?
- Are the operating system patches current?

Risk
- Conducting a thorough ethical hacking exercise will help to identify risks to the organization.
- Risk is when a person, place or thing is open or exposed to harm which can result in injury, death or destruction.
- Organizations carry out risk analysis to consider potential threats such as cyber attacks.

Manage Risk
- Organizations implement methods to manage risks and reduce the potential for harm.
- The goal is to reduce the risk to protect the assets, which are tangible and intangible items that can be assigned a value.
- Tangible asset examples: laptop, printer.
- Intangible asset examples: data, trade secret.

Risk = Threats x Vulnerability

Defining Risk
- Threats may exist, but if there is no vulnerability there is no risk.
- Correspondingly, if there is a vulnerability but no threat, there is no risk.

Defining Threat
- Anything that can exploit a vulnerability, intentionally or accidentally, resulting in damaging or destroying an asset.
- Something that might happen and is difficult to control.
- May include a disgruntled employee, a hacker, or nature.

Defining Vulnerability
- A security flaw or weakness in a system that can be exploited by a threat to gain unauthorized access to an asset.
- Example: connecting a system to the Internet can represent a vulnerability if the system is unpatched.

Case Study
Think of a situation where an individual is affected by rain.