Chapter 8 - 05 - Understand Fundamentals Of Penetration Testing and its Benefits - 03_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Types of Penetration Assessment: Goal-oriented vs. Compliance-oriented vs. Red-team-oriented Goal-oriented/Objective-oriented Penetration Testing O This type of assessments is driven by goals. The objectives of the penetration test are defined, rather than defining the scope of targets O The goal of penetration assessment is defined before it begins O The job of the pen tester to check whether he/she can achieve the goal and to determine the different ways to achieve the goal Gain remote access to an internal network Exa.mples @ Gain access to credit-card information e Gain domain administrator access Create a denial of sexvice (DoS) condition against a website Deface a website Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited Types of Penetration Assessment: Goal-oriented vs. Compliance-oriented vs. Red-team-oriented (Cont’d) ¢ "‘ 4 z : 6\ ! fa : " ‘- N -~ rd | O This type of assessments is driven by ( compliance requirements. It is testing against adherence to compliance requirements PENETRATION'. TES s Compliance-oriented Penetration Testing T O | standards, frameworks, laws, acts, etc. f// ! ’ It entails conducting an assessment against the compliance requirements of cyber security O For example, an organization may ask to perform a security assessment against PCI-DSS requirements Copyright © by Module 08 Page 1106 EC-{ L. All Rights Reserved. Reproduction is Strictly Prohibited Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Types of Penetration Assessment: Goal-oriented vs. Compliance-oriented vs. Red-team-oriented (Cont’d) f Red-team-based Penetration Testing O ' B0 - Red-team-based penetration testing is an adversarial goal-based assessment in which the pen tester must mimic the behavior of a real attacker and target the environment 2\ A\ ‘ a v > This type of assessment has no specific driver For example, an organization may ask to \ < conduct a security assessment for evaluating its overall security. It may include assessing people, networks, applications, physical security, etc. Copyright © by | Types of Penetration Assessment: Red-team-oriented cil. All Rights Reserved. Reproductionis Strictly Prohibited. Goal-oriented vs. Compliance-oriented vs. Penetration assessment can be performed using the following approaches. Goal-oriented/objective-oriented penetration testing approach: Goals are the drivers for this penetration testing approach. In this type of assessment, with identifying or demonstrating a risk attempts vulnerabilities. They focus on finding different ways penetration assessment, the goal is defined before the set goals (objective), the pen tester performs Some follows: common goals to achieve a goal, rather than find to achieve the goal. In goal-oriented the start of pen testing. To achieve multiple serial or parallel processes. in goal-oriented/objective-oriented penetration o Gain remote access to an internal network o Gain access to credit-card information o Gain domain administrator access o Create a denial of service (DoS) condition against a website o Deface a website Compliance-oriented drivers for this penetration testing approach: Compliance approach. It entails testing a pen tester tasked against testing are as requirements are the adherence to compliance requirements. It involves conducting assessments against the compliance requirements of cyber-security standards, frameworks, laws, acts, etc. For example, an organization may ask to perform a security assessment against compliance standards such as PCl- Module 08 Page 1107 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 DSS, 1SO-27001, FISMA, HIPAA, and HITRUST. Compliance-oriented penetration testing also reviews firewall rules for compliance. The compliance-oriented penetration testing approach is a proactive approach to secure and maintain compliance. This enables organizations to do the following: o Maintain the security posture of the organization attacks before they occur by identifying and o Enhance the security infrastructure or policy framework o Evaluate an organization’s compliance level in specific areas management, password policy, and configuration management o Protect client data from breaches, which could result in a heavy penalty o Verify the system’s security with respect to certification and accreditation (C&A) such preventing as patch activities = Red-team-oriented penetration testing approach: This approach is an adversarial goalbased assessment in which the pen tester must mimic a real attacker and target an environment. This approach has no specific driver. For example, an organization may ask to conduct a security assessment for evaluating its overall security. It may include the assessment of people, networks, applications, physical security, etc. Furthermore, it is an offensive type of security testing in which a red team works with a blue team and updates the blue team with the tactics, techniques, and procedures (TTPs) used by the read team. It enables organizations to do the following: o Understand their ability to detect and respond to real-world attacks o Assess their organizational security with respect to specific targets o Verify their organizational response to an attack o Validate elements of organizational security postures o Identify risks missed by the penetration testing team Module 08 Page 1108 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Strategies of Penetration Testing Penetration testing strategies are broadly classified as follows: | l | | Black box White box Gray box O Each test strategy takes a different approach for assessing the security of an organization’s infrastructure H @ ' Copyright © by Strategies of Penetration Testing The three types of penetration testing are black-, white-, and gray-box testing. Each test type takes a different approach for assessing the security of an organization’s infrastructure. = Black-box testing To simulate real-world attacks and minimize false positives, penetration testers can choose to undertake black-box testing (or zero-knowledge attack, with no information or assistance from the client) and map the network while enumerating services, shared file systems, and operating systems (OSes) discreetly. * White-box testing If the organization needs to assess its security against a specific kind of attack or a specific target, complete information about the same may be given to pen testers. The information provided can include network topology documents, asset inventory, and valuation information. An organization typically opts for white-box testing when it requires a complete audit of its security. It is critical to note that despite all of this, information security is an ongoing process, and penetration testing only provides snapshot of the security posture of an organization at any given point in time. = a Gray-box testing Gray-box penetration testing is the most common approach toward application security that tests the vulnerabilities an attacker can find and exploit. This testing process functions in a manner similar to black-box testing. Both the attacking team and a normal user of the application are provided with the same simulate an attack performed by a malicious insider. Module 08 Page 1109 privileges, and the purpose is to Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Penetration Testing Process O ® Defining the Scope » Extent of testing » What will be tested » Performing the Penetration Test 7 Reporting and Delivering Results Involves gathering all information significant to security vulnerabilities » Where testing will Listing vulnerabilities » Categorizing risks as high, medium, or low » Recommending Involves testing the be performed targeted environment from (s::::\:i:zrr;fimork ! repairs if vulnerabilities are found T, topoloiy, and software AWho Wik pectorn testing » » Penetration Testing Process The process decisions for performing regarding vulnerabilities. the a penetration actions taken test in an before organization testing the consists networking of some devices and critical system The process is defined for all the operations performed during and prior to the penetration test, and it entails defining the scope, performing the penetration test, and reporting and delivering results. = Defining the Scope Before performing a penetration test, it is necessary to first define the range of testing. For different types of penetration testing, different types of network devices exist. The test can either be a full-scale test for the entire network and systems or for target devices such as web servers, routers, firewalls, Domain Name System (DNS) servers, mail severs, and File Transfer Protocol (FTP) servers. The scope of penetration testing covers the following: = o Extent of testing o What will be tested o Where testing will be performed from o Who will perform testing Performing the Penetration Test Each company ensures that the processes they implement for penetration testing are appropriate. Therefore, Module 08 Page 1110 proper methodologies must be used for performing a good Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 penetration test. The tester is responsible for checking the system for any existing or new applications, networks, and systems, in addition to checking whether the system is vulnerable to a security risk that could allow unauthorized access. This process involves gathering all the information significant to security vulnerabilities. This also involves testing the targeted environment such as network configuration, topology, hardware, and software. = Reporting and Delivering Results Once the penetration testing is completed, security testers examine all the information derived from the testing procedure. The delivery report contains the following: o List of prioritized vulnerabilities and risks o Information pertaining to the strong and weak points of the existing security system o Risks categorized as high, medium, or low o Information about each device’s vulnerabilities Testers make recommendations for repairing found vulnerabilities and provide technical information on how to fix the vulnerabilities found in the system. They can also provide some useful resources to the organization such as Internet links that may be helpful for finding additional information or patches to repair found vulnerabilities. Module 08 Page 1111 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.