0 Kluge Burch Zimmerling GRC Advisors Commodity Services Specification Penetration Testing & Application Security Assessment January 2015
1 Kluge Burch Zimmerling Content 1.Introduction 2.Assessment Workflow 3.Generic Penetration Testing work program 4.Penetration Testing work program for specific host types 5.Penetration Testing work program for network subnets 6.Application Security Assessment 7.Example Report
2 Kluge Burch Zimmerling Introduction This document outlines the work program defining the Penetration Testing and Application Security Assessment Commodities available at Method of TestingAll assessments are performed remotely over the internet. Reporting FormatThe report will be issued in a standardized format as outlines in the appendix. Assessor and StandardsBoth services are offered by the Partner Companies indicated on our Website. The assessments are performed by experienced testers and are made in accordance with common standards such as OWASP, NIST and BSI.
3 Kluge Burch Zimmerling Workflow You select and order at KBZ website Order is forwarded to Assessor Assessor confirms your order Assessor provides you with secure means of communication for next steps Your identity and your ownership of the subject of evaluation are confirmed You communicate the IP addresses of the systems to be tested Assessor agrees with you the details of the testing such as the time of execution Assessor performs tests Assessor provides report via the secure means of communication ConfirmationOrder Define Subject of Evaluation ExecutionReporting 1 dayInstantly1 day3 days2 days Timeline NB. “day” means working day, Mo-Fr
Penetration Testing Single Hosts
5 Kluge Burch Zimmerling Penetration Testing – Generic Assessment Program Phase NoObjectiveTesting Steps 1Information Gathering (I) (According to NIST, BSI) Research information about the target system. Method: Search Engines, Forums, Tools e.g. Dig, Nslookup 2Information Gathering (II)Scan target systems and their ports to detect services they offer. Method: Nmap, Hping, other Portscanners 3FingerprintingMethod: Vulnerability Scanning Software such as Qualis, OpenVAS, Nessus, NMap 4Vulnerability ResearchResearch system vulnerabilities based on the information gathered. Method: Vulnerability Scanning Software, CVE DB, VulnDB, Exploit DB 5Verification and ExploitingVerification and exploiting of found vulnerabilities Method: Individually, depending on system and vulnerabilities found This Generic Assessment Program describes the basic steps for penetration testing irrespective of the host type. It assumes an approach without authentication credentials and involves manual testing and verification of vulnerabilities found. Host specific testing and the Application Security Assessment use this program as starting point.
6 Kluge Burch Zimmerling Tests for Specific Host Types Host TypeTesting Steps Manual Verification Testing of logon mechanisms and forms for SQL Injection and XSS Additional tests based on OWASP Top 10 Mail Server Generic Work Program SMTP Tests e.g. relaying Mail & Malware Tests. Authentication credentials required. Sending different file extension samples and test-malware to test filtering Testing active protocols e.g. POP3, IMAP for vulnerabilities DNS Server Generic Work Program DNS Cache Poisoning DNS spoofing DNS Aplification Attack Recursive Queries DNS Protokoll attacks and Man-in-the-Middle attacks Testing for von data leakage via DNS Server Remote Access Server e.g. RAS, VPN, OWA Without authentication credentials Generic Work Program Testing authentication platform or mechanism Transport encryption Testing for vulnerabilities against Man-in-the-Middle attack scenarios Testing for von data leakage Transfer Server (FTP, SFTP) With authentication credentials Generic Work Program Testing Authentication platform or mechanism Reviewing access rights Testing for vulnerabilities against Man-in-the-Middle attack scenarios Testing for von data leakage Others Generic Work Program Determined on a case by case basis depending on the subject of evaluation
Penetration Testing Network Subnets
8 Kluge Burch Zimmerling Subnet Testing Maximum number of Hosts50 Testing Approach Generic Work Program, Steps 1-4 Selection of a sample of hosts for more details analysis, Step 5 DescriptionInstead of choosing particular hosts, subnet testing refers to all hosts within the specified subnet. For practicability reasons subnets may not include more than 50 hosts. As it is unfeasible to test all hosts within the subnet with the same level of detail, this type of testing leaves it to the assessor to chose a sample of hosts that are considered the most vulnerable. Depending on the type of host and the outcome of the first four steps of the Generic Work Program the assessor will perform a set of targeted tests which are in his professional judgment the most suitable.
Application Security Assessment
10 Kluge Burch Zimmerling Application Security Assessment Description & ScopeManual test and verification of an application using valid authentication credentials. Comprises: Generic Penetration Test of the hosts system (see previous pages) Assessment of the Applikation against OWASP Top 10 Further assessment depending on effort spent in individual case Black Box Testing (Web, Mobile) Application only One Operating System Host testing if necessary Testing of the application according to OWASP Top 10 or OWASP Mobile Top 10 respectively Supplementary tests according to OWASP Testing Guide Exploiting as reasonable in particular case and subject to effort spent Code Review Review of relevant part of application source code such as Sessions Management and Encoding Review according to OWASP Code Review Guide Project Full Review Black Box Testing and Code Review combined.
11 Kluge Burch Zimmerling Example Report
12 Kluge Burch Zimmerling Kluge Burch Zimmerling Ltd GRC Advisors Unit 4111 PO Box 6945 London W1A 6US +44 (0) Registered in England and Wales. Company No ICO Security No. CSN VAT No. GB Registered Office: 22 Village Square, Stockport SK7 1AW, United Kingdom