Professionalizing Penetration Tests CORE SECURITY TECHNOLOGIES © 2002 Professionalizing Penetration Testing.


1 Professionalizing Penetration Tests CORE SECURITY TECHNOLOGIES © 2002 http://www.corest.com Professionalizing Penetration Testing

2 What will we discuss today?
Agenda
• The Penetration Test
  – What is it?
  – How is it done?
• Problems in the current practice
  – Why do we need an improved approach?
• Practical demonstration

3 What is a Penetration Test?
• Rationale: “Improving the security of your site by breaking into it”, Dan Farmer & Wietse Venema, 1993, http://www.fish.com/security/admin-guide-to-cracking.html
• A plausible definition: A localized and time-constrained attempt to breach the information security architecture using an attacker’s techniques

4 What are the goals of a Penetration Test?
Goals
• To improve Information Security awareness
• To assess risk
• To mitigate risk immediately
• To reinforce the Information Security process
• To assist in decision making processes
• To test the accuracy of the security policy in place

5 What are the final results?
Final Results
• Clear description of scope and methodology
• Reproducible and accountable process
• High-level analysis and explanation (for upper/non-technical management)
• General recommendations and conclusions
• Detailed findings

6 Why do we care?
Growing Importance
• Penetration tests have become an integral part of standard security process
• Governments beginning to mandate periodic tests for certain agencies
• Demand is rapidly increasing, and the process needs to be able to keep up

7 How are Penetration Tests done today?
Penetration Test Stages
• Information Gathering
• Information Analysis and Planning
• Vulnerability Detection
• Penetration
• Attack/Privilege Escalation
• Analysis and Reporting
• Clean-up

8 What works well today, and what does not?
Penetration Test Stages
• Information Gathering
• Information Analysis and Planning
• Vulnerability Detection
• Penetration
• Attack/Privilege Escalation
• Analysis and Reporting
• Clean-up

9 What are the problems today?
Problems with ‘Information Analysis and Planning’ Stage
• Difficult and time consuming task of consolidating all information gathered and extracting high-level conclusions to help define attack strategy
• Hard to keep an up to date general overview of the components and their interaction
• No specific tools aimed at addressing this phase
• Experienced and knowledgeable resources required for this stage, overall time constraint could limit the extent of their work

10 What are the problems today? (cont.)
Problems with ‘Penetration’ Stage
• Some tools available, but generally require customization and testing
• Publicly available exploits are generally unreliable and require customization and testing
• In-house developed exploits are generally aimed at specific tasks or engagements (mostly due to time constraints)
• Knowledge and specialization required for exploit and tool development
• Considerable lab infrastructure required for successful research, development and testing (platforms, OS flavors, OS versions, applications, networking equipment, etc.)

11 What are the problems today? (cont.)
Problems with ‘Attack/Privilege Escalation’ Stage
• Some tools and exploits available, but usually require customization and testing (local host exploits, backdoors, sniffers, etc.)
• Monotonous and time consuming task: setting up the new “acquired” vantage point (installing software and tools, compiling for the new platforms, taking into account configuration specific details, etc.)
• Considerable lab infrastructure required for research, development, customization and testing
• Lack of a security architecture for the Penetration Test itself

12 What are the problems today? (cont.)
Problems with ‘Analysis and Reporting’ Stage
• Manually gathering and consolidating all the log information from all phases is time consuming, boring and prone to error
• Logging of actions is left up to the team members, does not ensure compliance
• Organizing the information in a format suitable for analysis and extraction of high level conclusions and recommendations is not trivial
• Writing of final reports often considered the boring leftovers of the Penetration Test, security expertise and experience is required to ensure quality but such resources could be better assigned to more promising endeavors
• No specialized tools dedicated to cover these issues

13 What are the problems today? (cont.)
Problems with ‘Clean Up’ Stage
• Requires detailed and exact list of all actions performed, but logging of actions still manual
• Clean up of compromised hosts must be done securely and without affecting normal operations (if possible)
• The clean up process should be verifiable and non-repudiable, the current practice does not address this problem
• Clean up often left as a backup restore job for the Penetration Test customer, affecting normal operations and IT resources

14 So what does all that mean?
• Inefficient due to reliance on disparate software packages and manual performance of tedious tasks
• Informal and non-standardized
• Difficult for companies to define and enforce their own methodology
• Inconsistent in execution
• Error-prone and sometimes NOT secure due to manual logging and clean-up
• Difficult to centralize and share experience/knowledge across the firm
• Expensive due to a steep learning curve and labor-intensiveness
• Not very scalable
New tools are needed to improve the process

15 One possible solution to these problems: CORE IMPACT
CORE IMPACT
• Provides a framework for Penetration Testing
• Increases productivity
• Builds knowledge and security expertise
• Provides an open and extensible architecture
• Brings the practice to a new quality standard

16 How does CORE IMPACT work?
• The Model:
  – Simplifies and abstracts all the components of the system and their relations
  – Provides a foundation on which to build
  – Provides a common language
• Agents - “The pivoting point” or “the vantage point”
  – The context in which Modules are run
  – Installable on any host
  – Secure
  – Remotely control other Agents
  – Easy clean up
• Modules - “Any executable task”
  – Information gathering, attacks, reporting, scripting of other Modules
  – Simple and easy to extend
  – Have access to every tool together, under the same framework

17 What are the benefits?
• Provides a framework that encompasses all the Penetration Testing phases
  – Enables customers to define and standardize own methodology
  – Enforces the following of their methodology and ensures quality
• Drastically reduces time required to perform a Penetration Test
  – Agent/Module architecture simplifies target penetration and privilege escalation
  – Automates monotonous and time-consuming tasks
  – Frees valuable resources to focus on most important and difficult phases
• Improves the security of the Penetration Testing practice
  – Reduces errors, particularly in the clean-up stage
  – Strong authentication and encryption between console and Agents
• Enables knowledge acquisition and shared learning
  – Entity Database consolidates all work done for future reference and use
• Makes the Penetration Testing practice more professional and scalable

18 IMPACT DEMO
[Network diagram; labels: Back Office Network, DMZ, Pen Tester Console, INTERNET]

19 CONTACT INFORMATION
USA
44 Wall Street, New York, NY 10005
Tel: (212) 461-2345
Fax: (212) 461-2346
info.usa@corest.com
Jeffrey Cassidy, Director of Business Development, USA
jeffrey.cassidy@corest.com

