Tom Eston, CISSP, GWAPT
Jason Broz, CIPP/US
Assessing a Pen tester:
Making the right choice when selecting a third party firm

2/12/2014
WEBINAR PRESENTERS
• Tom Eston, CISSP, GWAPT
  • Manager, Attack and Defense Team
  • Founder, SocialMediaSecurity.com
  • OWASP Contributor
  • SANS Community Instructor
  • International Speaker
    • DEFCON, Black Hat USA/Abu Dhabi and many others

• Jason Broz, CIPP/US
  • Audit and Compliance Consultant
  • Previous positions include
    • IT for a Fortune 1000 company
    • Management and Sales
  • Member of IAPP and ISACA

Data Classification: SecureState Proprietary

WEBINAR GOALS
• Help you better understand Penetration Testing goals and objectives
• Provide clarity on differences
• Elaborate upon differences within the industry
• Answer questions in regard to decision making

QUICK POLL
• Who has recommended a pentest?
• Who has purchased a pentest?
• Who has performed a pentest?
• Who has had to deal with the results from a pentest?
  – Who has seen a bad report?

WHAT IS A PENETRATION TEST?

WHAT IS PENETRATION TESTING?
• Method of evaluating the security of:
  o Computer systems
  o Network Devices
  o Web Applications
  o Physical Buildings and Infrastructure
• Simulates an intrusive attack by a malicious attacker

“Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. It often involves launching real attacks on real systems and data that use tools and techniques commonly used by attackers”

Source: NIST SP 800-115, http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

KEY COMPONENTS OF PENETRATION TESTING
• Established methodology
• Attack vectors
• Scope established
• Trophies or goals identified
• Manual methods used in addition to tools
• Team based

MOST COMMON PENETRATION TESTING METHODOLOGIES
• Penetration Testing firms should follow one or more of the following methodologies:
  • PTES (Penetration Testing Execution Standard)
  • NIST SP 800-115
  • OSSTMM (Open Source Security Testing Methodology Manual)
  • OWASP Testing Guide (Open Web Application Security Project)

PENETRATION TESTS ARE NOT
• Vulnerability Assessments
  • Simply running an automated tool (e.g., Nessus)
• Manual review of security “controls”
  • This is an audit

From a cost perspective, a pentest will cost significantly more than a Vulnerability Assessment because of the manual testing involved.

REASONS FOR PERFORMING A PENETRATION TEST
• Compliance requirement (PCI)
• Told to perform a Penetration Test by management
• Identification of vulnerabilities in your network that can be exploited
• How difficult would it be for a hacker to compromise valuable data?
• Are your defenses working? Test of Incident Response and Monitoring systems.
• Need budget to resolve issues and build the security program

REASONS NOT TO PERFORM A PENETRATION TEST
• Consumes your entire security budget
• Lack of resources to address any issues that the penetration test might discover
• No clear goals defined for the pentest

A penetration test is an excellent way to identify problems, but on its own it cannot fix them.

SECONDARY BENEFITS
• Incident Response
  • Is someone monitoring your assets?
  • How do they respond?
• Security Awareness of Users
  • Social Engineering
  • Phishing, phone calls
• Alarms, Guards, and Detection
  • Are physical controls sufficient?

WHAT DOES ALL THIS MEAN TO YOU?

PENETRATION TESTS WITHIN YOUR ORGANIZATION
• Does your organization need a Penetration Test?
• Why does your organization need to do a Penetration Test?
• What type of Penetration Test do you need?
• What are your goals?
• What is the objective?
• What is the most valuable data on your network?
  • Trophies

WHY DOES YOUR ORGANIZATION NEED A PENETRATION TEST?
• Do you have sensitive data?
  • Credit card numbers
  • Protected Health Information (PHI)
  • Personally Identifiable Information (PII)
  • Proprietary data
• Regulatory requirement?
  • Payment Card Industry (PCI) or HIPAA
• Unsure of your defenses?
• Need to obtain budget?

WHAT TYPE OF PENETRATION TEST DO YOU NEED?
• Several different types:
  • External Network
  • Social Engineering
  • Internal Network
  • Wireless Network
  • Web Application
  • Physical Security
  • Full Scope

EXTERNAL NETWORK
• Simulates an attacker on the Internet
  • Passive footprinting
  • What network ports are exposed?
  • This type of penetration test should include brute force attacks
• Most common type of penetration test
• Typically done remotely

SOCIAL ENGINEERING
• Targets people, processes and awareness
  • Phishing
  • Spear phishing
  • Phone calls
  • USB/thumb drive drops
• Often paired with other assessments

Social Engineering attacks typically have a VERY high success rate.

INTERNAL NETWORK
• Simulates someone gaining access to your internal network
  • Contractor, malicious employee, backdoor malware
• What internal resources can we penetrate?
  • Critical servers, PCI data, etc.
• Can be paired with wireless and physical assessments

WIRELESS NETWORK
• Focused on attacking wireless networks
  • Tests encryption strength, authentication
  • How far can someone see the wireless network?
  • Can someone connect from a far distance?
• War driving

WEB APPLICATION
• Three types of Web Application Penetration Tests
  • Black Box
    • No previous knowledge
  • Grey Box
    • User credentials provided; user role and business logic testing
  • White Box
    • Code review

PHYSICAL SECURITY
• Assess the physical security of a facility or location
  • Human safety
  • Confidentiality
  • Integrity
  • Availability
• How can someone access your facility?
  • Tailgating, lock picking, alarm bypass
  • Social engineering

DETERMINING SCOPE
• A good Penetration Test should focus on attacking the core business and its processes
• Need to understand how sensitive data traverses your network
  • What it touches
  • Where it is stored
  • How it is transmitted
• Are there other things that you would like to assess?
  • Secondary considerations

DETERMINING SCOPE
• Regulatory requirements
  • PCI requires all systems on a segment to be tested
• Don’t lose value in what you purchased!
  • Limiting scope
  • Determine trophies

OTHER SCOPE CONSIDERATIONS
• Define operational constraints
  • Assessment timeframe
    • Outside of business hours
    • During business hours
• Need to know
  • Test of Incident Response
  • Notify only those with a business need
• The Penetration Testing firm needs to provide the IP addresses and contact information of the consultant performing the engagement!
• Ask for a Project Charter

WHAT DO YOU DO NOW?

WHAT TO LOOK FOR WHEN OBTAINING A THIRD PARTY FIRM
• Methodology
• Tools
• Goals
• Results
• Experience
• Certifications

METHODOLOGY
• A penetration test methodology needs to follow:
  • Reconnaissance
  • Enumeration
  • Exploitation
  • Post Exploitation
  • Pilfering
  • Clean up and Reporting

METHODOLOGY
• Reconnaissance
  • Initial information gathering
  • Non-invasive
  • Goal is to learn everything you can about the target
• Enumeration
  • Potential vulnerabilities are initially identified
  • Can involve the use of vulnerability scanners
  • Also involves manual interaction

METHODOLOGY
• Exploitation
  • Attempt to exploit vulnerabilities
  • Tools like Metasploit or Core Impact could be used
  • Typically involves manual work, including developing custom exploit code
• Post Exploitation
  • Attempt to leverage exploited vulnerabilities
  • Elevating privileges on compromised systems
  • Potential for leveraging trust relationships between systems

METHODOLOGY
• Pilfering
  • Attempt to obtain “trophies” and other sensitive data
  • Defined in the scope
  • Penetration testers use password hashes, encryption keys and user lists (to name a few) to gain access to data
• Clean up and Reporting
  • The penetration tester should always clean up after themselves!
  • Remove files left by the tester and traces of access
  • Reporting is the most important phase!

WARNING SIGNS
• They only plan to use a vulnerability scanner such as Nessus
• They only plan to use a commercial exploitation tool such as Core Impact or Canvas
• The report is raw output from any of these tools

COMMON MISTAKES IN PENETRATION TESTS
• Limiting the scope of the test
• Making changes while the test is being performed
• Using under-skilled penetration testers
• Calling a Vulnerability Scan a Penetration Test

VULNERABILITY SCANNERS
• A common misconception is that a pentest is nothing more than running the Nessus scanner
• A vulnerability scanner casts a very wide net, and makes a lot of noise
• Penetration tests are focused, and often quiet
• Many penetration testers don’t use a vulnerability scanner at all during their testing

WHY A VULNERABILITY SCANNER IS NOT ENOUGH
• Does not identify dangerous trust relationships between components
• Vulnerability scans contain false positives
  • Not an accurate picture of security
• If PCI is a concern, both pentesting and Vulnerability Scans are needed for a Report on Compliance
• Attackers will take advantage of chained vulnerabilities to obtain access
  • Vulnerability linkage

CHAINED VULNERABILITIES
• It’s not uncommon for several lower severity vulnerabilities to be chained together to allow an attacker to compromise something of high value
• Demonstrating where this can be done is one of the most valuable things a pentest can provide you
• The Penetration Testing firm needs to provide a detailed explanation of any of these situations
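
Added example, not from the webinar or from SecureState: a small Python model of the vulnerability linkage described above, run over a constructed set of report findings. It finds every chain from an unauthenticated Internet position to the scoped trophy, contrasts the chain's impact with the ratings the findings carry on their own, and picks out the findings whose remediation breaks every chain. All finding ids, titles, ratings and links are assumptions made for illustration.

```python
"""Attack-path view of a pentest report (added example, constructed data).

Each finding is a node carrying the severity the report assigned to it on
its own. An edge A -> B means that once A has been achieved, finding B
becomes usable. A chain from the starting position to a scoped trophy is
the situation the report should explain in detail.
"""

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed findings: id -> (title, standalone rating from the report)
FINDINGS = {
    "F1": ("Error page discloses internal hostnames", "Low"),
    "F2": ("Staff names and e-mail address format visible on public site", "Info"),
    "F3": ("No account lockout on remote-access portal", "Medium"),
    "F4": ("Service account password reused as workstation local admin", "Medium"),
    "F5": ("Shared folder readable by all users holds a cardholder data export", "Medium"),
}

# Constructed linkage: which finding becomes usable once another is achieved.
START = "internet"            # unauthenticated position on the Internet
TROPHY = "cardholder-data"    # the trophy defined in the scope
LINKS = {
    START: ["F1", "F2"],
    "F1": ["F3"],
    "F2": ["F3"],
    "F3": ["F4"],
    "F4": ["F5"],
    "F5": [TROPHY],
}


def find_chains(links, start, trophy):
    """Return every simple path from start to trophy, as lists of node ids."""
    chains = []

    def walk(node, path):
        if node == trophy:
            chains.append(path)
            return
        for nxt in links.get(node, []):
            if nxt not in path:          # simple paths only, no cycles
                walk(nxt, path + [nxt])

    walk(start, [start])
    return chains


def findings_in(chain):
    """The finding ids on a chain, dropping the start and trophy markers."""
    return [n for n in chain if n in FINDINGS]


def max_standalone_severity(chain):
    """Highest rating any single finding on the chain received on its own."""
    ratings = [FINDINGS[n][1] for n in findings_in(chain)]
    return max(ratings, key=SEVERITY_RANK.__getitem__)


def chain_severity(chain, trophy):
    """Rating the chain deserves as a whole: reaching a scoped trophy is
    Critical, whatever the individual parts were rated."""
    if chain and chain[-1] == trophy:
        return "Critical"
    return max_standalone_severity(chain)


def choke_points(chains):
    """Findings present on every chain: fixing any one of them breaks all
    of them, so they are the first remediation candidates."""
    sets = [set(findings_in(c)) for c in chains]
    return set.intersection(*sets) if sets else set()


def analyse(links=LINKS, start=START, trophy=TROPHY):
    """Summarise the linkage the way a reader of the report would want it."""
    chains = find_chains(links, start, trophy)
    return {
        "chains": chains,
        "worst_standalone_rating": max(
            (max_standalone_severity(c) for c in chains),
            key=SEVERITY_RANK.__getitem__, default="Info"),
        "chain_rating": "Critical" if chains else "n/a",
        "choke_points": sorted(choke_points(chains)),
    }


if __name__ == "__main__":
    result = analyse()
    for chain in result["chains"]:
        print(" -> ".join(chain))
    print("worst individual rating:", result["worst_standalone_rating"])
    print("rating of the chain:", result["chain_rating"])
    print("fix first (on every chain):", ", ".join(result["choke_points"]))
```

In the constructed data no single finding rates above Medium, yet two chains reach the trophy; a report that lists the five findings without the linkage hides that, and the choke points (F3, F4, F5) are where remediation effort pays off first.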

WHAT IS A “GOOD” PENETRATION TEST?
• Covers all relevant attack vectors, not defined by IP ranges
• Should be goal based
• Clearly shows vulnerable assets that can be compromised
• Tests the system as a whole, including existing defense mechanisms
• Your goals and objectives
• Definitive end to the project

RESULTS
• Output typically includes some kind of report
  • Should not only be raw data or a tool report
  • Discusses high level and detailed findings
  • Needs an Executive Summary!
• Ask for information on all of the vulnerabilities that were found
  • If the penetration tester got to a trophy, you want to know exactly how they got there.
  • Usually a chain of several vulnerabilities
• The Penetration Tester should provide screenshots, tool logs and other data upon request

RESULTS: NEXT STEPS
• After the Penetration Test has been completed, the organization will have a better understanding of the areas that need to be hardened within the infrastructure
• Mitigate the high risk vulnerabilities to lower your chances of a breach
• Follow security principles (defense in depth) to improve security after remediation

EXPERIENCE
• Assessing the skills and experience of a penetration testing firm can be difficult; a few items to look for:
  • How long have they been doing penetration testing?
  • Have they written any pentesting tools?
  • Have they presented on pentesting at large pentest events (SANS, DEFCON, Shmoocon, BlackHat, DerbyCon)?
  • Do they have any pentest certifications (OSCP, GPEN, GWAPT)?
    • Some certifications like CEH are less credible!

CERTIFICATIONS
• OSCP (Offensive Security Certified Professional)
  • Most technical, most challenging penetration testing certification
• SANS GPEN (GIAC Certified Penetration Tester)
  • Covers methodology and reporting in addition to hands-on technical skills

CERTIFICATIONS
• SANS GWAPT (GIAC Web Application Penetration Tester)
  • Similar to GPEN, but focuses on web apps
• Social-Engineer, Inc. – Social Engineering Pentest Professional (SEPP)
  • Up and coming certification for Social Engineering, highly respected in the security community

CERTIFICATIONS
• CISSP, CISA, CCIE Security, Security+, or the many other SANS certs are helpful
• However, these other certifications are not meant to certify the individual as a penetration tester

You don’t hire an OSCP to do a PCI audit, and you don’t hire a QSA to do a pentest

PCI CONSIDERATIONS
• PCI DSS 3.0 is modifying requirements for Penetration Testing
  • Verification of methodology based on industry accepted best practices
  • Validates segmentation and scope reduction controls
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results
  • Vulnerabilities are corrected and testing repeated

WORKSHEET
• We have provided a worksheet which covers some of the criteria discussed
• Feel free to use this when you find yourself dealing with penetration testers and firms that offer penetration testing
• A copy can be found online as well at http://engage.securestate.com/pentestassessment-worksheet

QUESTIONS?

CONTACT INFO
Thank you for your time!

Tom Eston - teston@securestate.com
Twitter: agent0x0
Jason Broz - jbroz@securestate.com
Twitter: jbroz67

Michael Vidyakin: Introduction to PMO (UA)Lviv Startup Club
 
Entrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsEntrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsP&CO
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfAnhNguyen97152
 
Fabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and FestivalsFabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and FestivalsWristbands Ireland
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)tazeenaila12
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfCharles Cotter, PhD
 
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfAMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfJohnCarloValencia4
 
To Create Your Own Wig Online To Create Your Own Wig Online
To Create Your Own Wig Online  To Create Your Own Wig OnlineTo Create Your Own Wig Online  To Create Your Own Wig Online
To Create Your Own Wig Online To Create Your Own Wig Onlinelng ths
 
Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Winbusinessin
 
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...IMARC Group
 
Chicago Medical Malpractice Lawyer Chicago Medical Malpractice Lawyer.pdf
Chicago Medical Malpractice Lawyer Chicago Medical Malpractice Lawyer.pdfChicago Medical Malpractice Lawyer Chicago Medical Malpractice Lawyer.pdf
Chicago Medical Malpractice Lawyer Chicago Medical Malpractice Lawyer.pdfSourav Sikder
 
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...Khaled Al Awadi
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyHanna Klim
 

Recently uploaded (20)

PDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfPDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdf
 
Lecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toLecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb to
 
Live-Streaming in the Music Industry Webinar
Live-Streaming in the Music Industry WebinarLive-Streaming in the Music Industry Webinar
Live-Streaming in the Music Industry Webinar
 
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
 
BCE24 | Virtual Brand Ambassadors: Making Brands Personal - John Meulemans
BCE24 | Virtual Brand Ambassadors: Making Brands Personal - John MeulemansBCE24 | Virtual Brand Ambassadors: Making Brands Personal - John Meulemans
BCE24 | Virtual Brand Ambassadors: Making Brands Personal - John Meulemans
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)
 
Entrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsEntrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizations
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
 
Fabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and FestivalsFabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and Festivals
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
 
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfAMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
 
To Create Your Own Wig Online To Create Your Own Wig Online
To Create Your Own Wig Online  To Create Your Own Wig OnlineTo Create Your Own Wig Online  To Create Your Own Wig Online
To Create Your Own Wig Online To Create Your Own Wig Online
 
Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024
 
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
Boat Trailers Market PPT: Growth, Outlook, Demand, Keyplayer Analysis and Opp...
 
Chicago Medical Malpractice Lawyer Chicago Medical Malpractice Lawyer.pdf
Chicago Medical Malpractice Lawyer Chicago Medical Malpractice Lawyer.pdfChicago Medical Malpractice Lawyer Chicago Medical Malpractice Lawyer.pdf
Chicago Medical Malpractice Lawyer Chicago Medical Malpractice Lawyer.pdf
 
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agency
 

Assessing a pen tester: Making the right choice when choosing a third party Pen Test Firm

1. PRESENTATION
Tom Eston, CISSP, GWAPT
Jason Broz, CIPP/US
Assessing a Pen tester: Making the right choice when selecting a third party firm
2/12/2014

2. WEBINAR PRESENTERS
• Tom Eston, CISSP, GWAPT
  o Manager, Attack and Defense Team
  o Founder, SocialMediaSecurity.com
  o OWASP Contributor
  o SANS Community Instructor
  o International Speaker: DEFCON, Black Hat USA/Abu Dhabi and many others
• Jason Broz, CIPP/US
  o Audit and Compliance Consultant
  o Previous positions include IT for a Fortune 1000 company, management and sales
  o Member of IAPP and ISACA
Data Classification: SecureState Proprietary

3. WEBINAR GOALS
• Help you better understand Penetration Testing goals and objectives
• Provide clarity on differences
• Elaborate upon differences within the industry
• Answer questions in regard to decision making

4. QUICK POLL
• Who has recommended a pentest?
• Who has purchased a pentest?
• Who has performed a pentest?
• Who has had to deal with the results from a pentest?
  o Who has seen a bad report?

5. WHAT IS A PENETRATION TEST?

6. WHAT IS PENETRATION TESTING?
• Method of evaluating the security of:
  o Computer systems
  o Network devices
  o Web applications
  o Physical buildings and infrastructure
• Simulates an intrusive attack by a malicious attacker
"Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. It often involves launching real attacks on real systems and data that use tools and techniques commonly used by attackers"
~NIST 800-115, http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

7. KEY COMPONENTS OF PENETRATION TESTING
• Established methodology
• Attack vectors
• Scope established
• Trophies or goals identified
• Manual methods used in addition to tools
• Team based
8. MOST COMMON PENETRATION TESTING METHODOLOGIES
• Penetration Testing firms should follow one or more of the following methodologies:
  o PTES (Penetration Testing Execution Standard)
  o NIST 800-115
  o OSSTMM (Open Source Security Testing Methodology Manual)
  o OWASP Testing Guide (Open Web Application Security Project)

9. PENETRATION TESTS ARE NOT
• Vulnerability Assessments
• Simply running an automated tool (e.g., Nessus)
• Manual review of security "controls"
  o This is an audit
From a cost perspective, a pentest will cost significantly more than a Vulnerability Assessment because of the manual testing involved.

10. REASONS FOR PERFORMING A PENETRATION TEST
• Compliance requirement (PCI)
• Told to perform a Penetration Test by management
• Identification of vulnerabilities in your network that can be exploited
• How difficult would it be for a hacker to compromise valuable data?
• Are your defenses working? Test of Incident Response and monitoring systems
• Need budget to resolve issues and build the security program

11. REASONS NOT TO PERFORM A PENETRATION TEST
• Consumes your entire security budget
• Lack of resources to address any issues that the penetration test might discover
• No clear goals defined for the pentest
A penetration test is an excellent way to identify problems, but on its own it cannot fix them.

12. SECONDARY BENEFITS
• Incident Response
  o Is someone monitoring your assets?
  o How do they respond?
• Security Awareness of Users
  o Social Engineering
  o Phishing, phone calls
• Alarms, Guards, and Detection
  o Are physical controls sufficient?

13. WHAT DOES ALL THIS MEAN TO YOU?
14. PENETRATION TESTS WITHIN YOUR ORGANIZATION
• Does your organization need a Penetration Test?
• Why does your organization need to do a Penetration Test?
• What type of Penetration Test do you need?
• What are your goals?
• What is the objective?
• What is the most valuable data on your network?
  o Trophies

15. WHY DOES YOUR ORGANIZATION NEED A PENETRATION TEST?
• Do you have sensitive data?
  o Credit card numbers
  o Protected Health Information (PHI)
  o Personally Identifiable Information (PII)
  o Proprietary data
• Regulatory requirement?
  o Payment Card Industry (PCI DSS), HIPAA
• Unsure of your defenses?
• Need to obtain budget?

16. WHAT TYPE OF PENETRATION TEST DO YOU NEED?
• Several different types:
  o External Network
  o Social Engineering
  o Internal Network
  o Wireless Network
  o Web Application
  o Physical Security
  o Full Scope

17. EXTERNAL NETWORK
• Simulates an attacker on the Internet
• Passive footprinting
• What network ports are exposed?
• This type of penetration test should include brute force attacks
• Most common type of penetration test
• Typically done remotely

18. SOCIAL ENGINEERING
• Targets people, processes and awareness
  o Phishing
  o Spear phishing
  o Phone calls
  o USB/thumb drive drops
• Often paired with other assessments
Social Engineering attacks typically have a VERY high success rate.

19. INTERNAL NETWORK
• Simulates someone gaining access to your internal network
  o Contractor, malicious employee, backdoor malware
• What internal resources can we penetrate?
  o Critical servers, PCI data, etc.
• Can be paired with wireless and physical assessments

20. WIRELESS NETWORK
• Focused on attacking wireless networks
• Tests encryption strength, authentication
• How far can someone see the wireless network?
  o Can someone connect from a far distance?
  o War driving

21. WEB APPLICATION
• Three types of Web Application Penetration Tests
  o Black Box: no previous knowledge
  o Grey Box: user credentials provided; user role and business logic testing
  o White Box: code review

22. PHYSICAL SECURITY
• Assess the physical security of a facility or location
  o Human safety
  o Confidentiality
  o Integrity
  o Availability
• How can someone access your facility?
  o Tailgating, lock picking, alarm bypass
  o Social engineering
23. DETERMINING SCOPE
• A good Penetration Test should focus on attacking the core business and its processes
• Need to understand how sensitive data traverses your network
  o What it touches
  o Where it is stored
  o How it is transmitted
• Are there other things that you would like to assess?
  o Secondary considerations

24. DETERMINING SCOPE
• Regulatory requirements
  o PCI DSS requires all in-scope systems (the cardholder data environment and anything connected to it) to be tested, not a sample
• Don't lose value in what you purchased!
  o Limiting scope
  o Determine trophies

25. OTHER SCOPE CONSIDERATIONS
• Define operational restraints
  o Assessment timeframe: outside of business hours or during business hours
• Need to know
  o Test of Incident Response
  o Notify only those with a business need
• Penetration Testing firm needs to provide IP addresses and contact information of the consultant performing the engagement!
• Ask for a Project Charter
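The tester attribution that slide 25 asks for (the firm's source IP addresses, the consultant's contact details, and the agreed testing window from the project charter) only pays off if the monitoring team actually uses it during the engagement, especially when incident response is itself under test. The following Python is an added example, not code from the SecureState deck or its worksheet. It takes a constructed charter (the IP ranges and window are assumptions) and constructed firewall-style log lines in an assumed format, and labels each event as authorized tester activity, tester activity outside the agreed window (raise that with the firm), or unattributed activity that the incident response process must treat as real.

```python
"""Attribute engagement-time log events to the declared pentest sources.

Added example; not from the SecureState deck. The charter values, the log
format and every log line are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed project charter: what the firm should hand over before testing.
CHARTER = {
    "tester_sources": ["198.51.100.0/28", "203.0.113.77/32"],  # assumed ranges
    "window_start": datetime(2014, 2, 17, 22, 0, tzinfo=timezone.utc),
    "window_end": datetime(2014, 2, 21, 6, 0, tzinfo=timezone.utc),
}

# Constructed log format: "<UTC timestamp> <src> -> <dst>:<port> <event>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<event>\S+)$"
)

SAMPLE_LOG = """\
2014-02-18T01:14:02Z 198.51.100.5 -> 192.0.2.10:22 ssh-auth-fail
2014-02-18T01:14:03Z 198.51.100.5 -> 192.0.2.10:22 ssh-auth-fail
2014-02-18T01:20:45Z 203.0.113.77 -> 192.0.2.25:443 web-scan
2014-02-18T02:02:11Z 192.0.2.200 -> 192.0.2.10:22 ssh-auth-fail
2014-02-22T09:30:00Z 198.51.100.5 -> 192.0.2.25:443 web-scan
garbage line that does not match the format
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": ipaddress.ip_address(m["src"]),
            "dst": m["dst"], "port": int(m["port"]), "event": m["event"]}


def classify(event, charter):
    """Label one parsed event against the charter.

    tester                 declared tester address, inside the agreed window
    tester-out-of-window   declared tester address, outside the agreed window
    unattributed           anything else: treat as a real incident
    """
    networks = [ipaddress.ip_network(n) for n in charter["tester_sources"]]
    from_tester = any(event["src"] in n for n in networks)
    if not from_tester:
        return "unattributed"
    in_window = charter["window_start"] <= event["ts"] <= charter["window_end"]
    return "tester" if in_window else "tester-out-of-window"


def triage(log_text, charter):
    """Classify every line; returns (labelled events, counts per label)."""
    labelled, counts = [], Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event is None:
            counts["unparsed"] += 1  # never silently drop what you could not read
            continue
        label = classify(event, charter)
        counts[label] += 1
        labelled.append((event["ts"].isoformat(), str(event["src"]), event["event"], label))
    return labelled, counts


if __name__ == "__main__":
    events, counts = triage(SAMPLE_LOG, CHARTER)
    for row in events:
        print(*row)
    print(dict(counts))
```

The point of the three labels is that "it's probably the pentesters" is not an acceptable answer from the SOC: an unattributed source hammering SSH during the engagement is handled as an intrusion, and a declared tester address active after the window closes is a contract conversation, not something to ignore.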
26. WHAT DO YOU DO NOW?

27. WHAT TO LOOK FOR WHEN OBTAINING A THIRD PARTY FIRM
• Methodology
• Tools
• Goals
• Results
• Experience
• Certifications

28. METHODOLOGY
• A penetration test methodology needs to follow:
  o Reconnaissance
  o Enumeration
  o Exploitation
  o Post Exploitation
  o Pilfering
  o Clean up and Reporting

29. METHODOLOGY
• Reconnaissance
  o Initial information gathering
  o Non-invasive
  o Goal is to learn everything you can about the target
• Enumeration
  o Potential vulnerabilities are initially identified
  o Can involve the use of vulnerability scanners
  o Also involves manual interaction

30. METHODOLOGY
• Exploitation
  o Attempt to exploit vulnerabilities
  o Tools like Metasploit, Core Impact could be used
  o Typically involves manual work including developing custom exploit code
• Post Exploitation
  o Attempt to leverage exploited vulnerabilities
  o Elevating privileges on compromised systems
  o Potential for leveraging trust relationships between systems

31. METHODOLOGY
• Pilfering
  o Attempt to obtain "trophies" and other sensitive data
  o Defined in the scope
  o Penetration testers use password hashes, encryption keys and user lists to gain access to data (to name a few)
• Clean up and Reporting
  o The penetration tester should always clean up after themselves!
  o Remove files left by the tester, traces of access
  o Reporting is the most important phase!
32. WARNING SIGNS
• They only plan to use a vulnerability scanner such as Nessus
• They only plan to use a commercial exploitation tool such as Core Impact or Canvas
• The report is raw output from any of these tools

33. COMMON MISTAKES IN PENETRATION TESTS
• Limiting the scope of the test
• Making changes while the test is being performed
• Using under-skilled penetration testers
• Calling a Vulnerability Scan a Penetration Test

34. VULNERABILITY SCANNERS
• A common misconception is that a pentest is nothing more than running the Nessus scanner
• A vulnerability scanner casts a very wide net, and makes a lot of noise
• Penetration tests are focused, and often quiet
• Many penetration testers don't use a vulnerability scanner at all during their testing

35. WHY A VULNERABILITY SCANNER IS NOT ENOUGH
• Does not identify dangerous trust relationships between components
• Vulnerability scans contain false positives
  o Not an accurate picture of security
• If PCI is a concern, both pentesting and Vulnerability Scans are needed for a Report on Compliance
• Attackers will take advantage of chained vulnerabilities to obtain access
  o Vulnerability linkage

36. CHAINED VULNERABILITIES
• It's not uncommon for several lower severity vulnerabilities to be chained together to allow an attacker to compromise something of high value
• Demonstrating where this can be done is one of the most valuable things a pentest can provide you
• The Penetration Testing firm needs to provide a detailed explanation of any of these situations

37. WHAT IS A "GOOD" PENETRATION TEST
• Covers all relevant attack vectors, not just those defined by IP ranges
• Should be goal based
• Clearly shows vulnerable assets that can be compromised
• Tests the system as a whole, including existing defense mechanisms
• Your goals and objectives
• Definitive end to the project

38. RESULTS
• Output typically includes some kind of report
  o Should not only be raw data or a tool report
  o Discusses high level and detailed findings
  o Needs an Executive Summary!
• Ask for information on all of the vulnerabilities that were found
• If the penetration tester got to a trophy, you want to know exactly how they got there
  o Usually a chain of several vulnerabilities
• Penetration Tester should provide screen shots, tool logs and other data upon request
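Slides 36 and 38 make the same demand of a report: if a trophy was reached, show the chain, because a path of individually "Medium" findings can matter more than one isolated "Critical". The Python below is an added example, not code from the deck. It models each finding in a constructed report as the foothold it needed and the foothold it granted, reconstructs the path from the Internet to a named trophy, and reports the highest single-finding rating on that path. The finding list, titles and severities are all constructed.

```python
"""Reconstruct the chain of findings that reached a trophy.

Added example; not code from the SecureState deck. Findings are modelled as
transitions between access states: each needs a foothold the attacker already
holds and grants a new one. Every finding below is constructed.
"""
from collections import deque

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed report findings (the kind of detail slide 38 says to ask for).
FINDINGS = [
    {"id": "F1", "severity": "Low", "requires": "internet", "grants": "staff-directory",
     "title": "Directory listing exposes staff list on marketing site"},
    {"id": "F2", "severity": "Medium", "requires": "staff-directory", "grants": "domain-user",
     "title": "Password spray against webmail, no lockout policy"},
    {"id": "F3", "severity": "Medium", "requires": "domain-user", "grants": "workstation-admin",
     "title": "Local administrator password reused across workstations"},
    {"id": "F4", "severity": "Medium", "requires": "workstation-admin", "grants": "domain-admin",
     "title": "Domain admin credentials cached on shared workstation"},
    {"id": "F5", "severity": "Medium", "requires": "domain-admin", "grants": "trophy:cardholder-db",
     "title": "Cardholder database reachable from the user LAN"},
    {"id": "F6", "severity": "Critical", "requires": "internet", "grants": "dev-server-shell",
     "title": "Unauthenticated RCE on isolated dev server"},
]


def find_chain(findings, start, goal):
    """Breadth-first search over access states.

    Returns the ordered list of finding IDs that takes an attacker from
    `start` to `goal`, or None if the findings do not connect them.
    """
    usable_from = {}
    for f in findings:
        usable_from.setdefault(f["requires"], []).append(f)
    came_from = {start: None}  # state -> (previous state, finding id)
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state == goal:
            break
        for f in usable_from.get(state, []):
            if f["grants"] not in came_from:
                came_from[f["grants"]] = (state, f["id"])
                queue.append(f["grants"])
    if goal not in came_from:
        return None
    chain, state = [], goal
    while came_from[state] is not None:
        state, fid = came_from[state]
        chain.append(fid)
    chain.reverse()
    return chain


def chain_summary(findings, chain):
    """Worst single rating on the chain, to set against what the chain achieves."""
    severity = {f["id"]: f["severity"] for f in findings}
    worst = max((severity[fid] for fid in chain), key=SEVERITY_RANK.__getitem__)
    return {"length": len(chain), "worst_individual_severity": worst}


def unused_findings(findings, chain):
    """Findings that did not contribute to the path, however severe they were rated."""
    on_chain = set(chain)
    return [f["id"] for f in findings if f["id"] not in on_chain]


if __name__ == "__main__":
    path = find_chain(FINDINGS, "internet", "trophy:cardholder-db")
    print("chain:", path, chain_summary(FINDINGS, path))
    print("not on chain:", unused_findings(FINDINGS, path))
```

Asking the firm to present each trophy this way, one finding per step with what it required and what it gave them, is a concrete test of the "exactly how they got there" demand. In the constructed data the Critical RCE on the dev server (F6) is a dead end, while five Low and Medium findings reach the cardholder data; that linkage is what a severity-sorted scanner report never shows and what the remediation plan on slide 39 should be prioritised around.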
39. RESULTS: NEXT STEPS
• After the Penetration Test has been completed, the organization will have a better understanding of the areas that need to be hardened within the infrastructure
• Mitigate the high risk vulnerabilities to lower your chances of a breach
• Follow security principles (defense in depth) to improve security after remediation

40. EXPERIENCE
• Assessing the skills and experience of a penetration testing firm can be difficult; a few items to look for:
  o How long have they been doing penetration testing?
  o Have they written any pentesting tools?
  o Have they presented on pentesting at major security conferences (SANS, DEFCON, Shmoocon, BlackHat, DerbyCon)?
  o Do they have any pentest certifications (OSCP, GPEN, GWAPT)?
  o Some certifications like CEH are less credible!

41. CERTIFICATIONS
• OSCP (Offensive Security Certified Professional)
  o Most technical, most challenging penetration testing certification
• SANS GPEN (GIAC Certified Penetration Tester)
  o Covers methodology and reporting in addition to hands on technical skills

42. CERTIFICATIONS
• SANS GWAPT (GIAC Web Application Penetration Tester)
  o Similar to GPEN, but focuses on web apps
• Social-Engineer, Inc. – Social Engineering Pentest Professional (SEPP)
  o Up and coming certification for Social Engineering, highly respected in the security community

43. CERTIFICATIONS
• CISSP, CISA, CCIE Security, Security+, or the many other SANS certs are helpful
• However, these other certifications are not meant to certify the individual as a penetration tester
You don't hire an OSCP to do a PCI audit, and you don't hire a QSA to do a pentest.

44. PCI CONSIDERATIONS
• PCI DSS 3.0 is modifying requirements for Penetration Testing
  o Verification of methodology based on industry accepted best practices
  o Validates segmentation and scope reduction controls
  o Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  o Specifies retention of penetration testing results and remediation activity results
  o Vulnerabilities are corrected and testing repeated

45. WORKSHEET
• We have provided a worksheet which covers some of the criteria discussed
• Feel free to use this when you find yourself dealing with penetration testers and firms that offer penetration testing
• A copy can be found online as well at http://engage.securestate.com/pentestassessment-worksheet

47. CONTACT INFO
Thank you for your time!
Tom Eston - teston@securestate.com, Twitter: agent0x0
Jason Broz - jbroz@securestate.com, Twitter: jbroz67

Editor's Notes

1. Penetration testing is something virtually everyone in the security industry deals with in some way. Pen testing is something that is often misunderstood by both customers and vendors. The goal is to provide you with clarity on the differences between companies, which will help you differentiate solid pen testers from less effective companies; to elaborate upon differences within the industry; and to answer the questions that will assist you when choosing the third party firm that will best align with your organizational goals.
2. According to the National Institute of Standards and Technology (the NIST 800-115 definition quoted on the slide). Essentially, it is a proactive approach to evaluating the technical controls in place.
3. We will delve into these in a bit; however, from a high level the main components of penetration testing include: Established Methodology, which is the process of the pentest (there are several methods that can be used, including NIST, PTES, OSSTMM and ISSAF); Attack Vectors, meaning what approach is going to be taken and what is going to be "attacked"; Scope, meaning what is in scope for the test (PCI data? PHI?); Trophies established, meaning what the hackers are trying to obtain and what has the biggest impact on the business; Manual methods employed in addition to tools. Penetration testing should be a team-based effort; no one individual is smarter than the collective.
4. A Vulnerability Assessment identifies potential vulnerabilities. A Penetration Test identifies vulnerabilities and actively attempts to exploit them. These two are confused a lot. It's not uncommon for a vendor to provide something they describe as a Penetration Test which is in fact a Vulnerability Assessment. A manual review of security controls is simply that: a review of what is in place.
5. There are several reasons for performing a pentest: compliance; being advised that it would be a good idea; having heard that several other companies were doing this, or having read it in a magazine; curiosity (see the PowerPoint); the "shock and awe" mentality, i.e. the need to obtain budget.
6. There are definitely reasons not to perform a pentest. If your entire budget is consumed by performing a pentest, you have no resources left to fix the problems. You do not have sufficient resources to fix the problems; since budget was already addressed, this would focus on knowledge and time, although is lack of resources really a reason if you are breached? You don't have clear goals in mind, including trophies and scope.
7. Incident Response: couple the pentest with an IR test to see if the plan is effective and if employees know what to do. Security Awareness: are your employees aware? Are they apathetic? Skeptical? Alarms, guards, detection: do you have the proper controls in place in the right areas? Do they work? This includes fencing, guards, cameras, access controls, etc.
8. Overall, pentesting is an industry best practice and generally a good idea, but the idea and the process can raise more questions than they answer. What does it all mean to you? How do you apply this to your organization? Where do I start?
9. Firstly, you need to understand how pentesting fits into your overall security. Do you even need a pentest? Do you have the resources to address potential issues? If you need a pentest, why? What type of pentest do I need? If I were to engage a company to perform a pentest, what are my goals? Objectives: what type of data do I have? What would I want to ensure is protected?
10. Why does your organization need a pentest? Do you have sensitive data? Compliance? Do you need to show operationally focused executives, who do not understand security or see security as a hindrance, that you have vulnerabilities and need money to address them?
11. Within the realm of pentests, you need to determine what type of penetration test is most suitable for your organization.
12. External network pentests simulate an attacker coming into your network from the outside. There are a variety of techniques used in this type of attack. This is the most common type and is typically performed remotely. It is a combination of passive and active attacks used to exploit weaknesses that potentially exist in your network. Some of this information can also be used to perform a social engineering attack.
13. Social engineering attacks focus on the natural human characteristic of helpfulness. They test employee awareness, can take many forms and can be customized to your environment. Phishing: mass email to gain user credentials. Spear phishing: targeted email, usually at high level executives or key personnel, with a personal component. Shoulder surfing: looking over another's shoulder to gain information; think nosy neighbor. VERY high success rate!!!
14. An internal penetration test is meant to simulate an internal rogue threat: a disgruntled or malicious employee or contractor, or the installation of a rogue access point. Typically done on site.
15. Do you have wireless networks? Are they segmented? Do you have sensitive information traversing your wireless network? Can someone connect to your network from a car down the street?
16. Do you have a web application? These tests assess the security of those applications. This is a huge attack vector with a large area for concern.
17. You have taken the necessary steps to logically protect your data, but what about physical access? Have you taken measures to ensure that individuals cannot gain physical access?
18. You now understand that you need to do a pentest and why you need to do a pentest; now you need to determine what the scope of the assessment will be. The next few slides will cover the things that should be considered before you jump out and hire someone to perform a pentest. Are there other areas that you need to consider testing? Security awareness or incident response?
19. Do you need to meet regulatory requirements? You are spending good money on a pentest; don't lose value by limiting the scope to test systems, or to systems that you have recently scrambled to harden just to make sure that a pentester won't break in. Doing so will diminish the value of the assessment. Also, not determining trophies or defining a goal will cause you to lose value.
20. Do you have operational constraints? Let your pentesting company know up front, and why you need to do so. Are you a hospital where activity is high during the day and availability and integrity are paramount? Do it off hours. Are you also in need of, or do you wish to test, your IR program? Doing this can meet several business and security objectives. Limit knowledge of the testing to those who have a business need to know. An internal office memo telling everyone that you are doing a pentest isn't the best idea if this is the case, and also for security reasons: in the real world an attacker won't let you know that they are intending to attack.
21. At this point you have all your ducks in a row; it's time to look for someone to perform the pentest.
22. When looking for a third party there are several things to consider. We will cover these items, as well as warning signs and a few last things to consider.
23. The typical pentest process follows these basic categories.
24. There are several warning signs that should raise red flags and set off the sirens. They include: see slides.
25. Are you sure that your entire environment has been included? What about your wireless network that moves PHI? Have you included test systems? Making changes while a test is being performed is not recommended: that "quick fix" over here could unintentionally impact a system that was already tested over there. There is a fine art to pentesting, and it is understandable that everyone has to start somewhere, but they should have the necessary resources available to ensure that areas have not been overlooked. There are distinct differences between a pentest and a vulnerability scan. In the next few slides we will highlight some of those differences.
26. PCI is focusing on penetration testing and results, to include methodology and approach as well as validation around segmentation and scope reduction controls. See slides.