Thursday, September 5, 2019
Penetration Testing Scope
Penetration Testing Scope The main objective of this document is to provide the readers a view on importance of Penetration test in network security and how it will overcome the network security issues and how organizations are determining their security weaknesses in their network infrastructures. With the help of this document, readers can obtain knowledge about advantages, strategies, types, tools and techniques of the penetration testing. Introduction: Penetration testing method is one of the oldest network security techniques for evaluating the securities of a network system. Penetration testing method used by Department of Defence in early 1970s to determine the security weaknesses in computer system and to initiate the development of programs to create more secure system. Using penetration testing, organization can fix their security weaknesses before they get unprotected. Many companies are using this method because penetration testing will provide proper security information systems and services to the organizations network systems. Organization can reduce risk in their network system using penetration testing tools and techniques. The main objective of the penetration testing is to evaluate the security weaknesses of the organizations network systems. Penetration testing has more secondary objectives and that will help the organization to identify their security incidents and also test the security awareness of the employees. Scope and Goals of the Penetration Testing: Identifying gaps in security: Organization can identify the gap of the system security and company can develop an action plan to reduce the threat with the help of penetration test. Help to create strong business case: A penetration test result document will help the manager to create a strong business case to produce the security message at the implementation stage. To discover new threats: Penetration testing measures will help the organization to find the new threats. To focus on internal security resources: A Penetration test and its security analysis allow the organization to focus internal security resources. To meet regulatory compliances: Organization can meet their regulatory compliances using penetration testing tools. To find weakest link: Penetration test and security audit will assist the firm to find the weakest link in their intricate structure and it will provide baseline security for all typical entities. Provide validation feedback: Penetration test deliver validation feedback to business entities and security framework that lead the organization to reduce the risk in the implementation. Phases of the Penetration Test: Discovery Planning Attack Reporting Additional Discovery Planning Phase: Scope of the test will be defined in planning phase. In this phase, testing team will get the approvals, documents and agreements like NDA (Non-Disclosure Agreement) and they will set the baseline for effective penetration test after that documents are signed. Penetration test team will get certain input from existing security plan, industry standards and best practices while defining their scope for the test. No real testing activity happens in the planning stage. Factor influencing the successful Penetration test: Time: Legal restriction: Discovery Phase: The real testing activity will start from this phase. In this stage, they used to identify the potential target using network scanning and to gather information using port scanning and other techniques. Vulnerability is the second part of this discovery phase. In this stage, application, operating system and services are equated against vulnerability database. Normally human testers use their own database or public database to find vulnerabilities manually. Compare with automated testing, manual testing is better way to identify the new vulnerabilities but this type of testing is time consuming unlike automated testing. This Phase can be further Characterized as: Footprinting Phase Canning and Enumeration Phase Vulnerability Analysis Phase Footprinting Phase: The process of footprinting is a completely non-disturbing activity executed to get information available about the target organization and its system using various resources, both technical and non-technical. This process includes probing the internet, querying various public repositories (Database, Domain registrar, Usenet groups and mailing list). In this phase, penetration tester will gather significant information and confidential data through internet without probing the target system. Penetration tester will conduct the social engineering attacks for that they will collect valuable information like IT setup details, e-mail address of the company, device configuration and username and password. In this phase, penetration tester tries to find various loopholes and try to explore data leakage about the target organization in shortest time period. Mostly procedure of this phase can be automated using customized script and small programs. Scanning and Enumeration: The scanning and enumeration phase includes lot of activity like identifying the live system, open / filtered ports found, service running on these ports, identifying the operating system details, network path discovery, mapping router / firewall rules, etc. Penetration tester must be careful while using the tools for these activities because they should not overwhelm the target systems with extreme traffic. Before going into live scenario, successive phase should be tested completely in a testing environment. Types of Port Scanner: Nmap SuperScan Hping Services should be fingerprinted either manually or using existing tools after successfully identifying the open ports. Penetration tester will provide exact name and version of the services which running on the target system and the underlying Operating system before including these in the final report. Also this will help to identifying and removing numerous false positive found later. Existing Fingerprint Tools: Xprobe2 Queso Nmap Amap Winfingerprint P0f Httprint Vulnerability Analysis: In this stage, penetration tester will try to identify possible vulnerabilities existing in each target system after identifying the target systems and collecting required details from the previous phase. During this stage penetration tester may use automated tools to find the vulnerabilities in the target systems. These tools have their own record containing of latest vulnerabilities and their details. In vulnerability analysis stage, penetration tester will test the systems by giving invalid inputs, random strings, etc. to check for any errors or unintended behaviour in the systems output. Penetration tester should not depend only on his experience because a successful penetration tester should be up to date with latest security related activities and join with security related mailing-lists, security blogs, advisories, etc. to keep him updated to the latest vulnerabilities. Types of Vulnerability Scanners: Nessus Shadow Security Scanner Retina ISS Scanner SARA GFI LANguard Attack Phase: Attack phase is a vital stage in penetration testing, the most challenging and interesting phase for the penetration tester. This Phase can be further Characterized as: Exploitation Phase Privilege Escalation Phase Exploitation Phase: In this phase, penetration tested will try to identify activities for the various vulnerabilities found in the previous stage. Penetration tester can get more resources from internets that provide proof-of-conception exploits for most of the vulnerabilities. In exploitation stage, all exploit should be tested thoroughly before going for a real implementation. If any vulnerabilities critical system not exploited then penetration tester should give sufficient documented proof-of-concepts about the impact of the vulnerability on the organizations business. Exploitation Frameworks: Metasploit Project Core Security Technologys Impact Immunitys CANVAS Instead of running exploitation, penetration tester need to use the full potential framework to reduce the time in writing custom exploits. Gaining Access Discovery Phase Rising Privilege System Surfing Install Add Test Software Enough data has been Gathered in the discovery phase to make an attempt to Access the target. If only user-level access was obtained in the last step, the tester will now seek to gain complete control of the system. The information gathering process begins again to identify mechanism to gain access to trusted system. Additional presentation testing software is installed to gain additional information and/or access. Attack Phase Step with Look back to Discovery Phase Privilege Escalation: In this stage, penetration tester will make further analysis to get more information that will help to getting administrative privileges. Before continuing further process, penetration tester should get the prior permission from the target organization. Penetration tester will maintain his all activity report because in the reporting stage that will be the proof for all the activities completed. Tester may install additional software for higher level of privilege. Reporting Phase: Reporting stage is the last phase in the penetration test methodology. Reporting phase will parlay occurred with other three stages or it will happen after attack phase. This reporting phase is very vital stage and this this report will cover both management and technical aspects, provide detailed information about all findings, figures with proper graphs. Penetration tester will provide suitable presentation of the vulnerabilities and its impact to the business of the target organization. Final document will be detailed and it will provide technical description of the vulnerabilities. Penetration tester should meet the client requirement in the documents also document should be detailed and that will show the ability of the successful penetration tester. Report Consist of: Executive Summary Detailed Findings Risk level of the Vulnerabilities found Business Impact Recommendations Conclusion Penetration Testing Strategy: External Testing Strategy: In this strategy, process made from outside the organizations system to refers attack on the organizations network border, this may be through Internet or Extranet. External testing strategy will start with clients publically accessible information. Naturally the External testing approach will executed with non-disclosure or fully disclosure environment. This test will target the organizations externally visible server or device like Domain Name Server (DNS), Firewall and E-mail server. Internal Testing Strategy: Internal testing approach executed from inside the organizations technology environment. The focuses of the internal testing strategy is to know what could occur if the network border were penetrated effectively or what an authorized user could do to penetrate specific information resources inside the organizations network. Both type of testing techniques are similar but the result of both tests will vary prominently. Blind Testing Strategy: Blind testing approach targets at pretending the activities and processes of a real hacker. In this approach, testing team will provide limited information about organizations systems configuration. The penetration testing team gather information about the target to conduct its penetration test using publically available information like company web-site, domain name registry, internet discussion board and USENET. This testing approach can provide lot of information about the organization but this method of testing is very time consuming. Double Blind Testing Strategy: This testing strategy is an extension of blind testing approach. In this testing approach, IT and security staff of the organization will not informed earlier and are blind to the strategic testing activities. Double blind testing strategy is a vital component of testing because it can test the organizations security monitoring and incident identification, escalating and response procedure. The main objective of this testing approach is only few people from the organization will aware of this testing activity. Once the objective of the test has been achieved then project manager will terminate the response procedure of the organization and testing procedures. Targeted Testing Strategy: Another name of this testing strategy is lights-turned-on approach. In this testing approach, both organizations IT staff and penetration testing team involve in this testing activities. In this test, there will be a clear understanding of testing actions and information about the target and network design. Targeted testing approach is very cost effective because this test mainly focused on technical setting or design of the network. This test can executed in less time and effort unlike blind test but this approach will not give clear picture of an organizations vulnerabilities and response capabilities. Types of Penetration testing There are many type of penetration test available to test the network security of an organization. But type of penetration test may depend upon the organizations needs to test their network. Black-box Testing: White-box Testing: DOS (Denial Of Service): This type of testing tries to identify the weaknesses on the system through exhausting the targets resources because it will stop responding to legal request. Denial of service testing can perform on both manually and automated tools. This test is classified into two types such as software exploits and flooding attacks. The level of this test depending upon the penetration tests information system and related resources. There are more formats in this test such as: Application Security Testing: Application security testing will protect the confidentiality and reliability of information using applications encryption and objective of this testing is to assess the control over the applications (Electronic commerce server, on-line financial applications, distributed applications and internet front ends to legacy systems) and its process flow. Components of Application Security Testing: Code Review: In this type of testing, analysing the code of the application because it should not contain the sensitive data. Authorization Testing: Authorization testing includes Analysing the system initiation and maintenance of the user sessions like Input validation of login fields, Cookies security and lockout testing. Functionality Testing: Functionality testing involves testing the functionality of the application such as input validation and transaction testing as presented to a user. War Dialling: Tools for Penetration Testing: Reconnaissance Tools: Nmap (Network Mapper): Network mapper (Nmap) is a powerful port scan tool and its a part of reconnaissance tools of penetration testing. Network mapper has ability to regulate the operating system of the target system. Network mapper maintains a database for the target computer to find its operating systems resospnse3. Network mapper is a permitted product for network security review. Network mapper was intended to quickly scan big network but it will work fine against single network. Network mapper is compatible with all major operating system like Windows, Linux and MAC operating system.2. Features of the Network mapper (Nmap) Flexible Nmap will support different advanced techniques for mapping out networks such as firewalls, IP filters and other obstacles. This tool also contains port scanners mechanism (TCP UDP), version detection, version detection, Prevailing Portable Easy Free Well documented Supported Acclaimed Popular http://www.computerworld.com/s/article/9087439/Five_free_pen_testing_tools http://nmap.org/ http://www.sans.org/reading_room/analysts_program/PenetrationTesting_June06.pdf https://buildsecurityin.us-cert.gov/bsi/articles/tools/penetration/657-BSI.html Nessus Nessus is a vulnerability assessment tool and its free domain software released by GPLS. This tool is intended to identify the security problem. Nessus helps the management people to rectify the security problem before exploitation. Client server technology is very powerful features of Nessus. Penetration tester can test from various point of the server because Different server technology placed in various place. It can control the entire server using multiple distributed clients or central client. This tool is very flexible for penetration tester because it can run on different operating system like MAC OS X and IBM/AIX but most of the server portion will run on UNIX. Features of the Nessus: Up-to-date security vulnerability Database Nessus tool will check the database regularly and Nessus can receive with the command Nessus-update-plugins. This tool will monitor all the plugins data. Remote and Local security Nessus has the ability to detect the remote faults of the host in a network and also it will remove local flaws and omitted areas. Scalable Nessus is very scalable because it can run on a computer with low memory. If we give more power to this tool then it can scan our system quickly. Plug-Ins Every security test will be written in NASL; also its printed as an exterior plugin. For updating the Nessus, it will not download binaries from internet and to understand the result of the Nessus report, every NASL can be read and modified. NASL (Nessus Attack Scripting Language) The Nessus security Scanner contain NASL, its a designed language to inscribe security test easily and quickly. NASL run in a controlled environment on top of a virtual device, this will make the Nessus a very secure scanner. Smart Service Recognition with Multiple Services Nessus tool helps to recognize the FTP server which running in an unidentified port. This is the first tool to hold this facility. If the host runs the similar services twice or more then Nessus can scan all of them. Full SSL Support and Non-Destructive This tool has the ability to scan SSL services like https, imaps, smtps and more. Nessus tool can integrate with PKI field environment. Nessus is the first scanning tool has this feature. Nessus tool will give more option to the tester to perform a regular non-destructive security audit. Packet Manipulation and Password Cracking Tools Exploitation Tools Metasploit Version Metasploit framework is both penetration testing system and a development platform for creating security tools and techniques. Metasploit framework comprises of tools, modules, libraries and user interfaces. Metasploit framework used to network security and network security professionals will use this framework to conduct penetration test, system administrators to verify the patch connection, to perform regression testing by product vendors, and security researcher world-wide. This tool offers valuable information and tools for penetration tester security researcher. Metasploit framework written in Ruby programming language and contains components written in C and assembler. The basic function of this tool is a Module launcher, allow the user to organize the exploit module and launch the module at target system. Metasploit is very user friendly to the penetration tester to conduct the test and it will give full network penetration testing capabilities. Metasploit is an open source framework and largest combined public databank of exploits. Security Forest exploitation Framework Limitations of Penetration Testing: Penetration testing will not identify all vulnerabilities because normally this test will carried out as Black Box exercises. Penetration test will not provide information about new vulnerabilities those weaknesses identified after the test. Penetration tester will not have sufficient information about the system. Compare with vulnerability assessments, penetration test is not the correct way to identify the weaknesses because vulnerability assessments can identify more issue than penetration testing using diagnostic review of all systems and all servers. Penetration test does not have that much time to evaluate and identify the vulnerabilities and penetration testing is a snapshot for an organization and its network security. Conclusion: Scope of the penetration testing should be increased. Time period of penetration testing is very limited. Time limit of penetration testing needs to be increased, then testing team can identify more issues and testing team can protect the network security of an organization. Further action needs to be taken against vulnerabilities that identified as a result of penetration test. Penetration Testing Definitions: Penetration test is a method to assess the organizations data security system in dynamic way. The information security system of an organization will be tested to identify any security issues. In other way, penetration test is a theoretical or paper based audit. What is Penetration Test? Penetration test is a sequence of actions to find and exploit security weaknesses of the systems. Penetration test naturally includes group of people financed by the organization and Department of Internal Audit or IT department to conduct the test. Penetration test team member attempts to accomplish vulnerabilities in the system security of the organization using tools and techniques of the penetration test. The goal of the testing tem is to find out security weaknesses under controlled circumstances to eliminate the vulnerabilities before unauthorised users can exploit them. Penetration testing is an authorised action to correct the hackers (unauthorised users) activities. Penetration test is a better way to find the security weaknesses that exist in a network or system. Penetration test result will increase the awareness of the management people and also it will assist them to take an important decision making processes. Management people can find their system security weaknesses conducting penetration test in their organization. Depending upon the organization penetration test will differ and time frame of the test will depend on the type of test. If the penetration test is conducted badly then this test have serious costs like system roaring and cramming. Organization needs to have dynamic consent on this test while conducting or performing.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.