Post on 08-Nov-2014
ECSA/LPT
EC-Council Module XIV
Penetration Testing Planning and Scheduling
Module Flow
• Test Plan
• Purpose of Test Plan
• Building a Penetration Test Plan
• Penetration Testing Teams
• Project Scope
• Penetration Testing Planning Phase
• Building Tiger Team
• Penetration Testing Project Plan
• EC-Council's Vampire Box
EC-Council Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
This module explains how a penetration test plan and schedule are made.
It covers the various testing tasks, the test log and deliverables, the penetration testing planning phase, project scope, the penetration testing team, and the tiger team.
It also discusses various project scheduling tools.
Test Plan
A test plan is a document that details the structure of conducting a penetration test.
A test plan can be structured according to an industry standard, such as the Institute of Electrical and Electronics Engineers (IEEE) Standard for Software Test Documentation (IEEE Std. 829), or based on an internal template.
Purpose of Test Plan
A penetration test plan establishes the ground rules, limits, and scope of testing.
It raises the probability of a good penetration test.
A test plan includes:
• Test objective.
• Scope of the testing effort.
• Resource and budget limitations.
• Analysis and reviews.
Building a Penetration Test Plan
• Set up a test goal.
• Define the objects to be tested.
• Hire a well-skilled penetration tester.
• Commit (bind) the penetration analysis resources.
IEEE Std. 829-1998 Section Headings
• Test plan identifier
• Introduction
• Test items
• Features to be tested
• Features not to be tested
• Approach
• Item pass/fail criteria
• Suspension criteria and resumption requirements
• Test deliverables
• Testing tasks
• Environmental needs
• Responsibilities
• Staffing and training needs
• Schedule
• Risks and contingencies
• Approvals
Test Plan Identifier
Each test plan should be assigned an identifier that is unique within the organization.
Test Deliverables
As part of its contractual obligations, a company specializing in security testing may need to provide a client with detailed accounts of all the penetration tests that were attempted (regardless of their success).
Document every detail of the penetration testing process.
The success of a penetration test depends on the report generated; a finding the client cannot reproduce from the report is of little use.
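The "detailed accounts of all the penetration tests that were attempted" above is easiest to deliver if every attempt is logged as it happens rather than reconstructed at report time. The following is an added example of such a test log; it is not EC-Council code, and the field names, the result vocabulary and the sample entries in the `__main__` block are constructed for illustration. Each entry is chained to the previous one with SHA-256 so that a dropped or edited entry is detectable when the log is handed to the client.

```python
"""Engagement test log: a tamper-evident record of every test attempted.

Added example for this module (not EC-Council code). Every entry names the
tester, the task in the work breakdown structure, the target, the tool and
the outcome, including failures and blocked attempts, so the deliverable can
account for all tests attempted regardless of success. Entries are chained
with SHA-256 so a dropped or edited entry is detectable at hand-over. The
field names and the result vocabulary are assumptions of this example.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64                      # chain anchor for the first entry
RESULTS = ("success", "failure", "blocked")


def entry_hash(prev_hash, entry):
    """Hash of the previous hash plus a canonical JSON form of the entry."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class TestLog:
    def __init__(self, plan_id):
        self.plan_id = plan_id          # test plan identifier, unique in the org
        self.entries = []               # list of (hash, entry dict)

    def record(self, tester, task, target, tool, result, notes="", when=None):
        """Append one attempted test and return its sequence number.

        `when` is an ISO 8601 timestamp; it defaults to the current UTC time.
        """
        if result not in RESULTS:
            raise ValueError(f"result must be one of {RESULTS}")
        entry = {
            "plan_id": self.plan_id,
            "seq": len(self.entries),
            "time": when or datetime.now(timezone.utc).isoformat(),
            "tester": tester,
            "task": task,
            "target": target,
            "tool": tool,
            "result": result,
            "notes": notes,
        }
        prev = self.entries[-1][0] if self.entries else GENESIS
        self.entries.append((entry_hash(prev, entry), entry))
        return entry["seq"]

    def verify(self):
        """Recompute the chain; return -1 if intact, else the first bad index."""
        prev = GENESIS
        for i, (h, entry) in enumerate(self.entries):
            if entry_hash(prev, entry) != h:
                return i
            prev = h
        return -1

    def summary(self):
        """Attempt counts per outcome, for the deliverable's coverage section."""
        counts = dict.fromkeys(RESULTS, 0)
        for _, entry in self.entries:
            counts[entry["result"]] += 1
        return counts

    def export(self):
        """JSON lines, one entry per line with its chain hash, for hand-over."""
        return "\n".join(json.dumps(dict(e, hash=h), sort_keys=True)
                         for h, e in self.entries)


if __name__ == "__main__":
    # Constructed sample entries (hypothetical tester, task ids and target).
    log = TestLog("PT-2014-011")
    log.record("alice", "WBS-3.2", "192.0.2.5", "nmap -sS -p- 192.0.2.5",
               "success", when="2014-11-12T09:00:00+00:00")
    log.record("alice", "WBS-3.3", "192.0.2.5", "ssh password guessing",
               "failure", "account lockout after 5 attempts",
               when="2014-11-12T10:30:00+00:00")
    print(log.export())
    print("chain intact:", log.verify() == -1, log.summary())
```

Failed and blocked attempts are recorded with the same weight as successes: the client paying for coverage needs to know what was tried against which host, and a lockout or a blocked scan is itself a finding about their controls. The chain only proves that the exported log is the one that was written; pair it with the exported file being handed over with its final hash quoted in the report.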
Penetration Testing Planning Phase
• Defining the pen-test scope
• Staffing
• Kickoff meeting
• Development of the project plan
• Setting the expectations of the client
Define the Scope
You should establish the scope of the project.
You should develop the scope of the project in consultation with the client.
You should take into consideration time, people, and money.
Business changes might affect the scope, so revisit it with the client during the engagement rather than only at kickoff.
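Once the scope is agreed with the client, the tester still has to enforce it on every scan, and a scope that changed after kickoff is the usual way an out-of-scope host gets tested. The following is an added example of an automated scope check; it is not EC-Council code, and the client name, the documentation-only address ranges, the dates and the field names are constructed for illustration.

```python
"""Scope check: refuse to test anything the agreed scope does not cover.

Added example for this module; it is not EC-Council code and the client,
addresses, dates and field names below are constructed for illustration.
Run it (or import `in_scope`) before every scan so that a host the client
moved out of scope, or an exclusion added after kickoff, is never tested.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date


@dataclass
class Scope:
    client: str
    start: date                 # first day on which testing is authorised
    end: date                   # last day on which testing is authorised
    networks: list              # ip_network objects the client put in scope
    excluded_hosts: set         # ip_address objects the client carved out
    domains: set                # domains in scope (subdomains included)


# Constructed sample scope agreement (hypothetical client; documentation-only
# address ranges, so nothing here points at a real system).
SCOPE = Scope(
    client="Example Corp",
    start=date(2014, 11, 10),
    end=date(2014, 11, 21),
    networks=[ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/25")],
    excluded_hosts={ipaddress.ip_address("192.0.2.10")},   # production DB
    domains={"example.com"},
)


def in_scope(scope, target, when):
    """Return (allowed, reason) for an IP address or hostname on a given day.

    `when` is an ISO date string such as "2014-11-12"; the caller passes it
    explicitly so that the decision is reproducible from the test log.
    """
    day = date.fromisoformat(when)
    if not (scope.start <= day <= scope.end):
        return False, "outside the authorised testing window"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:                       # not an IP: treat as a hostname
        host = target.lower().rstrip(".")
        if host in scope.domains or any(host.endswith("." + d) for d in scope.domains):
            return True, "hostname within an in-scope domain"
        return False, "hostname not within any in-scope domain"
    if ip in scope.excluded_hosts:
        return False, "host explicitly excluded by the client"
    if any(ip in net for net in scope.networks):
        return True, "address within an in-scope network"
    return False, "address not within any in-scope network"


def filter_targets(scope, targets, when):
    """Split a candidate target list into (allowed, rejected_with_reasons)."""
    allowed, rejected = [], []
    for t in targets:
        ok, why = in_scope(scope, t, when)
        if ok:
            allowed.append(t)
        else:
            rejected.append((t, why))
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = filter_targets(
        SCOPE, ["192.0.2.5", "192.0.2.10", "203.0.113.7", "mail.example.com"],
        "2014-11-12")
    print("allowed:", ok)
    for target, why in bad:
        print("REJECTED", target, "-", why)
```

The exclusion list is checked before the network list on purpose: a carved-out host sits inside an in-scope network, so the order of the two checks decides whether the production database gets scanned. Hostnames are matched against the in-scope domains, but the address a hostname resolves to at test time should be run through the same check, since a name in scope can point at infrastructure that is not.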
Project Scope
Features to be tested include:
• Network security.
• System software security.
• Client-side application security.
• Client-side to server-side application communication security.
• Server-side application security.
• Social engineering.
• Dumpster diving.
• Inside accomplices.
• Physical security.
• Sabotage.
• Intruder confusion.
• Intrusion detection.
• Intrusion response.
When to Retest?
Retest when any of the following occurs:
• A previously unknown exploit for an operating system in use becomes known.
• Additional devices (firewalls, servers, routers, and so on) are added to the system.
• A service pack is installed to patch a recently discovered security hole.
• Log files have grown to the point that no free disk space is left.
Responsibilities
Who will be responsible for making sure that all the key testing activities take place on schedule?
• Team member building
• Assigning tasks
• Timelines
• Report writing and documentation personnel
Skills and Knowledge Required
Project management skills and knowledge:
• Client presentations
• Project planning and administration
• Effective communication (oral and written)
• Leadership
Policy examiner skills and knowledge:
• Research and analysis
• Security industry standards (ISO 17799, since renumbered ISO/IEC 27002; GASSP)
• Threat analysis
• Principles of security management
• Business continuity and disaster recovery standards
Technical examiner skills and knowledge:
• Client and server OS, NOS, UNIX, Linux, hardware devices
• Software and hardware configuration management
• Reported bugs and security flaws
• Network and system testing protocols and devices
• Physical plant security
Internal Employees
Work with internal employees (i.e., system administrators) to assist you with the project.
They can provide valuable experience and know-how.
Penetration Testing Teams
• Chief Penetration Tester
• Database and Application Expert
• Networking Expert
• Ethical Hacker
• Report and Documentation Writer
Tiger Team
A tiger team is a group of people hired to give details of the vulnerabilities present in the system.
They are also called red teams, ethical hackers, penetration testers, and intrusion testers.
This team prepares a report on the vulnerabilities present in the system, the attack methods, and how to defend against them.
Purpose:
• To evaluate what level of host and network security is adequate.
• To test the resources of the organization and to submit a report on attacks, threats, and so on.
• To simulate a real intruder's attack without causing any damage to the system.
Building Tiger Team
Your tiger team should consist of the following personnel:
• Chief Penetration Tester (CPO)
• Database and Application Expert
• Networking Expert
• Ethical Hacker
• Data Analyst
• Project Manager
• Report and Documentation Writer
If you are hiring temporary consultants, be sure to check their background and their history.
Questions to Ask Before Hiring Consultants to the Tiger Team
• How much industry experience do they have?
• How much technical experience do they have?
• Do they have a methodology?
• Who will ultimately do the work?
• What is their reputation?
• What is the final deliverable going to look like?
Meeting With the Client
Keep the client continuously informed about the project.
Status meetings: held during the engagement.
Deliverable template: sets the client's expectations for what the final document is going to look like.
Kickoff Meeting
The penetration testing kickoff meeting attendance should include the following people:
• Executive sponsor.
• Key stakeholders involved in the testing.
• Tiger team conducting the assessment.
Penetration Testing Project Plan
The plan should consist of the following:
Project definition:
• A short description of the purpose of the project; it must contain a statement of the benefit that doing the project will bring.
Project goal:
• One or two sentences that state what problem or weakness the project will address.
Objectives:
• A short list of objectives that have to be met to reach the project goal.
Success factors:
• Quantification of the benefits of doing the project; the success factor can be a detailed knowledge of the weaknesses in the organization's network.
Assumptions:
• Details of the strengths, weaknesses, opportunities, and threats involved in the project, but simplicity is the key.
Project Plan Overview
Test Plan Overview
Company Name
Project Title
Date
Scope
Test Plan Created by
Description
Work Breakdown Structure or Task List
Developing a task list means breaking down a piece of work into its component tasks.
Task status must be measurable.
Each task must be a clearly defined event with a clear start and a clear end.
Every task must have a deliverable.
Example: a task list records:
• Where the tasks start and end
• Time estimates
• Resources assigned to each task
• Task dependencies
Penetration Testing Schedule
Details of the test schedule must be documented in a separate deliverable and generated with the assistance of a project-scheduling tool.
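The task list above (start and end of each task, time estimates, assigned resources, dependencies) is exactly the input a scheduling tool turns into the schedule deliverable. The following is an added example, not EC-Council code and not the output of any tool the module lists, that performs that step for a constructed penetration test WBS: a critical path method forward and backward pass gives each task its earliest and latest dates and its slack, identifies the critical path that fixes the end date, and flags tasks the dependency graph allows in parallel but that the same person cannot do at once. The tasks, durations and resource names are constructed for illustration.

```python
"""Schedule a penetration test from its work breakdown structure.

Added example for this module; it is not EC-Council code and not the output
of any scheduling tool the module lists. The task list below is constructed:
each task has a duration in working days, an assigned resource and the tasks
it depends on. A forward and a backward pass (the critical path method) give
every task its earliest and latest start and finish, its slack, and the
critical path that fixes the engagement's end date; a final check flags
tasks that the dependency graph allows in parallel but that the same person
cannot do at once.
"""
from collections import deque

# Constructed WBS: task id -> (description, duration in days, resource, depends on)
WBS = {
    "1": ("Kickoff meeting and scope sign-off",    1, "PM",       []),
    "2": ("Information gathering",                 3, "Tester A", ["1"]),
    "3": ("Vulnerability analysis",                3, "Tester A", ["2"]),
    "4": ("External penetration testing",          4, "Tester B", ["3"]),
    "5": ("Internal network penetration testing",  4, "Tester A", ["3"]),
    "6": ("Social engineering",                    2, "Tester A", ["1"]),
    "7": ("Report writing",                        3, "Writer",   ["4", "5", "6"]),
    "8": ("Client readout and delivery",           1, "PM",       ["7"]),
}


def topological_order(wbs):
    """Kahn's algorithm. Raises on an unknown dependency or a cycle."""
    indeg = {t: 0 for t in wbs}
    succ = {t: [] for t in wbs}
    for t, (_, _, _, deps) in wbs.items():
        for d in deps:
            if d not in wbs:
                raise ValueError(f"task {t} depends on unknown task {d}")
            indeg[t] += 1
            succ[d].append(t)
    queue = deque(t for t in wbs if indeg[t] == 0)
    order = []
    while queue:
        t = queue.popleft()
        order.append(t)
        for s in succ[t]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(wbs):
        raise ValueError("dependency cycle in task list")
    return order, succ


def schedule(wbs):
    """Return ({task: (ES, EF, LS, LF, slack)}, critical_path, total_days).

    Day 0 is project start; a task occupying days [ES, EF) finishes at EF.
    """
    order, succ = topological_order(wbs)
    es, ef = {}, {}
    for t in order:                                   # forward pass
        es[t] = max((ef[d] for d in wbs[t][3]), default=0)
        ef[t] = es[t] + wbs[t][1]
    end = max(ef.values())
    ls, lf = {}, {}
    for t in reversed(order):                         # backward pass
        lf[t] = min((ls[s] for s in succ[t]), default=end)
        ls[t] = lf[t] - wbs[t][1]
    table = {t: (es[t], ef[t], ls[t], lf[t], ls[t] - es[t]) for t in wbs}
    critical = [t for t in order if table[t][4] == 0]
    return table, critical, end


def resource_conflicts(wbs, table):
    """Pairs of tasks given to one resource whose earliest windows overlap."""
    conflicts, tasks = [], list(wbs)
    for i, a in enumerate(tasks):
        for b in tasks[i + 1:]:
            if wbs[a][2] != wbs[b][2]:
                continue
            if table[a][0] < table[b][1] and table[b][0] < table[a][1]:
                conflicts.append((a, b, wbs[a][2]))
    return conflicts


if __name__ == "__main__":
    table, critical, end = schedule(WBS)
    print(f"{'id':>2}  {'ES':>2} {'EF':>2} {'LS':>2} {'LF':>2} slack  task")
    for t, (e_s, e_f, l_s, l_f, slack) in table.items():
        print(f"{t:>2}  {e_s:>2} {e_f:>2} {l_s:>2} {l_f:>2} {slack:>5}  {WBS[t][0]}")
    print("critical path:", " -> ".join(critical), f"({end} working days)")
    for a, b, who in resource_conflicts(WBS, table):
        print(f"conflict: {who} is assigned tasks {a} and {b} in the same window")
```

In the sample WBS the social engineering task has eight days of slack, so the reported conflict (Tester A is assigned both information gathering and social engineering from day 1) is resolved by moving the social engineering task later, not by extending the engagement; the critical path, and therefore the delivery date the client was promised, runs through the external and internal tests and the report.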
Penetration Testing Project Scheduling Tools
• Easy Schedule Maker: www.patrena.com
• FastTrack Schedule: www.aecsoft.com
• GigaPlan.net: www.gigaplan.com
• ManagePro: www.performancesolutionstech.com
• Microsoft Project: www.microsoft.com
• Niku: www.niku.com
• OpenAir: www.openair.com
• PlanView: www.planview.com
• Proj-Net: www.rationalconcepts.com
• ProjectKickStart: www.projectkickstart.com
• Project Dashboard: www.itgroupusa.com
• Project Office: www.pacificedge.com
• Time Disciple: www.timedisciple.com
• Various: www.primavera.com
• Xcolla: www.axista.com
• Gantt Chart: www.ganttproject.biz
Test Plan Checklist
Penetration Testing Hardware/Software Requirements
You will need the following hardware and software when conducting the test:
Laptop with the following:
• Windows XP/2000/2003 virtual server
• Red Hat Linux 9
• Wireless access points
• Wireless cards
• Huge hard disk, preferably 160 GB
Devices:
• Keyloggers
• Jamming devices
• Radio communication interceptors
• Telephone spying devices
• Wireless antennas
• Sniffing devices
Software:
• Hacking Tools CD-ROM (Linux version)
• Hacking Tools CD-ROM (Windows version)
• Penetration testing software (Core Impact)
• Vulnerability assessment tools
Note that radio jamming and telephone interception equipment is regulated or prohibited in many jurisdictions; confirm that its use is covered by the client's written authorization and by local law before it goes on the equipment list.
EC-Council's Vampire Box
The Vampire Box checks the firewall and network anti-virus software's capabilities.
No more guesswork or blind faith in the firewall systems.
Vampire Box is a powerful enterprise-class solution, which:
• Blasts Trojans and backdoor programs onto the network.
• Floods the network with NetBus, Back Orifice, Netcat, and other popular Trojans.
• Attacks the firewalls and antivirus systems with viruses and worms.
• Blasts the network with DoS packets and malformed TCP/IP packets.
• Generates huge network traffic by flooding the wire with junk data.
• Sends spyware and malicious programs onto the wire.
Begin Penetration Testing
The testing flow runs through the following stages in order:
Start Here
1. Information Gathering
2. Vulnerability Analysis
3. External Penetration Testing
4. Firewall Penetration Testing
5. Router and Switches Penetration Testing
6. Internal Network Penetration Testing
7. IDS Penetration Testing
8. Wireless Network Penetration Testing
9. Denial of Service Penetration Testing
10. Password Cracking Penetration Testing
11. Social Engineering Penetration Testing
12. Stolen Laptop, PDAs and Cell Phones Penetration Testing
13. Application Penetration Testing
14. Physical Security Penetration Testing
15. Database Penetration Testing
16. VoIP Penetration Testing
17. VPN Penetration Testing
18. War Dialing
19. Virus and Trojan Detection
20. Log Management Penetration Testing
21. File Integrity Checking
22. Blue Tooth and Hand-held Device Penetration Testing
23. Telecommunication and Broadband Communication Penetration Testing
24. Email Security Penetration Testing
25. Security Patches Penetration Testing
26. Data Leakage Penetration Testing
End Here
Summary
A test plan is a document that details the structure of conducting a penetration test.
You should develop the scope of the project in consultation with the client.
Skills and knowledge required include:
• Project management.
• Policy examiner.
• Technical examiner.
Developing a task list involves breaking down a piece of work into its component tasks.