Professionalizing Penetration Tests CORE SECURITY TECHNOLOGIES © 2002 Professionalizing...
Professionalizing Penetration Tests CORE SECURITY TECHNOLOGIES © 2002 http://www.corest.com
Professionalizing Penetration Testing
What will we discuss today?
Agenda
The Penetration Test
– What is it?
– How is it done?
Problems in the current practice
– Why do we need an improved approach?
Practical demonstration
What is a Penetration Test?
Rationale: “Improving the security of your site by breaking into it”
Dan Farmer & Wietse Venema, 1993, http://www.fish.com/security/admin-guide-to-cracking.html
A plausible definition: A localized and time-constrained attempt to breach the information security architecture using an attacker’s techniques
What are the goals of a Penetration Test?
Goals
To improve Information Security awareness
To assess risk
To mitigate risk immediately
To reinforce the Information Security process
To assist in decision making processes
To test the accuracy of the security policy in place
What are the final results?
Final Results
Clear description of scope and methodology
Reproducible and accountable process
High-level analysis and explanation (for upper/non-technical management)
General recommendations and conclusions
Detailed findings
Why do we care?
Growing Importance
Penetration tests have become an integral part of the standard security process
Governments are beginning to mandate periodic tests for certain agencies
Demand is rapidly increasing, and the process needs to be able to keep up
How are Penetration Tests done today?
Penetration Test Stages
Information Gathering
Information Analysis and Planning
Vulnerability Detection
Penetration
Attack/Privilege Escalation
Analysis and Reporting
Clean-up
[Diagram: Penetration Test Stages]
What works well today, and what does not?
Penetration Test Stages
Information Gathering
Information Analysis and Planning
Vulnerability Detection
Penetration
Attack/Privilege Escalation
Analysis and Reporting
Clean-up
[Diagram: Penetration Test Stages]
What are the problems today?
Problems with ‘Information Analysis and Planning’ Stage
Difficult and time consuming task of consolidating all information gathered and extracting high-level conclusions to help define the attack strategy
Hard to keep an up-to-date general overview of the components and their interaction
No specific tools aimed at addressing this phase
Experienced and knowledgeable resources are required for this stage; the overall time constraint could limit the extent of their work
What are the problems today? (cont.)
Problems with ‘Penetration’ Stage
Some tools available, but generally require customization and testing
Publicly available exploits are generally unreliable and require customization and testing
In-house developed exploits are generally aimed at specific tasks or engagements (mostly due to time constraints)
Knowledge and specialization required for exploit and tool development
Considerable lab infrastructure required for successful research, development and testing (platforms, OS flavors, OS versions, applications, networking equipment, etc.)
What are the problems today? (cont.)
Problems with ‘Attack/Privilege Escalation’ Stage
Some tools and exploits available, but usually require customization and testing (local host exploits, backdoors, sniffers, etc.)
Monotonous and time consuming task: setting up the new “acquired” vantage point (installing software and tools, compiling for the new platforms, taking into account configuration specific details, etc.)
Considerable lab infrastructure required for research, development, customization and testing
Lack of a security architecture for the Penetration Test itself
What are the problems today? (cont.)
Problems with ‘Analysis and Reporting’ Stage
Manually gathering and consolidating all the log information from all phases is time consuming, boring and prone to error
Logging of actions is left up to the team members and does not ensure compliance
Organizing the information in a format suitable for analysis and extraction of high-level conclusions and recommendations is not trivial
Writing of final reports is often considered the boring leftovers of the Penetration Test; security expertise and experience are required to ensure quality, but such resources could be better assigned to more promising endeavors
No specialized tools dedicated to cover these issues
What are the problems today? (cont.)
Problems with ‘Clean Up’ Stage
Requires a detailed and exact list of all actions performed, but logging of actions is still manual
Clean up of compromised hosts must be done securely and without affecting normal operations (if possible)
The clean up process should be verifiable and non-repudiable; the current practice does not address this problem
Clean up often left as a backup restore job for the Penetration Test customer, affecting normal operations and IT resources
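The two problems raised above, manual action logging in the Analysis and Reporting stage and a clean-up that cannot be verified, are addressed in practice by an append-only, tamper-evident action log. The following is an added example, not code from the slides or from CORE IMPACT: each logged action is hash-chained to the previous one, so later edits or deletions are detected, and the same log yields the exact per-host artifact checklist that clean-up requires. The hash chain gives tamper evidence only; true non-repudiation would additionally require a signature over the final digest, which is not shown here. Host names and artifact paths are constructed placeholders.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry

class EngagementLog:
    """Append-only, hash-chained log of tester actions (illustrative, not Core
    Impact's format). Each entry commits to the previous digest, so any edit or
    deletion of an earlier entry is caught by verify(); a truncated tail is only
    caught if the latest digest was shared out-of-band (e.g. with the customer)."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON so any tool recomputes the same digest for the same entry
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, host: str, action: str, artifact: str = "") -> None:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "host": host, "action": action,
                "artifact": artifact, "prev": prev}
        self.entries.append({**body, "digest": self._digest(body)})

    def verify(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def cleanup_checklist(self) -> dict[str, list[str]]:
        # Per-host artifacts that must be removed before the engagement is closed
        todo: dict[str, list[str]] = {}
        for e in self.entries:
            if e["artifact"]:
                todo.setdefault(e["host"], []).append(e["artifact"])
        return todo

def sample_log() -> EngagementLog:
    # Constructed sample actions; host names and paths are placeholders
    log = EngagementLog()
    log.append("dmz-web-01", "port scan")
    log.append("dmz-web-01", "installed agent", artifact="/tmp/agent.bin")
    log.append("backoffice-db-02", "connected through agent on dmz-web-01")
    log.append("backoffice-db-02", "created test account", artifact="user:pentest_tmp")
    return log
```

Handing the customer the final digest at the end of each day lets them later confirm that the clean-up checklist they received matches the log that was actually kept.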
So what does all that mean?
Inefficient due to reliance on disparate software packages and manual performance of tedious tasks
Informal and non-standardized
Difficult for companies to define and enforce their own methodology
Inconsistent in execution
Error-prone and sometimes NOT secure due to manual logging and clean-up
Difficult to centralize and share experience/knowledge across the firm
Expensive due to a steep learning curve and labor-intensiveness
Not very scalable
New tools are needed to improve the process
One possible solution to these problems: CORE IMPACT
CORE IMPACT
Provides a framework for Penetration Testing
Increases productivity
Builds knowledge and security expertise
Provides an open and extensible architecture
Brings the practice to a new quality standard
How does CORE IMPACT work?
The Model
– Simplifies and abstracts all the components of the system and their relations
– Provides a foundation on which to build
– Provides a common language
Agents - “The pivoting point” or “the vantage point”
– The context in which Modules are run
– Installable on any host
– Secure
– Remotely control other Agents
– Easy clean up
Modules - “Any executable task”
– Information gathering, attacks, reporting, scripting of other Modules
– Simple and easy to extend
– Have access to every tool together, under the same framework
What are the benefits?
Provides a framework that encompasses all the Penetration Testing phases
– Enables customers to define and standardize their own methodology
– Enforces the following of their methodology and ensures quality
Drastically reduces the time required to perform a Penetration Test
– Agent/Module architecture simplifies target penetration and privilege escalation
– Automates monotonous and time-consuming tasks
– Frees valuable resources to focus on the most important and difficult phases
Improves the security of the Penetration Testing practice
– Reduces errors, particularly in the clean-up stage
– Strong authentication and encryption between console and Agents
Enables knowledge acquisition and shared learning
– Entity Database consolidates all work done for future reference and use
Makes the Penetration Testing practice more professional and scalable
IMPACT DEMO
[Diagram: demo network layout showing the Pen Tester Console, the INTERNET, a DMZ and the Back Office Network]
CONTACT INFORMATION
44 Wall Street, New York, NY 10005, USA
Tel: (212) 461-2345
Fax: (212) [email protected]
Jeffrey Cassidy, Director of Business Development, [email protected]