Security Testing - dia.uniroma3.itpizzonia/ssir0708/study/SecurityTesting.pdf
© 2008 Open Consulting
Security Testing
Luigi Gangitano
The security process
Terminology
• Vulnerability scanning (automated, e.g. Nessus)
• Security Scanning (vulnerability scanning plus professional analysis)
• Penetration Testing (is there at least one way in?)
• Risk Assessment (on paper)
• Security Auditing (verification of the security measures in place)
• Ethical Hacking (multiple penetration tests, time-boxed)
• Security Testing
OSSTMM
• Open Source Security Testing Methodology Manual
• De-facto standard for Security Testing
• The manual is revised through an open-source review process
• Covers every phase of a security verification project, from marketing guidance to the format of the project documents
• Certifications (Tester, Analyst, Expert)
• Several revisions available (the most up-to-date one is paid)
• http://www.isecom.org
OSSTMM
• Covers all areas of information security
[Figure: security areas covered by OSSTMM: Process Security, Information Security, Physical Security, Internet Technology Security]
OSSTMM
• 6 modules:
  • Information security
  • Process security
  • Internet technology security
  • Communications security
  • Wireless channel security
  • Physical security
• Several activities are specified for each module
• All activities of a module must be carried out
Methodology
• Definition of the security state of the art for the environment under analysis
• Information gathering
• Execution of the security tests
• Measurement of the results (through RA, as the distance from the state of the art)
• Documentation of the results
An example
Detail of a test
• Definition of the expected results
  • Any vulnerabilities found
  • List of policies not complied with
  • List of methods used for the tests
  • Data collected during the tests
• Execution of the procedures specified in the test
  • Using automated tools
  • Through manual verification of the state of the systems
Report
Areas of analysis
• Security testing is not just nmap + nessus
• Physical security (access, controls, alarms, CCTV)
• Communications security (PBX, wardialing)
• Wireless channel security
  • 802.11*, Bluetooth, DECT, RFID, IR, Tempest
• Social Engineering
  • Information requests, invitations, impersonation
Prerequisites
• Commercial agreements
• Definition of the boundaries of the tests
• Definition of the duration of the tests
• Non Disclosure Agreement
Different levels of Security Testing
• Blind, Double blind
• Gray box, Double gray box
• Tandem
• Reversal