Penetration Testing with Confidence: 10 Keys to Success
-(slide 3) sometimes the role of the attacker is tricky for a defender
-(slide 5) Asking the right questions about the pentest is essential to success.
**Less about a step by step and more about asking the right questions to get the right pen test for the customer
-Is a pen test the type of assessment that is needed?
**Do you need to demonstrate the vulnerability, do you need to exploit it or is finding the vulnerability enough?
*Types of Assessments
-Security Policy Assessment
-What is the scope?
*if its a pen test, is the customer actually ready to have their network or application exploited
*possibility of system crashes and failures due to failed exploitation attempts
*pen tests are good for shock value, prove that someone can get in and access information
-Targets=which specific systems or networks?
-Depth=how far into the network can we go? need to work that out before you start.
**excluded systems are usually the most jacked up :-)
-What tests should be performed?
*Commonly excluded tests ;-(
**mostly because they are so effective
-Denial of Service
*but if its allowed, try to test specific cases that would be violations of policy or training, will people click on links in emails even though the user training says not to
-Are non-commercial tools allowed?
**Canvas, Core Impact, MSF, standalone exploits, BT are not necessarily "vetted" and you may need to get permission to use them
-What is the attacker's profile
*Professional versus amateur
-Target a network for information and money
-Non-targeted attack, attack of opportunity
*knowing what type of attacker will drive the types of tests you do
-Is it a White Box or Black Box test?
-Black=no knowledge minus left & right limits
*depending on the test drives the Path of least resistance and attack trees
-Try to strategize before hand, check out slides 19-22, consider making attack trees
-What are the time constraints?
-Duration of the test
-How to handle issues that may arise during the test?
-Target system crashed
-Sensitive data found
-You're not the first person on the box...eeeeek
*have a contact form for issues that come up
-What do you do with the results?
-Do I have explicit permission to perform the pen test
Friday, October 10, 2008