3.2 Penetration Testing

Week 3 Day 2 - Penetration Testing

Last Update Unknown

Security Assurance

Software security challenges:

  • The growing connectivity of devices through the Internet
  • The increasing extensibility of systems
  • The unbridled growth of the size and complexity of systems
  • The need, despite all of the above, to protect an organisation’s information assets


Various security assurance methods to address the security problem:

  • Proof of correctness (formal verification)
  • Layered design
  • Software engineering environments
  • Penetration testing

Penetration Testing

Penetration Testing is a series of activities undertaken to identify and exploit security vulnerabilities, and to confirm whether existing security measures are effective, so that weaknesses can be fixed before unauthorised users exploit them.


It involves hardware, software and people and is carried out by simulating an unauthorised user attacking the system, using a combination of automated tools and manual methods.


Active analysis of the system for any:

  • Potential vulnerabilities
  • Poor or improper system configuration
  • Hardware & software flaws
  • Operational weaknesses


Penetration Testing vs. Security Functional Testing

Penetration testing:

  • How difficult it is for someone to penetrate an organisation's security controls and gain unauthorised access to its information and information systems

Security functional testing:

  • Correct behaviour of the system’s security controls

Penetration Testing Benefits

Business Perspective

  • Safeguards the organisation against failure by preventing financial loss
  • Proves due diligence and compliance to industry regulators, customers and shareholders
  • Preserves corporate image
  • Rationalises information security investment
  • Organisations spend millions of dollars to recover from a security breach due to:
    • Notification costs
    • Remediation efforts
    • Decreased productivity
    • Lost revenue
    • Lost reputation
  • Can identify and address risks before security breaches occur
    • Prevent financial loss caused by security breaches
    • Prevent loss of consumer confidence
    • Prevent loss of business reputation
    • Provide a “proof of issue” and a solid case for proposal of investment to senior management

Operational Perspective

Helps shape information security strategy through:

  • Quick and accurate identification of vulnerabilities
  • Proactive elimination of identified risks
  • Implementation of corrective measures
  • Enhancement of IT knowledge
  • Prioritising and implementing corrective measures for reported known vulnerabilities

Penetration Testing Process

  • Entails a lot of time, effort and knowledge.
  • Enhances the knowledge and skill level of anyone involved in the process

Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.

Vulnerability: Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorised access to an asset.

Risk: The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.

Exploit: A software program that has been developed to attack an asset by taking advantage of a vulnerability


Penetration Testing Strategies

Information based

Black Box Penetration Testing

  • "Blind testing"
  • Testers have no knowledge about the test target
  • Testers have to figure out the loopholes of the system on their own from scratch
  • Simulates the actions and procedures of a real outside attacker who has no information concerning the test target

White Box Penetration Testing

  • "Targeted testing"
  • Testing team and organisation work together to do the test
  • Testers are provided with all the necessary information about the test target
  • Information provided to the tester prior to test

Grey Box Penetration Testing

  • Testers are given partial information about the test target (for example, an architecture overview or a low-privilege account)
  • Testers need to gather further information themselves before conducting the test
  • Simulates an attacker with some insider knowledge, or an outsider who has already gained a foothold

Objectives based

External Testing

Attacks on the test target using procedures performed from outside the organisation that owns the test target
Objective >> to find out:
  • If an outside attacker can get in
  • What an attacker could exploit once they have gained access

Internal Testing

Performed from within the organisation that owns the test target

Objective >> to find out:

  • How much damage a disgruntled employee could cause
  • What could happen if the test target was successfully penetrated by an authorised user with standard access privileges

Penetration Testing Types

Areas to test in penetration testing:

  • The physical structure of the system
  • The logical structure of the system
  • The response or workflow of the system

Network

First step:

  • To identify security gaps or flaws in the:
    • Design
    • Implementation
    • Operation of the organisation’s network


Second step:

  • Perform analysis and exploits to assess network devices and maintenance connections in order to penetrate the test target


Application

  • An attack simulation intended to expose how effective an organisation's application security is
  • Highlights risks posed by actual exploitable vulnerabilities

Social Engineering

  • Preys on human interaction to obtain or compromise information about an organisation and its computer systems
  • To test the ability of the organisation to prevent unauthorised access to its information and information systems
  • To determine the level of security awareness among the employees in the organisation that owns the target system

Penetration Testing Phases

How to conduct penetration testing:

  • It is not the serial execution of automated tools and generation of complex technical reports
  • It should provide a clear and concise direction on:
  • How to secure an organisation’s information and information systems from real world attacks

Three phases:

  • Test preparation
  • Test
  • Test analysis

Or:

  • Pre-attack
  • Attack
  • Post-attack


Test Preparation

All the necessary documents for the test are organised and finalised during test preparation phase.

The testers and the organisation meet to decide the:

  • Scope
  • Objectives
  • Timing
  • Duration of the test


The tester and organisation sign legal agreements for:

  • Information leakage
  • Downtime

Test

The bulk of the penetration testing process is done during the test phase using a variety of automated tools and manual methods involving:

  • Information gathering
  • Vulnerability analysis
  • Vulnerability exploits

Information Gathering

  • Tester scans the physical and logical areas of the test target
  • Identify all pertinent information needed in the vulnerability analysis phase

Vulnerability Analysis

Based on the information gathered or information provided by the organisation.

Tester then analyses the vulnerabilities within the:

  • Target’s network
  • Host
  • Application

using:

  • Manual methods
  • Automated tools


Vulnerability Exploits

Exploits are found and run for the vulnerabilities identified in the previous steps.

When exploits do not lead to what is intended, for example, root access, then further analysis should be done

Loop between:

  • Vulnerability analysis phase
  • Vulnerability exploit phase
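The information-gathering and vulnerability-analysis steps above, as an added example that is not part of the original notes: a TCP connect scan with banner grabbing (the job the page's Nmap and SuperScan entries describe under "port scanning" and "determine which services are running") against a few constructed listeners on 127.0.0.1, followed by a lookup of the grabbed banners against a hypothetical list of known-weak versions. The daemon names, versions, banners and the weak-version list are all assumptions made for this example; nothing leaves the loopback interface.

```python
"""TCP connect scan plus banner grab against a constructed local target.

Added example (not from the original notes): it stands in for the
information-gathering step, the way Nmap or SuperScan would enumerate
open TCP ports and the services behind them, but runs offline on
127.0.0.1 using only the standard library.
"""
import socket
import threading

# Constructed banners for the fake listeners; daemon names and versions
# are hypothetical, chosen only so the scan has something to identify.
FAKE_BANNERS = [
    "220 exampleftpd 1.0 ready\r\n",
    "SSH-2.0-examplesshd_2.1\r\n",
    "220 mail.example.test ESMTP examplesmtpd\r\n",
    "",  # accepts the connection but sends nothing
]

# Hypothetical "known weak" versions for the vulnerability-analysis step
# (a real engagement would consult a CVE database instead).
KNOWN_WEAK_VERSIONS = {"exampleftpd 1.0"}


def _serve(listener, banner):
    """Accept, send the banner, close: the behaviour of a chatty daemon."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:  # listener closed
            return
        with conn:
            conn.sendall(banner.encode())


def start_fake_services(banners=FAKE_BANNERS):
    """Bind one listener per banner on an ephemeral port; return {port: banner}."""
    ports = {}
    for banner in banners:
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))
        listener.listen(16)
        ports[listener.getsockname()[1]] = banner
        threading.Thread(target=_serve, args=(listener, banner), daemon=True).start()
    return ports


def unused_port():
    """Reserve and release an ephemeral port so the scan also sees a closed one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def scan(host, ports, timeout=1.0):
    """TCP connect scan: {port: banner}; None means closed or unreachable.

    A port that accepts the connection but stays silent is reported with
    an empty banner, not as closed: "open" and "identified" differ.
    """
    results = {}
    for port in sorted(ports):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.settimeout(timeout)
                try:
                    data = sock.recv(256)
                except socket.timeout:
                    data = b""
            results[port] = data.decode("utf-8", errors="replace").strip()
        except OSError:  # refused, unreachable or connect timed out
            results[port] = None
    return results


def service_guess(banner):
    """Rough service identification from the first line a daemon sends."""
    if banner is None:
        return "closed"
    if banner == "":
        return "open (no banner)"
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 "):
        return "smtp" if "smtp" in banner.lower() else "ftp"
    return "unknown"


def find_known_weak(results, weak_versions=KNOWN_WEAK_VERSIONS):
    """Vulnerability-analysis step: match grabbed banners against weak versions."""
    return sorted((port, version) for port, banner in results.items()
                  for version in weak_versions if banner and version in banner)


if __name__ == "__main__":
    findings = scan("127.0.0.1", list(start_fake_services()) + [unused_port()])
    for port, banner in findings.items():
        print(f"{port}/tcp {service_guess(banner):18} {banner or ''}")
    print("weak versions:", find_known_weak(findings))
```

A connect scan completes the TCP handshake on every port, so it is the noisiest option and shows up in the target's connection logs; that is acceptable in a white box test that the organisation has agreed to, but it is one reason the rules of engagement fixed during test preparation should say which hosts and ports may be touched.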

Test Analysis

During this phase, the results of the test are thoroughly investigated and provided to the organisation.

The results must be comprehensive and systematic and are used to prepare a mitigation plan.


Penetration Testing Tools

Some Penetration Testing Tools:
  • Nmap
  • Hping
  • SuperScan
  • Xprobe2
  • P0f
  • Httprint
  • Nessus
  • Shadow Security Scanner
  • GFI LANguard
  • Brutus
  • Hydra
  • Metasploit Framework

Nmap

Specific Purpose:

  • Network scanning
  • Port scanning
  • OS detection

Cost:

  • Free

Portability:

  • Linux, Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, SunOS, Amiga

Hping

Specific Purpose:

  • Port scanning
  • Remote OS fingerprinting

Cost:

  • Free

Portability:

  • Linux, FreeBSD, NetBSD, OpenBSD, Solaris, Mac OS X, Windows

SuperScan

Specific Purpose:

  • Detect open TCP/UDP ports
  • Determine which services are running on those ports
  • Run queries like whois, ping, and hostname lookups

Cost:

  • Free

Portability:

  • Windows 2000/XP/Vista/7

Xprobe 2

Specific Purpose:

  • Remote active OS fingerprinting
  • TCP fingerprinting
  • Port scanning

Cost:

  • Free

Portability:

  • Linux

p0f

Specific Purpose:

  • OS fingerprinting
  • Firewall detection

Cost:

  • Free

Portability:

  • Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, AIX, Windows
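Passive fingerprinting of the kind p0f performs, as an added example that is not p0f's own code or signature database: the block parses the IPv4 and TCP headers of a single SYN with struct, derives the fields p0f keys on (the guessed initial TTL and hop count, the DF bit, the window size expressed relative to the MSS where it is a multiple, and the option layout) and matches the resulting signature string against a small constructed table. The sample packets are built in the block itself (checksums left zero, never sent), and the three table entries and their labels are hypothetical.

```python
"""Passive OS fingerprinting from a single TCP SYN, in the style of p0f.

Added example, not p0f's code or signature database: it parses the IPv4
and TCP headers of a SYN with struct, derives the fields p0f keys on
(initial TTL guess, DF bit, window size relative to MSS, option layout)
and matches the resulting signature against a small constructed table.
The sample packets and the labels in the table are hypothetical.
"""
import struct

# Constructed signature table. Real p0f signatures are richer and the
# database is large; these three entries exist only for the demo.
SAMPLE_SIGNATURES = {
    "64:mss*44:df:mss,nop,ws,nop,nop,sok": "sample stack A (hypothetical)",
    "128:65535:df:mss,nop,ws,nop,nop,sok": "sample stack B (hypothetical)",
    "255:16384:.:mss,nop,ws": "sample stack C (hypothetical)",
}

# Encoders for the TCP options used to build the constructed SYNs.
OPT_NOP = b"\x01"
OPT_SACKOK = b"\x04\x02"


def opt_mss(mss):
    return struct.pack("!BBH", 2, 4, mss)


def opt_ws(shift):
    return struct.pack("!BBB", 3, 3, shift)


def build_syn(ttl, window, df, options):
    """Constructed IPv4+TCP SYN (checksums left zero; never put on the wire)."""
    opts = b"".join(options)
    opts += b"\x00" * (-len(opts) % 4)              # pad to a 32-bit boundary
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHLLBBHHH", 40000, 80, 1, 0, doff << 4, 0x02,
                      window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def parse_options(raw):
    """Return (option layout in order, {mss, wscale}); reject bad lengths."""
    names, fields, i = [], {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                # end of option list
            names.append("eol")
            break
        if kind == 1:                                # NOP carries no length
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):      # malformed option
            raise ValueError(f"bad length {length} for option kind {kind}")
        data = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            fields["mss"] = struct.unpack("!H", data)[0]
            names.append("mss")
        elif kind == 3 and length == 3:
            fields["wscale"] = data[0]
            names.append("ws")
        elif kind == 4 and length == 2:
            names.append("sok")
        elif kind == 8 and length == 10:
            names.append("ts")
        else:
            names.append(f"?{kind}")
        i += length
    return names, fields


def fingerprint(pkt, signatures=SAMPLE_SIGNATURES):
    """Parse a SYN and return the derived fields plus the signature match."""
    if len(pkt) < 40 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    if pkt[9] != 6:
        raise ValueError("not TCP")
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    off_res, flags, window = struct.unpack("!BBH", tcp[12:16])
    if (flags & 0x12) != 0x02:                       # SYN set, ACK clear
        raise ValueError("not a pure SYN")
    names, fields = parse_options(tcp[20:(off_res >> 4) * 4])
    # Observed TTL = initial TTL minus hops travelled; initial values
    # cluster at 32, 64, 128 and 255, so round up to the nearest one.
    ittl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    mss = fields.get("mss")
    win = f"mss*{window // mss}" if mss and window % mss == 0 else str(window)
    sig = f"{ittl}:{win}:{'df' if df else '.'}:{','.join(names)}"
    return {"ttl": ttl, "ittl": ittl, "hops": ittl - ttl, "df": df,
            "window": window, "mss": mss, "wscale": fields.get("wscale"),
            "signature": sig, "label": signatures.get(sig, "unknown")}


if __name__ == "__main__":
    syn = build_syn(61, 64240, True, [opt_mss(1460), OPT_NOP, opt_ws(7),
                                      OPT_NOP, OPT_NOP, OPT_SACKOK])
    print(fingerprint(syn))
```

Because nothing is sent to the target, this kind of analysis can run on a packet capture taken anywhere on the path, which is why p0f is listed as a passive tool; the option-length checks matter because a fingerprinter that trusts the length byte in a hostile SYN is itself an attack surface.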

Httprint

Specific Purpose:

  • Web server fingerprinting
  • Detect web enabled devices (e.g., wireless access points, routers, switches, modems) which do not have a server banner string
  • SSL detection

Cost:

  • Free

Portability:

  • Linux, Mac OS X, FreeBSD, Win32 (command line and GUI)
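Server fingerprinting from response structure rather than from the banner, as an added example that is not Httprint's own code or signature database: the block keeps a few constructed reference responses, builds a signature from the HTTP version, the exact reason phrase and the order and spelling of the header names (with the Server header deliberately left out), matches an unknown response against those references, and then reports whether the Server banner agrees with the structural match. This is the situation the Httprint entry describes: a device with no banner, or a server whose banner has been changed, still identifies itself by how it behaves. The reference responses, server labels and banner strings are all constructed for the example.

```python
"""Web-server fingerprinting from response structure, Httprint-style.

Added example, not Httprint's code or signature database. The Server
header can be removed or faked, but the order and spelling of the headers
a server emits and its status-line wording are much harder to change, so
a structural fingerprint still identifies the server and also exposes a
banner that disagrees with it. The sample responses are constructed (not
real captures) and the server labels are hypothetical.
"""

# Constructed reference responses keyed by a hypothetical server label.
REFERENCE_RESPONSES = {
    "server A": (b"HTTP/1.1 200 OK\r\n"
                 b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                 b"Server: exampled/1.0\r\n"
                 b"Last-Modified: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                 b"Content-Type: text/html\r\n"
                 b"Connection: close\r\n\r\n<html></html>"),
    "server B": (b"HTTP/1.1 200 OK\r\n"
                 b"Server: otherhttpd\r\n"
                 b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                 b"Content-Type: text/html\r\n"
                 b"Content-Length: 13\r\n"
                 b"Connection: keep-alive\r\n\r\n<html></html>"),
    "server C": (b"HTTP/1.0 200 Ok\r\n"
                 b"Content-type: text/html\r\n"
                 b"Content-length: 13\r\n\r\n<html></html>"),
}


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...])."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line {line!r}")
        headers.append((name.decode("latin-1"), value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers


def banner(raw):
    """What a plain banner grab reports: the Server header value, if any."""
    _, headers = parse_response(raw)
    return next((value for name, value in headers if name.lower() == "server"), None)


def structural_signature(raw):
    """Version, reason phrase (case kept) and header names in emission order.

    The Server header is left out on purpose: it is freely configurable,
    whereas the rest reflects how the server software is written.
    """
    status, headers = parse_response(raw)
    version, _, reason = status.partition(" ")
    names = [name for name, _ in headers if name.lower() != "server"]
    return f"{version}|{reason}|{'>'.join(names)}"


def identify(raw, references=REFERENCE_RESPONSES):
    """Match on structure, then report whether the banner agrees with it."""
    sig = structural_signature(raw)
    match = next((label for label, ref in references.items()
                  if structural_signature(ref) == sig), "unknown")
    claimed = banner(raw)
    consistent = None if match == "unknown" else claimed == banner(references[match])
    return {"signature": sig, "match": match, "banner": claimed,
            "banner_consistent": consistent}


if __name__ == "__main__":
    disguised = REFERENCE_RESPONSES["server A"].replace(
        b"Server: exampled/1.0", b"Server: disguised/9.9")
    print(identify(disguised))
```

A real signature database would also record how each server answers deliberately malformed requests (a bad method, an unsupported version), which adds distinguishing behaviour beyond header order; the matching logic is the same as above, just with more probes per target.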

Nessus

Specific Purpose:

  • Detect vulnerabilities that allow remote cracker to control or access sensitive data
  • Detect misconfigurations, default passwords and denial-of-service exposures

Cost:

  • Free personal / non-enterprise editions

Portability:

  • Mac OS X, Linux, FreeBSD, Oracle Solaris, Windows, Apple

Shadow Security Scanner

Specific Purpose:

  • Detect network vulnerabilities, audit proxy and LDAP servers

Cost:

  • Free trial version

Portability:

  • Windows, but can scan servers built on any platform

GFI LANguard

Specific Purpose:

  • Detect network vulnerabilities

Cost:

  • Free trial version

Portability:

  • Windows Server 2003/2008, Windows 2000 Professional, Windows 7 Ultimate/ Vista Business/XP Professional/Small Business Server 2000/2003/2008

Brutus

Specific Purpose:

  • Telnet, ftp, and http password cracker

Cost:

  • Free

Portability:

  • Windows 9x/NT/2000

Hydra

Specific Purpose:

  • Fast network logon cracker supporting many protocols

Cost:

  • Free (GPLv3)

Portability:

  • Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1, OpenBSD, OSX
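What a network logon cracker such as Brutus or Hydra does, as an added example that is not either tool's code: one credential pair per request against an HTTP Basic-auth target, stopping at the first success. The target is a throwaway server started on 127.0.0.1 inside the block, and it locks a username after five bad attempts; the attack loop treats a lockout response as a reason to stop rather than as a failure to push past, because a blind wordlist run against a real system locks out every account it touches, which is exactly the kind of downtime the legal agreements in test preparation are meant to cover. The credential store, wordlist, lockout threshold and the 423 status used to signal a lockout are all constructed for the example.

```python
"""Dictionary logon attack against a constructed HTTP Basic-auth target.

Added example, not Hydra's or Brutus's code: one password per request,
stop on the first success, and stop on lockout. The target is an
in-process server on 127.0.0.1; credentials, wordlist and the lockout
policy (five failures, then HTTP 423) are all constructed.
"""
import base64
import hmac
import http.client
import http.server
import threading

VALID_CREDENTIALS = {"alice": "winter2024!"}   # constructed
LOCKOUT_THRESHOLD = 5                          # constructed policy
WORDLIST = ["password", "123456", "winter2024!", "qwerty", "letmein",
            "admin", "welcome", "summer2023"]  # constructed


def _decode_basic(header):
    """Return (user, password) from a Basic header, or ('', '') if unusable."""
    if not header.startswith("Basic "):
        return "", ""
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return "", ""
    user, _, password = raw.partition(":")
    return user, password


class TargetHandler(http.server.BaseHTTPRequestHandler):
    """Checks Basic auth and locks a username after too many failures."""
    failures = {}                 # per-username failure counters, shared
    lock = threading.Lock()

    def do_GET(self):
        user, password = _decode_basic(self.headers.get("Authorization", ""))
        with self.lock:
            if self.failures.get(user, 0) >= LOCKOUT_THRESHOLD:
                self.send_response(423)       # Locked
                self.end_headers()
                return
            expected = VALID_CREDENTIALS.get(user, "")
            ok = user in VALID_CREDENTIALS and hmac.compare_digest(
                expected.encode(), password.encode())
            if not ok:                        # unknown users count too
                self.failures[user] = self.failures.get(user, 0) + 1
        if ok:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"welcome\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.end_headers()

    def log_message(self, *args):            # keep the demo output quiet
        pass


def start_target():
    """Serve the handler on an ephemeral loopback port; returns the server."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def dictionary_attack(host, port, user, wordlist):
    """Try each password once; stop on success or on a lockout response."""
    for attempt, candidate in enumerate(wordlist, 1):
        token = base64.b64encode(f"{user}:{candidate}".encode()).decode()
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request("GET", "/", headers={"Authorization": "Basic " + token})
            status = conn.getresponse().status
        finally:
            conn.close()
        if status == 200:
            return {"outcome": "found", "password": candidate, "attempts": attempt}
        if status in (423, 429):   # lockout or rate limit: stop, report it
            return {"outcome": "locked_out", "attempts": attempt}
    return {"outcome": "exhausted", "attempts": len(wordlist)}


if __name__ == "__main__":
    target = start_target()
    port = target.server_address[1]
    print(dictionary_attack("127.0.0.1", port, "alice", WORDLIST))
    print(dictionary_attack("127.0.0.1", port, "bob", WORDLIST))
    target.shutdown()
```

Two details worth noticing on the defending side: the counter is keyed on the username so that a valid account is locked after the same number of attempts as a nonexistent one (no user enumeration through the lockout), and the password comparison uses a constant-time function so that response timing does not leak how many characters matched.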

Metasploit Framework

Specific Purpose:

  • Develop and execute exploit code against a remote target
  • Test vulnerability of computer systems

Cost:

  • Free

Portability:

  • Unix-like systems and Windows