Security and Penetration Testing
Agenda: What are we going to talk about …
● Introduction to Information Security and Security Testing
● Introduction to Vulnerability Scanning, Penetration Testing, and Ethical Hacking
● Overview of Penetration Testing Methodologies
● Penetration Testing Steps
● Overview of the Pen-Test Legal Framework
● Pen-Test Deliverables
Copyright © by QAInfoTech. All rights reserved.
What is information security
Information security is the process of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. The goal is to protect the confidentiality, integrity and availability of information.
Confidentiality - Confidentiality means preventing the disclosure of information to unauthorized individuals or systems.
Integrity - In information security, integrity means that data cannot be modified without authorization.
Availability - For any information system to serve its purpose, the information must be available when it is needed.
Information security categories
● Computer Security
● Network Security
● Web Application Security
● Code Review
● Threat Modeling
● Forensics
● Security Practice
Security Testing
Vulnerability Scanning
❏ Vulnerability scanning can help you secure your own network, or it can be used by the bad guys to identify weaknesses in your system and mount an attack against them. The idea is for you to use vulnerability scanning (VS) tools to identify and fix these weaknesses before the bad guys use them against you.
❏ The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.
❏ Different scanners accomplish this goal through different means. Some look for signs such as registry entries in Microsoft Windows operating systems, while others may actually exploit the vulnerability on network devices.
Penetration Testing
❏ It simulates the methods that intruders use to gain unauthorized access to an organization’s network and systems in order to compromise them.
❏ The purpose is to test the security implementations and security policy of an organization.
❏ A penetration tester’s intent in gaining unauthorized access to an organization’s network is very different from a hacker’s.
❏ A penetration tester lacks malice and uses their skills to improve an organization’s network security.
Ethical Hacking
❏ An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit.
❏ This work is ethical because it is performed to increase the safety of the computer systems, but only at the request of the company that owns the system and specifically to prevent others from attacking it.
❏ Ethical hacking is also known as penetration testing, intrusion testing and red teaming.
Need for Security and Penetration Testing
❏ Direct impact of a security breach on the corporate asset base and goodwill.
❏ Increasing complexity of computer infrastructure administration and management.
❏ Evolution of technology focused on ease of use.
❏ Increased network environment and network-based applications.
❏ Decreasing skill level needed to create exploits.
Essential Terminologies
❏ Threat
❏ Vulnerability
❏ Target of evaluation
❏ Attack
❏ Exploit
Essential Terminologies (cont.)
Phases of Penetration Testing
Phase I: Reconnaissance
Reconnaissance is the preparatory phase, in which a penetration tester gathers as much information as possible about a target of evaluation prior to launching an attack.
Phase II: Scanning
Phase III: Gaining Access
❏ Gaining access refers to the penetration phase. The pen tester exploits the vulnerability in the system.
❏ Examples include buffer overflows, denial of service, session hijacking, and password cracking.
❏ Influencing factors include the architecture and configuration of the target system, the skill level of the perpetrator, and the initial level of access obtained.
❏ Business risk: Highest. The hacker can gain access at the operating system, application, or network level.
Phase IV: Maintaining Access
❏ This is the phase in which the pen tester tries to retain ownership of the system.
❏ Hackers, however, may also harden the system against other hackers (to own the system), securing their exclusive access with backdoors, rootkits, or Trojans.
❏ Hackers can upload, download, or manipulate data, applications, and configurations on the owned system.
Phase V: Clearing Tracks
❏ Refers to the activities that the hacker carries out to hide his misdeeds.
❏ Reasons include the need for a prolonged stay, continued use of resources, and removing evidence of hacking.
❏ Examples include steganography, tunnelling, and altering log files.
❏ A pen tester should watch out for this kind of activity on the system.
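A defender-side check for the log-file alteration named above, as an added example that is not part of the original slides: it flags timestamp regressions and long silent gaps, two traces that deleted or rewritten entries tend to leave. The log format, the sample lines, the function name `find_log_anomalies` and the 15-minute gap threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: "<ISO 8601 timestamp> <message>" lines (assumed format).
# Line 4 follows a 45-minute silence; line 5 is older than the line before it.
SAMPLE_LOG = """\
2024-03-01T10:00:05 sshd[811]: Accepted publickey for deploy from 192.0.2.5
2024-03-01T10:01:10 sudo: deploy : COMMAND=/usr/bin/systemctl status app
2024-03-01T10:02:00 app[902]: health check ok
2024-03-01T10:47:30 app[902]: health check ok
2024-03-01T10:45:12 sshd[960]: Accepted password for root from 192.0.2.9
2024-03-01T10:48:00 sshd[960]: session closed for user root
"""


def find_log_anomalies(text, max_gap=timedelta(minutes=15)):
    """Return (line_no, kind, detail) tuples for timestamp anomalies.

    kind is "gap" (silence longer than max_gap), "out_of_order"
    (timestamp earlier than one already seen) or "unparsable".
    """
    findings = []
    latest = None  # newest timestamp seen so far
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        stamp = line.split(" ", 1)[0]
        try:
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            findings.append((line_no, "unparsable", stamp))
            continue
        if latest is not None:
            if ts < latest:
                findings.append((line_no, "out_of_order", f"{ts} precedes {latest}"))
            elif ts - latest > max_gap:
                findings.append((line_no, "gap", str(ts - latest)))
        # Keep the newest timestamp so one stray line does not hide later ones.
        latest = ts if latest is None else max(latest, ts)
    return findings


if __name__ == "__main__":
    for finding in find_log_anomalies(SAMPLE_LOG):
        print(finding)
```

A quiet host produces gaps legitimately, so the threshold has to be tuned per log source, and findings are leads to investigate rather than proof of tampering.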
Always Remember
❏ If a hacker wants to get inside your system, he/she will, and there is nothing you can do about it.
❏ The only thing you can do is make it harder for him to get in.
What does a Penetration Tester Do?
A penetration tester tries to answer the following questions:
❏ What can the intruder see on the target system? (Reconnaissance and Scanning phases)
❏ What can an intruder do with that information? (Gaining Access and Maintaining Access phases)
❏ Does anyone at the target notice the intruders’ attempts or successes? (Reconnaissance and Clearing Tracks phases)
Overview of the Pen-Test Deliverables
The main deliverable is the Pen Testing Report:
❏ List of your findings, in order of highest risk
❏ Analysis of your findings
❏ Conclusion or explanation of your findings
❏ Remediation measures for your findings
❏ Log files from tools that provide supporting evidence of your findings
❏ Executive summary of the organization’s security posture
❏ Name of the tester and the date testing occurred
❏ Any positive findings or good security implementations
Thank You
info@qainfotech.com www.qainfotech.com