Friday, October 10, 2008

Notes from SANS Penetration Testing with Confidence Webcast

SANS Webcast

Penetration Testing with Confidence: 10 Keys to Success

Lenny Zeltser

-(slide 3) sometimes the role of the attacker is tricky for a defender
-(slide 5) Asking the right questions about the pentest is essential to success.
**Less about a step by step and more about asking the right questions to get the right pen test for the customer

Question #1
-Is a pen test the type of assessment that is needed?
**Do you need to demonstrate the vulnerability, do you need to exploit it or is finding the vulnerability enough?

*Types of Assessments
-Vulnerability Assessment
-Security Policy Assessment
-Penetration Test

Question #2
-What is the scope?

*if its a pen test, is the customer actually ready to have their network or application exploited
*possibility of system crashes and failures due to failed exploitation attempts
*pen tests are good for shock value, prove that someone can get in and access information

*Scope Questions

-Targets=which specific systems or networks?
-Depth=how far into the network can we go? need to work that out before you start.
-Exclusions=self explanatory
**excluded systems are usually the most jacked up :-)

Question #3
-What tests should be performed?

*Commonly excluded tests ;-(
**mostly because they are so effective
-Denial of Service
-Physical Security
-Social Engineering
*but if its allowed, try to test specific cases that would be violations of policy or training, will people click on links in emails even though the user training says not to
-War Dialing
-Client-side Attacks

Question #4
-Are non-commercial tools allowed?
**Canvas, Core Impact, MSF, standalone exploits, BT are not necessarily "vetted" and you may need to get permission to use them

Question #5
-What is the attacker's profile

*Professional versus amateur
-Target a network for information and money
-Non-targeted attack, attack of opportunity
*knowing what type of attacker will drive the types of tests you do

Question #6
-Is it a White Box or Black Box test?

-White=full knowledge
-Black=no knowledge minus left & right limits
*depending on the test drives the Path of least resistance and attack trees
-Try to strategize before hand, check out slides 19-22, consider making attack trees

Question #7
-What are the time constraints?

-Duration of the test
-Timing restrictions

Question #8
-How to handle issues that may arise during the test?

-Target system crashed
-Sensitive data found
-You're not the first person on the box...eeeeek
*have a contact form for issues that come up

Question #9
-What do you do with the results?

Question #10
-Do I have explicit permission to perform the pen test

-Written permission...CYA

No comments: