Sam Cook April 18, 2013. Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.

Slides:



Advertisements
Similar presentations
ETHICAL HACKING A LICENCE TO HACK
Advertisements

Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.
Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Computer Security and Penetration Testing
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
IBM Security Network Protection (XGS)
Comp 8130 Presentation Security Testing Group Members: U Hui Chen U Ming Chen U Xiaobin Wang.
Vulnerability Assessment Course Terms, Methodology, Preparation, Obstacles, and Pitfalls.
Network security policy: best practices
VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.
The Business of Penetration Testing
Introduction to Network Defense
 Discovered in June/July 2010  Targeted Siemens software and equipment running Microsoft Windows  First malware for SCADA systems to spy and subvert.
Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.
Website Hardening HUIT IT Security | Sep
Performing a Penetration Test.  Penetration Tester  Attempts to reveal potential consequences of a real attack  Security Audit / Vulnerability Assessment.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Pen testing to ensure your security
Information Systems Security Computer System Life Cycle Security.
What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.
SATAN Presented By Rick Rossano 4/10/00. OUTLINE What is SATAN? Why build it? How it works Capabilities Why use it? Dangers of SATAN Legalities Future.
© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.
# Ethical Hacking. 2 # Ethical Hacking - ? Why – Ethical Hacking ? Ethical Hacking - Process Ethical Hacking – Commandments Reporting.
OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Introduction: Information security services. We adhere to the strictest and most respected standards in the industry, including: -The National Institute.
Module 11: Designing Security for Network Perimeters.
HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action.
PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.
CSCE 548 Secure Software Development Security Operations.
Module 7 – Gaining Access & Privilege Escalation  Phase II  Controls Assessment  Scheduling ○ Information Gathering ○ Network Mapping ○ Vulnerability.
Module 5 – Vulnerability Identification  Phase II  Controls Assessment  Scheduling ○ Information Gathering ○ Network Mapping ○ Vulnerability Identification.
Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Network Forensics - III November 3, 2008.
Ethical Hacking License to hack. OVERVIEW Ethical Hacking ? Why do ethical hackers hack? Ethical Hacking - Process Reporting Keeping It Legal.
Computer Security By Duncan Hall.
Web Security Introduction to Ethical Hacking, Ethics, and Legality.
Kali Linux BY BLAZE STERLING. Roadmap  What is Kali Linux  Installing Kali Linux  Included Tools  In depth included tools  Conclusion.
Penetration Testing By Blaze Sterling. Roadmap What is Penetration Testing How is it done? Penetration Testing Tools Kali Linux In depth included tools.
Vulnerability Analysis Dr. X. Computer system Design Implementation Maintenance Operation.
Risk Assessments in Many Flavors George J. Dolicker, CISA, CISSP.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Defining your requirements for a successful security (and compliance
Information Systems Security
Securing Information Systems
Botnets A collection of compromised machines
CYBERSECURITY SOLUTIONS
Topic 5 Penetration Testing 滲透測試
A Comprehensive Security Assessment of the Westminster College Unix Lab Jacob Shodd.
Secure Software Confidentiality Integrity Data Security Authentication
Penetration Testing Karen Miller.
Threats to computers Andrew Cormack UKERNA.
Penetration Test Debrief
Botnets A collection of compromised machines
CIS 359 Education for Service-- snaptutorial.com.
SEC 420 StrCompetitive Success/tutorialrank.com
CIS 359 Teaching Effectively-- snaptutorial.com
Topic 5: Communication and the Internet
11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
8 Reasons You Need a Security Penetration Test
Strategic threat assessment
Ethical Hacking ‘Ethical hacking’ is the branch of computer science that involves cybersecurity and preventing cyberattacks. Ethical hackers are not malicious.
Engineering Secure Software
Chapter 1 Key Security Terms.
Presentation transcript:

Sam Cook April 18, 2013

Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade

What is penetration testing? Penetration Testing or Pen Testing: The practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit by simulating attacks from both internal and external threats Goals Determine the adequacy of security measures Identify security deficiencies Recommend training

Why penetration test? An attacker will find the vulnerability View network the same way an attacker would Providing additional insight into security posture Assess the implementation status of system security Provide a reference point for corrective action

Penetration Testing is NOT Hacking Hacking Pen Testing No time limit No limitations Unknown objectives Illegal Limited time Well defined scope Clearly defined goals Legal

Real world examples Stuxnet Used the same infection vector as the Conficker worm Spread via USB flash drives Exploited hardcoded passwords PlayStation Network Breach Leaked millions of users’ unencrypted personal data Intruders exploited a vulnerability in application server through a flaw not known to Sony Suspected to have exploited by a modified PS3 firmware known as Rebug

Performing a penetration test Phases of a penetration test: ProfilingEnumerationVulnerability AnalysisExploitationReporting

Profiling Research phase Passive Reconnaissance Strategy Obtain publicly available information on target Tactics Query publicly accessible data sources Observe physical defenses Covertly survey company and employees

Enumeration Discovery Phase Active Reconnaissance Strategy Find detailed information Find possibly vulnerable points of entry Tactics Map the network Analyze and identify each individual host Survey physical security mechanisms Compile list of possible entry points for an attacker

Vulnerability Analysis Systematic examination of vulnerabilities Procedure Using all the information gathered in the previous phases, identify vulnerabilities in the system Tactics Prioritize analysis of commonly misconfigured services Use automated tools if applicable/available

Exploitation Gaining access Procedure Verify previously identified vulnerabilities by attempting to exploit them Show what access can be gain and what assets can be affected

Reporting The important part Procedure Compile findings into a complete report Include methods as well Make suggestions to fix vulnerabilities

Styles of Penetration Testing Blue Team Tested as a trusted insider with complete access Perform a through survey of systems with complete access to systems to determine any vulnerabilities or misconfigurations. Attempts to provide an exhaustive listing of potential vulnerabilities

Styles of Penetration Testing Red Team Test done as an external hacker Attempt to penetrate defenses any way possible Only attempts to find single point of entry

Pen Testing Tools Backtrack Custom Linux Distribution

Pen Testing Tools Metasploit Exploitation framework

Pen Testing Tools Wireshark Network traffic monitoring tool

Questions?

Sources bnx0dXBlbnRlc3R8Z3g6NzAzYmZlOWEwNmRjMDc2ZQ was-hacked 8.html

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.