Security Technologies: Penetration Testing - PowerPoint PPT Presentation

Provided by: aaronla3

1
Security Technologies: Penetration Testing
  • Kenneth Balogh
  • Aaron Lafferty

2
Learning Objectives
Upon completion of this material, you should be able to:
  • Understand the definition of Penetration Testing
  • Become familiar with Open Source Tools that
    assist in Penetration Testing
  • Understand the key terms and critical concepts of
    the testing methodology
  • Identify different organizations to assist in
    testing and standards

3
What is Penetration Testing?
  • Definition: a method of evaluating the security
    of a computer system or network by simulating an
    attack by a malicious user.
  • Why: security issues that are found will be
    presented, along with an assessment of their
    impact and often with a proposal for mitigation
    or a technical solution.

4
Methodology
  • Types of testing
  • White box: The tester has complete knowledge of
    the internal network.
  • Not the most representative of outside attacks,
    but the most accurate, because it represents the
    worst-case scenario where the attacker has
    complete knowledge of the network.
  • Black box: The tester has no prior knowledge of
    the network.
  • Gray box: Simulates an inside employee. Assesses
    internal threats from employees.

5
Planning
  • Scope of Testing: define what is meaningful to
    the client; budget constraints
  • Use of Social Engineering: the process of
    human-based manipulation to achieve access
  • Session Hijacking: taking over a TCP session
    between machines. Can disrupt day-to-day
    operations; not always permitted
  • Trojans/Backdoors: get client permission before
    using these tools; they can cause other damage
  • Confidentiality of Report and Results
  • How/Where to Store Results? Destroy?

6
Testing
  • Penetration testing is divided into five
    stages:
  • Reconnaissance: the initial stage of collecting
    information on the target network
  • Scanning (Enumeration): the process of querying
    active systems to grab information on network
    shares, users, groups and specific applications
  • Obtaining Access: the actual testing
  • Maintaining Access: allowing the tester a
    backdoor in the exploited system for future
    attacks
  • Erasing Evidence: the process of deleting log
    file entries so that it appears the system was
    never exploited

7
Organizations
  • Open Source Security Testing Methodology Manual
    (OSSTMM)
  • Open Web Application Security Project (OWASP)

8
Open Source Security Testing Methodology Manual
(OSSTMM)
  • The Open Source Security Testing Methodology
    Manual (OSSTMM) is a peer-reviewed methodology
    for performing security tests and metrics.
  • The OSSTMM focuses on the technical details of
    exactly which items need to be tested, what to do
    before, during, and after a security test, and
    how to measure the results.
  • Areas of Security: Information, Process,
    Internet Technology, Communications, Wireless,
    Physical; each section is further divided into
    smaller sub-modules.

9
Open Web Application Security Project (OWASP)
  • The Open Web Application Security Project (OWASP)
    is dedicated to finding and fighting the causes
    of insecure software. The OWASP Foundation is a
    not-for-profit charitable organization, and
    participation is free and open to all.
  • Focuses mainly on web applications and services

10
Nessus
  • Nessus is a vulnerability scanner.
  • Has both an open source (FREE as in LUNCH!)
    version and a pay-for-support option.
  • Tenablesecurity.com provides support and hosting.
  • Checks for both local and remote vulnerabilities.

11
Nessus
  • Plugin based; the free section is 7 days behind
    the paid subscription.
  • Plugins written in Nessus Attack Scripting
    Language (NASL).
  • Can write your own plugins!

12
Nessus
  • Daemon and Client Configuration.
  • Daemon primarily written for *NIX, but Windows
    ports exist.
  • Client written for most common operating systems.

17
Metasploit
  • Open Source Platform (FREE as in BEER!).
  • Allows for Design and Testing of exploit code.
  • Interface through HTML (localhost website) GUI or
    CLI console.

18
Metasploit
  • Used as a tool for penetration testing as well as
    exploit development.
  • Real strength is separation of exploit code from
    payload code.
  • Contains hooks that can make it difficult to
    detect forensically

23
Summary
  • Different types of testing methods
  • Proper Test Planning
  • Different Organizations to provide different
    security data
  • Several Tools available for testing