Network Penetration Testing

1
Network Penetration Testing

• Jack Jones, CISSP, CISA
• Director of Information Security
• Nationwide

2
Purpose

• The Network Penetration Test
• What it is...
• What it isnt
• What it should be...
• How to get the most from it...

3
Agenda

• Defining the Penetration Test
• Attack Profiles
• Engagement Approach
• Vendor Selection
• Rules of Engagement
• Reporting
• Making Use of the Results

4
Defining the Test

• Three Primary Purposes...
• Punching a Ticket
• Proving a Point
• Testing

5
Defining the Test

• Understand the Limitations
• Point-in-time snapshot
• Can NEVER be considered 100 comprehensive
• Constrained by time and resources

6
Defining the Test

• Setting Test Goals
• Audit versus validation
• What constitutes success/failure?
• Breach the perimeter?
• Gain control?
• Access critical or sensitive data?
• All of the above (a.k.a. unrestricted)?
• Technical versus operational emphasis

7
Attack Profiles

• External Testing
• Internet
• Dial-up
• Other (e.g., via trusted networks...)
• Internal Testing
• Social Engineering
• Denial of Service (DoS)
• Applications?

8
Approach

• Overt versus Covert?
• Informed versus Blind?
• Pre-assessment versus Post-assessment?

9
Approach

• Overt Advantage
• Better coordination less risk
• Covert Advantages
• More accurate results
• Better test of personnel and procedure

10
Approach

• Informed Advantages
• Better use of engagement time/resources
• More thorough results
• Less risk
• Levels the playing field...
• Blind Advantages

11
Approach

• Pre-assessment Advantages
• More realistic results
• More effective for proving a point
• Post-assessment Advantage
• Better as a test/audit
• More thorough

12
Vendor Selection

• Everybody seems to offer it.
• How to choose?

13
Vendor Selection

• Keys to finding the right vendor
• Experience (who)
• Methodology (how)
• Rationale (why)
• How much ()

14
Vendor Selection

• Experience
• No ex-hackersplease
• Professional organizations
• Strong technical backgrounds
• Certifications are a plus

15
Vendor Selection

• Methodology
• Engagement Approach
• Attack Profiles
• Tools (commercial versus proprietary)
• Communication
• Reporting

16
Vendor Selection

• Rationale
• Not all penetration tests are created equal...
• Why THEIR methodology
• Make them explain it to you

17
Rules of Engagement

• The First Rule of Medicine
• Do No Harm

18
Rules of Engagement

• Lessen Risk of...
• Accidental Denial of Service
• Destruction of Data
• Better results
• Clearer Communications Expectations
• Greater Flexibility
• Due Diligence!

19
Rules of Engagement

• Critical Rules
• Clearly defined goals
• Scope
• What is off-limits (systems, networks, data,
  activities)
• Timing
• Lines of communication
• Issue resolution

20
Reporting

• Whats That Again?

21
Reporting

• Reporting is key to realizing value
• Reports Should NOT be...
• Computer-generated boiler-plate

22
Reporting

• Reports Should Have...
• No false positives
• Prioritized results
• Separate executive and technical sections
• Exposures described in terms of business risk!
• Resolution resource requirements
• Real-world recommendations

23
Using the Results

• Why Were We Doing This
• in the First Place?

24
Using the Results

• Identify and Understand
• Were the goals met?
• Is further assessment required?
• What are the most severe exposures?
• Resolution Efforts
• Prioritized from a cost/risk perspective
• Sponsored by management
• Implemented!

25

• Questions?