Penetration Testing: Don't Just Leave It to Chance

Posted on 06-Apr-2017

Page 1: Penetration Testing: Don't Just Leave It to Chance

Name of the Speakers: Anish Cheriyan, Director, Quality and Centre of Excellence - Cyber Security

Sriharsha Narayanam, Test Architect and Cyber Security Test Engineering - COE Team

Company Name: Huawei Technologies India Private Limited

Page 2

Topics
• Introduction
• Principles of Security for Secure Products
• Security in Product Development Life Cycle
• Penetration Testing Approach
• Details of Pen Test
• Cyber Security - a mindset and some anti-patterns
• Conclusion

Page 3

Image: http://einstueckvomglueck.com/wp-content/uploads/2010/11/philiplumbang.jpg

Page 4

Image: http://thevarguy.com/site-files/thevarguy.com/files/archive/thevarguy.com/wp-content/uploads/2008/12/canonical-unison-attack-microsoft-exchange.jpg

Just Attack Testing

Page 5

Images: http://thevarguy.com/site-files/thevarguy.com/files/archive/thevarguy.com/wp-content/uploads/2008/12/canonical-unison-attack-microsoft-exchange.jpg and http://7428.net/wp-content/uploads/2013/05/Color-Feather.jpg

Feather Touch Testing

Page 6

Image: http://blog.courtmetrange.eu/?attachment_id=1487

Time Bound Testing

Page 7

Image: http://www.zazzle.com/innocent+until+proven+guilty+gifts

Page 8

Build Security In - Some Perspective

Page 9

The Principles - Secure Software Design
• Favor simplicity
  ◦ Use fail-safe defaults
  ◦ Do not expect expert users
• Trust with reluctance
  ◦ Employ a small trusted computing base
  ◦ Grant the least privilege possible
  ◦ Promote privacy
  ◦ Compartmentalize
• Defend in depth
  ◦ Use community resources - no security by obscurity
• Monitor and trace

Reference: Software Security by Michael Hicks, Coursera

Page 10

Favor Simplicity

Reference: Software Security by Michael Hicks, Coursera

Page 11

Favor Simplicity: Fail-Safe Defaults

Page 12

Favor Simplicity: Do Not Expect Expert Users

Page 13

Trust with Reluctance (TwR)

Page 14

Trust with Reluctance (TwR) - Trusted Computing Base

Page 15

Trust with Reluctance (TwR) - Least Privilege

Page 16

Trust with Reluctance (TwR) - Compartmentalization

Page 17

Defend in Depth

www.unicomlearning.com/ethicalhacking

Page 18

Defend in Depth - Use Community Resources

Page 19

Monitoring and Traceability

Page 20

Top 10 Flaws. Do Not...

Page 21

Building Security in the Product Development Life Cycle

Requirement:
• General Security Requirement Analysis
• Attack Surface Analysis
• Threat Modeling - STRIDE (Microsoft)
• Testability Analysis

Design:
• Secure Architecture and Design
• Security Design guidelines
• Security Test Strategy and Test Cases

Coding:
• Secure Coding Guidelines (cert.org is a good reference)
• Static check tools like Fortify, Coverity (Ref: owasp.org)
• Code Reviews

Testing:
• Security Test Cases
• Penetration Testing Approach (Reconnaissance, Scanning, Attack, Managing access)

Release:
• Anti Virus
• Continuous Delivery System (Inspection and Secure Test)

Page 22

Threat Modeling

Reference: https://msdn.microsoft.com

Identify assets. Identify the valuable assets that your systems must protect.

Create an architecture overview. Use simple diagrams and tables to document the architecture of your application, including subsystems, trust boundaries, and data flow.

Decompose the application. Decompose the architecture of your application, including the underlying network and host infrastructure design, to create a security profile for the application.

Identify the threats. Keeping the goals of an attacker in mind, and with knowledge of the architecture and potential vulnerabilities of your application, identify the threats that could affect the application.

Document the threats. Document each threat using a common threat template that defines a core set of attributes to capture for each threat.

Rate the threats. Rate the threats to prioritize and address the most significant threats first.

Pages 23-25

Threat Modeling Diagram - a simple example (three diagram slides)

Reference: https://msdn.microsoft.com

Page 26

Secure Architecture and Design Perspective

Reference: https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet#DRAFT_CHEAT_SHEET_-_WORK_IN_PROGRESS

Business Requirements:
• Business Model
• Data Essential
• End Users
• Third Party
• Administrators
• Regulations

Page 27

Secure Code Perspective

Reference: https://owasp.org

• Input Validation
• Output Encoding
• Authentication and Password Management
• Session Management
• Access Control
• Cryptographic Practices
• Error Handling and Logging
• Data Encryption
• Communication Security
• System Configuration
• File Management
• Memory Management
• General Coding Practices

Page 28

Secure Code Perspective - Code Review

Further Reading: Threat Modeling - Frank Swiderski, Window Snyder; A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World - http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of-code-later/fulltext

Flow: Trust boundary code (from the Threat Model) -> Static Tool Execution -> Manual Code Review

While doing the code review, take as inputs the code in the trust boundary and the issues reported by static tools like Fortify, Coverity etc., and use them to put the focus of the code review at the right place.
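An added example of the prioritization this slide describes (not code from the slides or from Huawei): static-analysis findings are ranked for manual review by severity and by whether the threat model places the file on a trust boundary. The finding shape, file names, tool names and weights are constructed assumptions, not the real Fortify or Coverity report formats.

```python
# Added example, not from the slides: focus a manual code review by joining
# static-analysis findings with the trust boundaries from the threat model.
# Finding shape, file names and tool names are constructed for illustration
# (not the real Fortify or Coverity report formats).

# Files the threat model places on a trust boundary (constructed).
TRUST_BOUNDARY_FILES = {"web/login.c", "api/upload.c", "net/parser.c"}

# Constructed findings: (tool, file, line, severity, triage status).
FINDINGS = [
    {"tool": "sast-A", "file": "web/login.c", "line": 42, "severity": "High", "status": "open"},
    {"tool": "sast-B", "file": "net/parser.c", "line": 117, "severity": "Medium", "status": "false_positive"},
    {"tool": "sast-A", "file": "util/strings.c", "line": 9, "severity": "High", "status": "open"},
    {"tool": "sast-B", "file": "api/upload.c", "line": 300, "severity": "Low", "status": "open"},
]

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
BOUNDARY_BONUS = 3  # assumed weight: a trust-boundary file outranks severity alone


def review_priority(finding):
    """Score one finding for manual review, or None if it can be left as triaged.

    A finding dismissed as a false positive is accepted only when its file is
    outside every trust boundary; on a boundary file it stays in the queue so
    the reviewer re-checks the dismissal (the anti-pattern on slide 41)."""
    on_boundary = finding["file"] in TRUST_BOUNDARY_FILES
    if finding["status"] == "false_positive" and not on_boundary:
        return None
    score = SEVERITY_RANK.get(finding["severity"], 0)
    return score + BOUNDARY_BONUS if on_boundary else score


def review_queue(findings):
    """Return (priority, file, line, status) tuples, highest priority first."""
    scored = []
    for f in findings:
        p = review_priority(f)
        if p is not None:
            scored.append((p, f["file"], f["line"], f["status"]))
    scored.sort(key=lambda row: (-row[0], row[1], row[2]))
    return scored


if __name__ == "__main__":
    for row in review_queue(FINDINGS):
        print(row)
```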

Page 29

Secure Testing (Pen Test) Perspective

Phases: Reconnaissance, Scanning, Attack, Managing Access

Test Strategy:
• Information Gathering (about the system, environment etc.)
• Scan the system
• Threat Analysis
• Usage of the static analyzer (run Fortify, Coverity, AppScan, Nessus, NMAP etc.)
• Right tool usage
• Vulnerability Analysis
• Fuzz Testing
• Penetration testing
• Use / develop the right set of tools to attack
• Raise Defects

Page 30

Validation Approach of ABC (Assume Nothing, Believe Nobody, Check Everything)

Picture Courtesy: http://sd.keepcalm-o-matic.co.uk/i/assume-nothing-believe-nobody-and-check-everything--1.png

Page 31

Security Test Strategy - Inputs
• Understand the typical application scenario. Analyse the system topology, architecture etc.
• Analyse the Threat Model and the security design, and identify the trust boundaries. Apply Penetration Test Analysis and Design.
• Review and analyse the open source and third-party software.
• Analyse the reports of static (non-dynamic) analysis tools like Fortify, Coverity.
• Analyse information like the communication matrix, product manual, etc.
• Conduct code verification from the security perspective.
• Conduct penetration testing (Information gathering, Scanning, Attack, Defects).

Page 32

Security Test Strategy - What to Cover?
• Web Security
• Network Security
• DB Security
• OS Security
• Mobile Security
• Open Source Security
• Password Security
• Tools to be used
• Code Vulnerabilities Validation
• Penetration Test Analysis and Design
• Top 3 Attacks to be Focused
• Customer Deployment Topology
• Threat Modeling based Scenarios
• Penetration Test Approach
• Attack Vectors / Surface
• Automation?
• Country Specific Security
• Test Case Database
• Good practice inheritance from security defects from the past

Page 33

Penetration Testing Analysis - overall flow

Output: Penetration Test Scenarios, Penetration Test Cases, Defects

1. Damage potential assessment
2. New test cases

Page 34

Reconnaissance / Information Gathering

Reconnaissance is the first and the key phase of penetration testing, where the information is gathered.

The more time you spend collecting information on your target, the more likely you are to be successful in the later phases. There can be a checklist-based approach for information gathering, but it need not be constrained to the list.

Information Gathering helps teams to think about the product properties upfront.

Category | Suggestive information to be gathered / verified | Actual Information
General Information | List of IP addresses that can be scanned; Target OS and file permission information; Information about the LOG FILE and their paths; Information about the DATA FILE location and their format; Storage mechanism of the USERNAME/PASSWORD of the application | 
... and so on

Page 35

Reconnaissance / Information Gathering

A few tools for Web Application Reconnaissance: Wappalyzer, Passive Recon, Groundspeed [http://www.slideshare.net/groundspeed/groundspeed-presentation-at-the-owasp-nynj]

Page 36

Security Tools and Version Analysis

Software | URL | Description
Maltego | http://www.paterva.com/web5 | The de facto standard for mining data on individuals and companies. Comes in a free community version and a paid version.
Nessus | http://tenable.com/products/nessus | A vulnerability scanning tool available in paid and free versions. Nessus is useful for finding and documenting vulnerabilities, mostly from the inside of a given network.
IBM AppScan | http://www-01.ibm.com/software/awdtools/appscan | IBM's automated Web application security testing suite.
eEye Retina | http://www.eeye.com/Products/Retina.aspx | Retina is an automated network vulnerability scanner that can be managed from a single web-based console. It can be used in conjunction with Metasploit: if an exploit exists in Metasploit, it can be launched directly from Retina to verify that the vulnerability exists.
Nexpose | http://www.rapid7.com | Nexpose is a vulnerability scanner from the same company that brings you Metasploit. Available in both free and paid versions that differ in levels of support and features.
OpenVAS | http://www.openvas.org | OpenVAS is a vulnerability scanner that originally started as a fork of the Nessus project. The actual security scanner is accompanied by a daily updated feed of Network Vulnerability Tests (NVTs), over 20,000 in total (as of January 2011).
HP WebInspect | https://www.fortify.com/products/web_inspect.html | HP WebInspect performs web application security testing and assessment for complex web applications. Supports JavaScript, Flash, Silverlight and others.
HP SWFScan | https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf | HP SWFScan is a free tool developed by the HP Web Security Research Group to automatically find security vulnerabilities in applications built on the Flash platform. Useful for decompiling Flash apps and finding hard-coded credentials, etc.
THC IPv6 Attack Toolkit | http://www.thc.org/thc-ipv6 | The largest single collection of tools designed to exploit vulnerabilities in the IPv6 and ICMP6 protocols.

Pen Test Tools and Guidelines: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

Tools analysis helps the teams to select the applicable tools upfront and build the required competency to use them / acquire licenses, well before the test execution phase.

Page 37

Scanning is the phase where the vulnerabilities and the weak areas in the system / target are identified.

Tools are to be finalized based on the application scope.

• Based on the Threat Modeling Analysis, understand the Trust Boundary.
  ◦ Analyse the present risk mitigation mechanism and derive test scenarios.
  ◦ Analyse the proposed risk mitigation mechanism and devise test scenarios.
• Threat Modeling analysis is to be done both at the system and at the sub-system level.

System Scanning and further Analysis

Category | Tool / Technique | Applicability Analysis
Scanning of the system under test using a Static Code Analyzer | Fortify, Coverity | 
Determining if a system is alive | | 
Scanning Application | AppScan, Acunetix, RSAS, QRADAR ... | 
... and so on

Test Scenarios from Threat Modeling Analysis

Entity or Process | Threat Type | Applicable? | Test Scenario based on Current Mitigation | Test Scenario based on Proposed Mitigation
Requirement 1 | S | Yes | | 
Requirement 1 | T | No | | 
Requirement 1 | R, I, D, E | | | 
... and so on

Page 38

System and Feature level Vulnerability Analysis

Vulnerability analysis is the process in which the vulnerability analysis of the system and its features is conducted. The various ways in which it can be done are:
◦ Threat Modeling analysis
◦ Reconnaissance - Information Gathering
◦ System level vulnerability based on the security area (overlaps with Threat Modeling Analysis)
◦ Feature level vulnerability based on the security area (overlaps with Threat Modeling Analysis)

Security Area | Does this feature interact with a trust boundary? | SSL configuration used | Encryption algorithm used | Anti-attack protection | Identity management | Password management
System Level Analysis | | | | | | 
Feature 1 | | | | | | 
... and so on
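An added example of filling the feature-level columns of the table above with an actual check (not code from the slides or from Huawei): each feature in a constructed inventory is analysed against a baseline for the slide's security areas, and the feature findings are rolled up into the system-level row. The inventory, the baseline values and the weak-setting markers are constructed assumptions, not a real product checklist.

```python
# Added example, not from the slides: a feature-level vulnerability analysis
# over the security areas in the table above. The feature inventory and the
# baseline values are constructed assumptions, not a real product checklist.
BASELINE = {
    "tls_versions": {"TLSv1.2", "TLSv1.3"},            # accepted protocol versions
    "weak_cipher_markers": ("RC4", "DES", "NULL", "EXPORT", "MD5"),
    "password_hashes": {"bcrypt", "scrypt", "argon2", "pbkdf2"},
}

# Constructed inventory, one entry per feature (the rows of the slide's table).
FEATURES = [
    {"name": "Feature 1: admin portal", "trust_boundary": True,
     "tls_versions": {"TLSv1.0", "TLSv1.2"},
     "ciphers": {"AES128-GCM-SHA256", "RC4-SHA"},
     "anti_attack": {"rate_limit": True, "lockout": False},
     "identity": {"mfa": False}, "password_hash": "md5"},
    {"name": "Feature 2: internal metrics", "trust_boundary": False,
     "tls_versions": {"TLSv1.3"}, "ciphers": {"AES256-GCM-SHA384"},
     "anti_attack": {"rate_limit": True, "lockout": True},
     "identity": {"mfa": False}, "password_hash": "argon2"},
]


def analyse_feature(feature):
    """Return (security area, finding) pairs for one feature.
    MFA is only demanded where the feature crosses a trust boundary."""
    findings = []
    legacy = feature["tls_versions"] - BASELINE["tls_versions"]
    if legacy:
        findings.append(("SSL configuration used", "legacy protocol(s): " + ", ".join(sorted(legacy))))
    weak = {c for c in feature["ciphers"]
            if any(m in c for m in BASELINE["weak_cipher_markers"])}
    if weak:
        findings.append(("Encryption algorithm used", "weak cipher(s): " + ", ".join(sorted(weak))))
    if not feature["anti_attack"]["lockout"]:
        findings.append(("Anti-attack protection", "no account lockout"))
    if feature["trust_boundary"] and not feature["identity"]["mfa"]:
        findings.append(("Identity management", "no MFA on a trust-boundary feature"))
    if feature["password_hash"] not in BASELINE["password_hashes"]:
        findings.append(("Password management", "fast/unsalted credential hash: " + feature["password_hash"]))
    return findings


def system_level_analysis(features):
    """Roll feature findings up to the system level: area -> number of features affected."""
    totals = {}
    for f in features:
        for area in {a for a, _ in analyse_feature(f)}:
            totals[area] = totals.get(area, 0) + 1
    return totals
```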

Page 39

Systematic Penetration Testing - Defect Examples
• Web server version based defects
• Encryption issues
• Address ID issue
• Session ID based privilege escalation
• CSRF issue - form key
• User scenario based SQL injection

Page 40

Penetration Testing Practice Platforms

Page 41

Some Anti-Patterns
• Attack surface analysis and threat modeling not deeply practiced
• Secure design and code practices not practiced well
• Ignoring some errors of Fortify / Coverity and other tools, sometimes considering them as false positives
• Relying too much on testing: "This is not a valid scenario. Customer would never test this way."
• "Innocent until proven" - it should be "Guilty unless proven"

Reference: Software Security by Michael Hicks, Coursera

Page 42

Conclusion
• Build security into the life cycle of product development
• Focus on security competency
• Assume Nothing, Believe Nobody, Check Everything.
• Follow the penetration test design methods: Reconnaissance - Scanning - Attack - Manage Access.

Page 43

Page 44

References and Further Reading
• www.cert.org
• www.owasp.org
• http://pr.huawei.com/en/connecting-the-dots/cyber-security/
• http://pr.huawei.com/en/connecting-the-dots/cyber-security/hw-401493.htm#.VV6DBfBCijM
• https://msdn.microsoft.com/en-us/security/aa570330.aspx
• Building Secure Software - John Viega, Gary McGraw
• Coursera Course - Software Security by Michael Hicks, University of Maryland

Page 45

THANK YOU

Organized by: UNICOM Trainings & Seminars Pvt. [email protected]

www.unicomlearning.com/IT_Security_and_Ethical_Hacking

Speaker Name: Anish Cheriyan, Sriharsha Narayanam

Email ID: [email protected], @anishcheriyan

[email protected]