Security Testing
Test Process Flow
• Info gathering
• Planning
• Execution
• Closeout

Testing Methodology
• Recon
• Mapping
• Discovery
• Exploitation
– Post-exploitation
• Reporting

(Diagram: the Recon, Mapping, Discovery and Exploitation phases)
Testing Checklist
(Diagram: Info Gathering/Planning, Recon, Mapping, Discovery, Exploitation, Post-exploitation, Risk Analysis, Reporting)
• Functional Analysis
• Process Flow Mapping
• Request/Response Mapping

Security Testing Checklist
Phases: Info Gathering, Planning, Execution, Closeout

Info Gathering
• Notification of a request for testing
• Questionnaire and checklist is sent
• Questionnaire is returned with project documentation
• Tester assigned to project (if not already assigned)
Planning
• Review documentation
• Conduct interview with analyst/developer
• Application walkthrough
• Set the schedule
• Write Ready for Test
• Conduct a kickoff meeting
• Verify necessary access
• Recon phase of testing (Checklist - Recon and analysis)
Execution
Host Assessment (Checklist – Assess application hosting & configuration management)
• Patches and updates
• Ports/Services
• CIS Benchmarks
• OS/Web Server/DB configuration
Web Application
• Mapping
– Functional Analysis
– Process flow mapping
– Request/response mapping
• Discovery (Covered by TSB checklist)
– Configuration Management Testing
– Authentication Testing
– Session Management Testing
– Authorization Testing
– Business Logic Testing
– Data Validation Testing
• Exploitation
• Post-exploitation
Closeout
• Remove false positives
• Risk analysis
• Compute CVSS score
• Conduct a findings meeting with the project
• Write final report
Weekly Status Reports
• Follow the template
• Set verbosity to “3”
• Include where you are in the process and the methodology
• Show progress
• Include non-test related items (demos, research, etc)

Post Testing Findings
• Schedule it for after the test, while writing the final report
• May provide helpful insight that is useful during the reporting process
• Assures that there are no surprises in the Final Report
Automated tool output
• Verify issues
• Provide clearer explanations
• Tune risk levels
• Provide custom recommendations
• Prioritize recommendations
Writing of Issues
• Be concise and direct
• Include
– description of the issue (how it is)
– how to reproduce it
– why it occurred (i.e. root cause)
– why it is a security issue (significance of the impact)
– recommendations on how to remediate the issue (how it should be)
– CVSS risk
• Should be able to fill out a CVSS calculator
Questions that should be taken into consideration and answered
• What assets are affected?
• What population of people have access to this exploit?
• What is the level of difficulty?
• What is the frequency that this exploit happens “in the wild”?
• What controls are in place that would mitigate the ability of someone to exploit this?

The issue is not written until these 2 questions can be answered by the audience:
– Will the reader understand why this is a security risk?
– Will the reader understand how to fix the issue?
Why exploit?
• Find things that automated tools can’t or won’t
• Reduces false positives
• Improves the report
– Saying that the password policy is weak and passwords and PII shouldn’t be stored in plain text
• True, but understated
– Saying we were able to crack a user’s password and then obtain user IDs, passwords and PII (in detail)
• More powerful
• Identifies root causes efficiently and effectively
• Leads to more security issues that otherwise may have been missed
• Threat modeling is important
• CVSS scores each vulnerability separately
Final Report
• Executive Summary
– 3-6 key findings (root causes)
– Highlight business impact
– Explain the levers management can pull to change root causes
Non-Technical Skills
• Project Management
• Education
– Staying up to date and learning new technologies

• Teaching
– Being able to explain new concepts and share knowledge

• Research
• BS Management (people skills & business skills)
• Writing
– Being able to explain and influence other people

• Attack modeling
– Having a security mindset
Technical Skills (The Baseline)
• Master of an OS (and some web server knowledge)
– Linux
– Windows
• In depth knowledge of TCP/IP
• Basic Scripting
– BASH, Perl, Python
– JavaScript
• Databases and SQL
• Learn how to program!
– Recommend Python or Java
• Ability to complete the Security Testing Checklist
Basic tools
– NMAP
– NetCat
– TCPDump/Wireshark
– Metasploit Framework
– Burpsuite Pro
– Nessus
– Cenzic Hailstorm
– Core Impact
– Firefox plugins
– Backtrack/Samurai WTF
– SQLmap
– Command line tools
– Many, many more
Best Practices
• Run tcpdump when testing, especially with tools
• Use Burp as a proxy when browsing
• Disable firewall and A/V on attack system (and no PII)
• Start writing the report as you go
• Ask the project what is important and what needs to be protected
• Take notes as you test, include dates
• Save logs and checklist (especially burp logs)
• Update tools before the test begins
• Tune your tools
• Always verify results – especially verify results discovered by an automated tool with manual verification
• Stick to Mapping -> Discovery -> Exploit
• When in Discovery phase, don’t get side-tracked into exploits
– 5 attempts or 5 minutes
• Break vulnerabilities down until you hit root cause(s)
Ideas for Future Research
– ASP.net & Powershell
– Web Services
– Cloud Computing
– Mobile
– Remediation recommendations
– Design input
– Attack analysis and forensics
– Code reviews
– Tool “tuning”
– HTML5

Becoming a better pen tester overview


Editor's notes

  1. Often we don’t do exploitation and post-exploitation
  2. Who has done this in a test?
  3. If you don’t have these, get them quick!
  4. Knowing your tools makes a huge difference in what you might find
  5. Virtual desktop – 1) admin 2) Firefox 3) Burp 4) Wireshark 5) Chrome 6) Music 7-10) Misc