Penetration testing reporting and methodology
Rashad Aliyev
PhD. Lourdes Peñalver
Cordoba, Spain
25.09.2015
Keywords: PenTest, Penetration Testing, Network testing, bug bounty, InfoSec, Cyber Security
What is Penetration testing
* CEH Materials
Why Penetration testing?
Security Audit: A security audit just checks whether the organization is following a set of standard security policies and procedures.
Vulnerability Assessment: A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication of whether the vulnerabilities can be exploited or of the amount of damage that may result from the successful exploitation of a vulnerability.
Penetration Testing: Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates whether the vulnerabilities in the system can be successfully exploited by attackers.
Audit vs Penetration testing?
Audit
• Check set of standards
• Create report by standards
Penetration testing
• Find vulnerabilities
- Foot printing
- Exploiting
• Generate report
Types
• Internal, External(1)
• Blackbox, Whitebox(2), Greybox(3)
• Announced, Unannounced(1)
• Passive, Active scans
• Automated, Manual(1)
1. CEH course modules
2. A Penetration Testing Model. Federal Office for Information Security (BSI), Bonn. P14
3. Using w3af to achieve automated penetration testing by live DVD/live USB. P1-2
Methodologies
• Planning, Discovery, Exploiting, Reporting*
• Preparation, Anonymity, Foot Printing, Analysis, Exploiting, Reporting, Advisory**
• Preparation, Reconnaissance, Analysis of Information / Risks, Active Intrusion Attempts, Final Analysis / Clean-Up***
• Planning, Discovery, Attack, Reporting****
* A. Bechtsoudis, N. S. Aiming at Higher Network Security Through Extensive Penetration Tests. IEEE Latin America Transactions, 2012, 10, 1752-1756
** Parvin Ami, A. H. Seven Phrase Penetration Testing Model. International Journal of Computer Applications, 2012, 59, 16-20
*** Study A Penetration Testing Model. Federal Office for Information Security (BSI), 2003
**** Scarfone, K. A.; Souppaya, M. P.; Cody, A. & Orebaugh, A. D. SP 800-115. Technical Guide to Information Security Testing and Assessment. National Institute of Standards and Technology, 2008
Used Methodology
Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access.*
* SANS Institute, Penetration Testing: Assessing Your Overall Security Before Attackers Do
The Problem
× Format: There is no standard format for penetration testing.
× Compare: There is no system for comparing two different reports.
× Systematize: There is no method to help us write reports and generate one.
Report format - Styles
• American Psychological Association (APA) Style [1]
• Page design, Document Control, List of Report Content, Executive Summary, Methodology, Detail findings, References, Appendices, Glossary [2]
• A Cover Sheet, The Executive Summary, Summary of Vulnerabilities, Test Team Details, List of the Tools Used, A copy of the original scope of work, The main body of the report, Final delivery [3]
[1] Thomas Wilhelm. Professional Penetration Testing. Syngress, 2009.
[2] Mansour A Alharbi. Writing a penetration testing report. SANS Institute, April 2010.
[3] Mike Sheward. The art of writing penetration test reports. January 2012.
Report format – Our Idea
– For top management
• Title page
• Executive Summary
– For technical workers
• Title page
• Executive Summary
• Test Team Details
• Summary of Vulnerabilities
• References
• Glossary
Idea
01 Planning
- Penetration tests
02 Foot printing
- Upload scan result
- Send bug
- View results
03 Exploiting
- Send attack result
04 Reporting
- Generate Report
- Compare Reports
Site for Penetration testing
www.penteston.com
- Planning
- Foot printing
- Exploiting
- Reporting
01. Planning
01 Test name
02 Scope of Work
03 Contract or NDA
04 Conduct (Whitebox, Greybox, Blackbox)
05 Type (Internal, External, Application-layer, Network-layer)
06 Team detail
02. Foot Printing
Scan report
- Multiple alerts
- From one of scanners
- Upload file
Alert
- Manual send alert
- Detailed information about alert
03. Exploiting
01 Alert Level - Low, Medium or High level of alert
02 Detailed information about alert
04. Reporting & Compare
Detailed report for developers
Short key information for managers
Report for managers
Archive
Staff
Compare (for comparing reports)
Style
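The report comparison described in these slides, sketched as an added example (not code from the slides or from the site they describe). It assumes each alert is stored with a level of Low, Medium or High as on the Exploiting slide; the `target` and `title` fields, the function names and the sample data are hypothetical.

```python
from dataclasses import dataclass

# Alert levels as listed on the "03. Exploiting" slide.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

@dataclass(frozen=True)
class Alert:
    target: str      # hypothetical field: host or URL the alert applies to
    title: str       # hypothetical field: short name of the issue
    level: str       # "Low", "Medium" or "High"

    def key(self):
        # Same target + same issue = same finding; normalise case and whitespace.
        return (self.target.strip().lower(), self.title.strip().lower())

def index(alerts):
    """Map finding key -> highest-level Alert, collapsing scanner duplicates."""
    out = {}
    for a in alerts:
        if a.level not in LEVELS:
            raise ValueError(f"unknown alert level: {a.level!r}")
        cur = out.get(a.key())
        if cur is None or LEVELS[a.level] > LEVELS[cur.level]:
            out[a.key()] = a
    return out

def compare_reports(old, new):
    """Return findings that are new, resolved, or changed level between reports."""
    o, n = index(old), index(new)
    return {
        "new": sorted(k for k in n if k not in o),
        "resolved": sorted(k for k in o if k not in n),
        "changed": sorted((k, o[k].level, n[k].level) for k in o.keys() & n.keys()
                          if o[k].level != n[k].level),
    }

# Constructed sample data (not from any real test).
REPORT_A = [
    Alert("app.example.test", "Missing security headers", "Low"),
    Alert("app.example.test", "SQL injection in search", "High"),
    Alert("10.0.0.5", "Outdated TLS configuration", "Medium"),
]
REPORT_B = [
    Alert("APP.example.test ", "missing security headers", "Medium"),
    Alert("10.0.0.5", "Outdated TLS configuration", "Medium"),
    Alert("10.0.0.5", "Default credentials on admin panel", "High"),
]

print(compare_reports(REPORT_A, REPORT_B))
```

A comparison like this only works when both reports use the same finding identity and the same level scale, which is the standard format the slides argue for.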
Future Work
- Open beta testing (in process)
- Start analyzing for new features (in process)
- Get new features (in process)
- Finish small works on project (in process)