pen-testing ebook pages

OpaqueSecurity.com (302) 566-5482

How To Series

Find out why there’s a white hat on page 9

Upload: jeffery-k-gilchriest

Post on 19-Aug-2015



OPAQUE SECURITY HOW TO SERIES MAKING SENSE OF PENETRATION TESTING

Page 2

JEFF GILCHRIEST, Business Strategy Consultant

CONTENTS

Introduction 3
So What Should You Look For? 5
The Plan 7
Who Should Know? 8
The Basic Types of Testing 9
What is the Deliverable After The Test? 10
Summary 11

FIRST: Determine if You Think You Need Penetration Testing

Are your reasons like these?

NO

I have no employees, ...or
Only I do the banking, ...or
We don’t use the internet, ...or
We don’t hold confidential information

YES

Industry Regulations require it
Financials can be accessed on our network
The web interfaces to our hardware controls
We have never really tested our security
Hackers are now a threat
We are a hospital or Med Group.

Page 3

Intro

The term Hacker has become a common word in our vernacular. Vicious cyber attacks occur on a daily basis against governments, utilities, military, banking/financial institutions, communications, logistics, medical and health organizations, profit and non-profit alike, worldwide. Every venue, private, public, or personal, with any type of network, communication or power interface is subject to the destructive hand of the Hacker. That includes people like you and me, who often have our email compromised or, worse, our identity stolen.

This is where Opaque Security comes in. We are Certified Ethical Hackers; a term not yet common in our language, but very much a part of the frontline defense against malicious attacks threatening our society. Certified Ethical Hackers have actually been around for well over a decade. The National Institute of Standards and Technology created industry protocols and practices years ago for ethical hackers. Many top universities and schools offer postgraduate and doctoral degrees in cybersecurity, and there are multiple certifications available. We are a valued partner in government and the private security industry.

Making certain the team that tests you is fully prepared and qualified is your principal goal. Everything depends on it.

Page 4

Today, many companies have IT departments or use contracted managed IT companies to handle their computer and communication networks. They manage services you’re familiar with: hardware installation and management; software setup, deployment and troubleshooting; network maintenance; antivirus and malware management; email setup, maintenance and management; etc.

Opaque Security’s Pen-Testers are an important subset of IT professionals. We provide a number of valued services that IT departments generally cannot.

The Penetration Testing group at Opaque discovers vulnerabilities in physical security systems (guns, guards and gates, etc.) and Intelligent Security Systems (corporate networks, communications, wireless, social media and applications are examples). Once vulnerabilities are found, we exploit those areas to the extent that unauthorized hackers would, without damaging systems or the reputations of our clients. We emulate the full capabilities of the contemporary hacker, ranging from the actions of a teenage hacker on an iPad all the way up to the actions of a full “nation-state” attack (if given enough resources). The difference is that we don’t steal information or assets, and we perform our audits in concert with our client.

LOOK FOR:

Ask to see that their liability insurance is in place. There is special cyber-security insurance for penetration testing.

Page 5

We are advocates of IT Departments and do not perform the same duties as our fellow professionals. Our skill sets are much deeper and more refined in certain disciplines. Our areas of expertise are necessary to remain several steps ahead of the threats facing your business. These skills are only acquired after years of hands-on experience.

So What Should You Look For?

First, start by looking at their credentials:

Are they all certified?

All Ethical Hackers should be Certified Information Security Professionals (CISSP). This is a difficult certification to attain and requires years of actual experience and passing numerous exams and peer reviews.

The agency should also offer several certified experts in a variety of specialties. Equally important as the CISSP designation are:

Certified Ethical Hacker (CEH)
Professional Security Tester (OPST)
Offensive Security Wireless Professional (OSWP)
GIAC Certified Penetration Tester (GPEN)
Counterintelligence Fundamentals for Information Warfare (CIFIW)

Page 6

Certifications ensure a team is qualified to safely test your network, with near-zero risk of shutdown, and with a robustness that challenges the network at the level of a real cyber attack.

The best testers have the depth of experience to:

A.) Fully exploit vulnerabilities without risking a network crash. (Ask how they handle system crashes and listen for their response.)

B.) Provide a well-conceived set of protocols that keep you protected. They openly share their plan of action before, during and after the testing process. You should know where the pen-testers are going, when they are active and what the plan is. Points of contact need to be clearly assigned prior to engagement. The best pen-testers keep the client fully involved in critical decisions to make sure critical systems are not endangered.

CAUTION:

Many penetration testing companies limit themselves to one of two types of pen-testing approaches:

1.) They run their test roughshod with little regard to maintaining system integrity (your system could reboot and you’d lose operational control). This usually happens with less experienced teams.

OR 2.) The testers are timid and avoid challenging your system’s security. While this certainly maintains an operational system, it does not provide a realistic snapshot of how your network sustains itself against a vicious outside threat.

Page 7

The Plan:

Companies have various degrees of planning they share with the client. The worst, of course, is no planning at all. Some companies find it adequate to communicate with voicemail or short messages when testers challenge a network or facility. Such shortsighted practices can lead to a host of problems ranging from full-scale staff panic to unnecessary involvement of law enforcement and financial systems alerts. As the customer, you have the option to selectively alert key personnel of the penetration process and mitigate problems.

Just choose carefully.

This brings up a key reason why Penetration Testing is done. We test our systems not only to find weaknesses so we can fix them, but also to determine how fast our teams react to a breach. You need to know if they report the breach to upper management, and if the established protocols are working as designed.

Give the testers a trusted and discreet Point of Contact liaison in case questions arise.

Page 8

Who Should Know?

If we allow too many people to have knowledge of an on-going penetration test, the results of the test could be skewed. This is a careful balancing act, since human nature causes people to become more alert and diligent when they KNOW their work is being scrutinized. Remember, prior to a test, a certified ethical hacker must report how, when, and where they are going inside a client system.

If staff is somehow tipped off to an upcoming test, some internal players may actively sabotage a legitimate test to avoid embarrassment. How accurate would you suppose the results of a “leaked” penetration test would be when compared to a single-blind penetration test that was kept secret? Not very accurate.

Generally speaking, the fewer people with prior knowledge of a test, the more objective and useful the results will be.

So what could be “leaked” in an upcoming test? The IP addresses used by the ethical hackers or the time frame of the test are a few examples. The Pen-Testing Planning Document should outline every activity, relative time and entry point used for the testing. A Planning Strategy Document determines the extent of the testing, the methods used, the personnel assigned, and the level of testing performed. The document is provided to the owner, chairman or board members beforehand and is extensive and detailed.

Page 9

The Basic Types of Testing:

The typical categories are commonly referred to as:

Black hat – This test category follows an external approach to the company’s assets, and the testers start off without PRIOR KNOWLEDGE of the infrastructure to be tested. Attacks are conducted to simulate the capabilities of an external hacker or cyber warfare attack. These attacks are the type commonly launched by skilled teen computer hackers on web-ready PlayStations, and range all the way up to the massive attacks launched by a Nation-State.

White hat – This category includes individuals who threaten from within an organization. Its directed attacks simulate what happens when a malicious “insider” wants to do damage to a company. Unlike the Black Hat, the White Hat Tester will have some knowledge of the facility prior to testing. The amount and kind of knowledge is usually discussed with the client ahead of time. But what’s an “insider”? An insider could be an agitated employee or maybe a subcontractor. It is someone with visual access to computers or network connections.

The White Hat might mimic the unauthorized activity of a person wanting to “LEAK” sensitive information, embezzle funds, or damage your reputation. Talented pen-testers attempt to exploit weaknesses in the “soft” enforcement of policies and procedures, which is a common vulnerability. An example of a soft target is an entry door with a proximity card-reader. People can be convinced to let someone inside who forgot their card but who looks friendly, even though it is against policy to do so.

Gray Hat  –  This category is a blend of external and internal attacks and uses techniques applied from outside a facility in order to gain entrance. These methods seek to overcome the physical and intelligent barriers protecting entry points to the network or systems. The options you choose can include a variety of approaches with different manpower and resource requirements. You should choose the approach that meets the threats to your most critical systems. A phased plan is commonly deployed.

Page 10

WHAT IS THE DELIVERABLE AFTER A TEST?

After the tests are completed, a preliminary report is provided to the client (usually within a few weeks) outlining the critical issues found. This report covers key discoveries exposed during the test and some preliminary conclusions.

A second report follows that is more comprehensive in nature, and covers the precise activities and results of the tests. This document includes internal screenshots of computer applications to show the level of penetration, computer code and settings, hardware interfaces, physical barriers, locks, facility photos, IP addresses and time stamps, error codes, passwords, usernames, files uncovered, etc.

The reports are substantial and provide the evidence necessary to correct any security issues or network problems. The reports should be complete enough for your in-house IT department or outside managed IT group to reconstruct any breach or point of failure. You should be very confident with the quality and depth of information contained in the reports. As the client, you should know what the areas of weakness are, and what must be done to correct any problems.

Page 11

SUMMARY:

Penetration Tests are only a snapshot in time of the strength of your physical and network security. Most corporations test their systems at least once a year and many do them more often. How often you choose to have a test performed depends on how much risk you are willing to assume.

We hope you are always safe.

Call us: (302) 566-5482

or

email: [email protected]

for a consultation