penetration testing
DESCRIPTION
Penetration Testing. Matthew Leonard Troy Matthews COP4910. Overview. Vulnerability Testing How Vulnerability Scans Work What is Penetration Testing? Comparing The Two Need for Pen-Testing Process For Pen-Testing Planning Discovery Attack Reporting. Vulnerability Assessment. - PowerPoint PPT PresentationTRANSCRIPT
Penetration Testing
Matthew LeonardTroy MatthewsCOP4910
OverviewVulnerability TestingHow Vulnerability Scans WorkWhat is Penetration Testing?Comparing The TwoNeed for Pen-TestingProcess For Pen-Testing
◦Planning◦Discovery◦Attack◦Reporting
Vulnerability AssessmentAka VulnScanAble to detect vulnerabilities on a
wide range of systemsAssessments conducted through
Vulnerability ScansNon-intrusiveReport focus on what
vulnerabilities exist and how they can be mitigated
How do Vulnerability Scans work?Uses a database of well know
exploitsBegins with a specified range of
hostsDetects open TCP and UDP ports
within range, and determine which services are running on each host
Runs vulnerability checks based on the information gathered for each host
Creates report of exploitable vulnerabilities and remediation steps
What is Penetration Testing?Aka PenTestingEvaluate security Simulating an attack against a
vulnerabilityCompromises systems to show
potential threatsReports focus on what data was
compromised and how
VulnScan vs. PenTest
Vulnerability Scan
Penetration Test
How often to run
Monthly; before equipment is added to a network
Yearly
Reports Comprehensive list of vulnerabilities for each host. Remediation steps
Identifies what data was compromised and how
Performed by
In house staff Independent outside service
Need for Pen-testingData is a company’s most
important assetPerform external security checkIdentify holes in systemHelps justify need to fixFix before system goes live
Process of Pen-testing
PlanningRules for testingFinal management approvalTesting goals are setNo testing occurs in this stage
DiscoveryStarts actual system testingPort ScanningVulnerability analysisSystem is compared against
vulnerability databasesAutomated scanner can do this
AttackExploit vulnerabilities found from
testsExploits fall into several
categoriesKernel FlawsBuffer OverflowsRace ConditionsTrojansSocial Engineering
ReportingOccurs simultaneously with other
phasesTest plans, permission, rules of
engagement (Planning)Written logs, description of
vulnerabilities, risk ratings, (optional) guidance to fix (Discovery)
Attack results, how it was done, impact on system (Attack)
Referenceshttp://www.pentest.com/overviewMesoploit Attacks by David
Kennedywww.offensive-security.com/
pentest
Penetration Testing
Matthew LeonardTroy MatthewsCOP4910