TRANSCRIPT
Penetration Testing Training Day
Penetration Testing Methodology
Mike Westmacott, Security Consultant, IRM plc, Chair BCS YPISG
How it used to be
• http://youtu.be/AByemfK_qD4
• The Russian Business Network is a multi-faceted cybercrime organization, specializing in, and in some cases monopolizing, personal identity theft for resale.
How it is now
Threats and Threats
From BAU
• Activities that form part of a business create a risk to the organisation
• Internal (process) and external (product)
• Threat actor unknown
Specific Threats
• APTs
Incident Response
• Capture evidence
• Document and eliminate threat
APTs – real threats
Incident Response
Hacking As Profession
• Legitimacy is key
• Permission is essential
• Damage is not an objective
• Provide a service
• Improve industry
The Engagement Lifecycle
• Client understands they need to gauge risk
• Requests tenders from consultancies
• Selects security provider
• Scope of work is determined
• Testing performed
• Report written
• Client debriefed
Job Scoping
• What risks concern the client?
• PII, PCI, reputational…
• What assets are there?
• How do they fit into the business?
Project Management
• Multiple clients, multiple consultants
• Varied job locations
• Clearance requirements
• Technical requirements
• Certification requirements
• Resource allocation is difficult
Testing - Onsite
The fun begins! …. Well…
• Pre-engagement discussions?
• Are pre-requisites in place?
• Where’s the site?
• Where’s the system?
• Is it ready to test?
• Where do I eat?
• Where are the loos?
Testing - Onsite
Finally! Laptop out :)
• Stop – look around
• Testing should be discreet
• Check the findings
• Record them in a log
• Verify them again
• Capture evidence
• Don’t get too excited…
Discussing Findings
Softly softly catchy monkey
• Take care not to insult anyone
• Developers take great pride in their work
• You may have just destroyed it
• They have to fix it
• Now you’re not friends
• And you’re there all week
Client Debriefing
• Discuss findings
• High risk issues?
• Who is attending?
• Are there process issues?
• Development problems?
• Chance to upsell!
• Retests
• Secure code reviews
Report Writing
• Write the report whilst testing
• Never enough time
• Be succinct
• Provide detailed steps
• Show evidence
• Give recommendations
• Research references
• Executive summary
• It’s what clients pay for
QA, Delivery, and Closure
• Peer review of work produced
• Key to good quality
• Junior staff review first
• Senior staff review last
• Report is finalised to prevent tampering
• Issued securely – sensitive!
• Ensure records of work are maintained