					                        ETHICAL HACKING
         THE INSIGHT OF PENETRATION TESTING


                                    information security research and development




                “INFORMATION SECURITY DAY 2010” SEMINAR
               INIXINDO - YOGYAKARTA, 07th OF OCTOBER 2010

Presented by :
Gildas Deograt Lumy, CISA, CISSP, ISO27001 LA
Komunitas Keamanan Informasi (KKI)
about myself

    Consultant, Auditor, Pentester, Researcher
    CISSP, CISA, ISO27001 Lead Auditor
    Professional Experiences
      ●     18 years in IT as Developer, Systems Analyst, Technical Support, Infrastructure
            Engineer, Manager and Consultant
      ●     13 years of direct experience (3 years of worldwide experience) in Information Security
    Communities Founder and Coordinator of
      ●     Komunitas Keamanan Informasi (KKI)
      ●     Information Security Professional Network (ISPN)
    Trainer
      ●     CISSP Common Body of Knowledge (Former Official (ISC)2 Instructor)
      ●     ISO27001 Implementation
      ●     Hacking Techniques & Defense Strategy
    Writer
      ●     Information Systems Security Management Handbook (contributor)
      ●     CHIP, Infokom, Think SecurityFirst, etc
          Division of Research & Development                                The Insight of Penetration Testing
                                                 WARNING:
                                     NOT TO PUT YOU IN JAIL!




WARNING !!!




  “Knowledge is the greatest power”




WARNING !!!




    “With Great Power, Comes Great
           Responsibilities”
                 ~ Uncle Ben, Spiderman



WARNING !!!




                 Ethics vs Legal:
          Pentest must be 100% legal!




WHAT IS A PENETRATION TEST?

    Simulating Attacks
      ● To evaluate the effectiveness of information security measures
      ● To determine feasibility of an attack
      ● Target: Process, Technology, People
    By authorized (and trusted) person / people
      ● Need formal (written) assignment from owner to be 100% legal




TYPES


    Black-Box / Zero-Knowledge
      ● Team has no relevant information about target
      ● Typically performed by independent third party

    White-Box / Full-Knowledge
      ● Performed by team with intimate knowledge of target environment

    Grey-Box / Partial-Knowledge
      ● Team may have some information about the target




phases


    Discovery
        Identify and document information about target
    Enumeration
        Gain more information with intrusive methods
    Vulnerability Mapping
        Map environment profile to known vulnerabilities
    Exploitation
        Attempt to gain user and privileged access
    Proliferation
        Maintain access
    Leaves Trace (note: in contrast, attackers do trace elimination)

    [Diagram labels beside the phase list: Vulnerability Assessment; Penetration Testing]



benefits


     pentest
     As additional fuel to improve infosec strategy
       ● To get (more) management support
       ● To raise employees' awareness
       ● To prove to IT Team
     To comply with regulation (Banking Industry)

     non-whitebox pentest                      vulnerability assessment
     Identify some vulnerabilities             Identify all vulnerabilities
     IT risks approach                         Business (and IT) risks approach
     Proof of Concept (PoC)                    Proven Theory
         “Seeing is believing”


the danger


    Potentially disturbs IT operations
    Allows external people to understand the vulnerabilities better than
     the owner and IT Team
    How to get a trusted pentester?
      ● Someone who has evil thoughts and a good heart
    Potentially misleads the owner or regulator
      ● 90% of scope of work does not include the human factor
      ● Who am I to judge that a system is impenetrable?




                                     WHAT DOES A PENTESTER NEED?




1st MINDSET




                                          GLOBAL VIEW
                                THINK OUT OF THE BOX
                            THERE IS NO 100% SECURE


2nd IN-DEPTH knowledge




3rd TOOLS




 Note:
 Sometimes we need to develop our own tools.

4th EXPERTISE


    It must be your lifetime passion!
    Continuous...
      ● Knowledge update
      ● Research
      ● Exercise
          Build and use our own hacking lab.




5th BE TRUSTED




               THANK YOU
                                       information security research and development




awareness portal http://tsf.web.id

twitter: http://twitter.com/xecureit

yahoogroups mailing list: keamananinformasi

facebook group: komunitas keamanan informasi

linkedin group: information security professional network
