Penetration testing
Article 32 requires that the controller and the processor implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
This requirement tells us that regular security testing, including penetration testing, vulnerability assessments and security audits, is a GDPR requirement for achieving compliance. A penetration test can test the effectiveness of encryption controls, as well as the level of confidentiality, availability and integrity of a data processing system.
Conclusion
Penetration testing is an important part of GDPR compliance and will also identify risks associated with data breaches involving the personal data of EU residents. Currently, non-compliance with the GDPR can lead to fines of up to €20 million or 4% of an organisation's annual worldwide gross revenue. These regulations and penalties also apply to companies outside the EU, which may include your organisation.
Core Sentinel can help you meet the GDPR's security testing requirements. Our penetration tests will also mitigate the risk of data loss from a security standpoint by identifying weaknesses in your systems that could lead to compromise. Call today for a free quote.
Black Box vs. White Box Testing: Key Differences Every Organisation Should Know
9 June 2017
In today's high-tech world, nobody is truly immune to cybercrime. Whether you are a large corporation, government entity, non-profit organisation, startup or individual, you are a potential target. As attack tools become more sophisticated and ever easier to find, the number of daily attacks continues to grow.
So you think hackers aren't interested in you because you are too small a target? Think again. If you are connected to the internet, you are at risk!
What can you do?
One answer is penetration testing, which simulates a real-world attack in order to identify and eliminate vulnerabilities that could be leveraged during an attack. There are, however, two main approaches:
- White box penetration testing
- Black box penetration testing
There is also grey box testing, which is a combination of the two.
The following sections will help you understand how these tests differ from one another, their pros and cons, and how to leverage each technique for your protection.
What are black box and white box testing?
Black box testing and white box testing are two different approaches to penetration testing, each with its own set of procedures but with a common goal: to uncover vulnerabilities in web and mobile applications, networks or computer systems that a hacker could infiltrate and exploit. The main dividing line between the two techniques is whether or not the penetration tester has prior knowledge of the internal infrastructure, source code and functionality of the target web application, network or computing device they are looking to exploit.
What are the differences between the two techniques?
White box testing is when the penetration tester works with prior knowledge of the design, structure and source code of the network or web application before the test.
Black box testing, on the other hand, is when the tester has absolutely no knowledge of the inner workings or structure of the system, device or application under test. Both methods have their pros and cons. Let's look at them in more detail.
White box testing
Also known as glass box or clear box testing, the scope of knowledge required for white box penetration testing may include:
- The application's source code;
- Network protocols;
- Diagrams or design information; and
- IP addresses.
White box testing is low-level testing, as it digs into the inner workings of an infrastructure or web application. For this reason the test can be performed alongside a secure code review, or source code review, in order to identify vulnerabilities at the code level before they go live.
Being intimately familiar with the infrastructure, white box penetration testers are able to collect detailed information and gain deep insight, allowing them to systematically identify and expose bugs, flaws and vulnerabilities in the target system.
Advantages of white box testing:
- Thorough, in-depth testing
- Saves time, since the important details are already known
- Extensive testing of areas (including code efficiency and program flow) that would be inaccessible through black box testing
Disadvantages of white box testing:
- The attack has no semblance of realism
- The tester thinks and acts differently from an uninformed attacker
Black box testing
Black box testing is more of a high-level type of test, as it is done from the perspective of an attacker or end user, without any prior information about the internal functionality of the target application. Because the pentester has no prior knowledge of the target system, the scope of the test can also be much broader and far less specific than white box testing.
Black box penetration testing has several facets, which can extend to:
- Network scanning
- Remote access exploitation
- Social engineering
- Server-level vulnerabilities
All of this brings a major advantage, as it simulates a real-world attack.
Other advantages of black box testing include:
- Simulates a real-world attack scenario.
- Unbiased results, because the tester works independently of the developer.
- The tester approaches the target infrastructure without any prior knowledge, just like an attacker.
- Makes it easier to identify weak areas in functional performance, or low-hanging fruit.
Disadvantages of black box testing:
- Testing every possible program path can be time-consuming, potentially leaving certain scenarios untested due to time constraints.
- Some scenarios are extremely difficult to test without a solid plan or clear specifications.
Conclusion
There is no real right or wrong decision when choosing between a black box and a white box penetration test. The method chosen will depend on the individual scenario and the business requirements in each specific circumstance. Typically, a white box penetration test is performed first, with a black box penetration test performed after the issues found in the white box test have been resolved. This allows residual vulnerabilities that cannot be detected with a white box approach to be identified and fixed.
Core Sentinel is a world-leading team of cyber security professionals. When you commission us for a penetration test, we always match our strategy to your specific requirements, scenarios and budget. This way we can help identify and resolve security issues in the most direct, efficient and cost-effective manner.
Every organisation's needs are different. Let us know if you have questions about how you can benefit from white box and black box testing. We are always ready to answer any questions you may have.
What is PCI?
Payment Card Industry Data Security Standard (PCI-DSS), or just PCI for short, is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
The PCI DSS standard is administered by the PCI Security Standards Council (PCI-SSC), an independent body set up by the major credit card brands (Visa, MasterCard, American Express, Discover and JCB).
NOTE: It is these credit brands which are responsible for enforcing compliance, and not the PCI-SSC.
What is the penetration testing requirement for PCI?
PCI DSS Requirement 11.3 specifies that all organizations who store, process or transmit cardholder information must include penetration tests as part of their information security program.
PCI Penetration tests are required for both application and network components of the Cardholder Data Environment (CDE), the entire CDE perimeter, and any critical component which may impact the security of the CDE. This includes testing to ensure the proper segmentation of the CDE from out of scope systems.
The CDE is defined by PCI-DSS as;
“the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data”
The requirement also states that a penetration testing methodology must be implemented and based upon an industry accepted model such as NIST SP 800-115, OWASP Testing Guide, Open Source Security Testing Methodology Manual (“OSSTMM”), PTES or PTF.
PCI DSS Requirement 6.6 requires that public-facing web applications shall:
“address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.”
PCI Requirement 6.6 can be achieved by:
“Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.”
Who can perform penetration testing for PCI?
According to Penetration Testing Guidance from the PCI Security Standards Council, the penetration tester must be both qualified and organisationally independent.
Organisationally independent means that the pen tester must not be associated in any way with either the implementation of the PCI environment, or its day to day operations, management, or support.
For the purpose of a qualified penetration tester, PCI DSS does not set a requirement for this, but recommends guidelines such as certifications and past experience of the penetration tester.
PCI references the following penetration testing certifications as indicators of skill level required for PCI penetration testing:
- Offensive Security Certified Professional (OSCP)
- Certified Ethical Hacker (CEH)
- CREST Penetration Testing Certifications
- GIAC: GPEN, GWAPT, GXPN
How often do I need to perform pen testing for PCI?
According to PCI requirement 11.3, penetration testing must be performed at least annually or whenever there is a significant change anywhere in the CDE.
PCI penetration testing guidance gives examples of what is considered a significant change, such as an infrastructure or application upgrade or modification, or new system component installations. But PCI-DSS does not prescribe exactly what defines a significant change, as this varies based on the risk assessment of the environment in question and its configuration.
- If the change could impact the security of the network or allow access to cardholder data, it may be considered significant.
What About Vulnerability Assessments for PCI?
PCI Requirement 11.2 reads;
“Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).”
There is a big difference between internal and external vulnerability scanning for PCI:
For internal vulnerability scans, you must verify that four quarterly internal scans took place in the past 12 months and that rescans occurred until all “high-risk” vulnerabilities as defined by requirement 6.1 were resolved.
External scans, like internal ones, must be done at least quarterly. The difference is that the external scan must be done by an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).
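An added example, not from the original article, that checks scan records against the 11.2 cadence just described: at least four internal and four external scans in the past 12 months, internal rescans until high-risk findings are resolved, and external scans run by an ASV. The scan records are constructed, and the 92-day maximum gap is this example's reading of "quarterly", not a figure from the standard.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

LOOKBACK_DAYS = 365   # the 12-month window an assessor looks back over
REQUIRED_SCANS = 4    # four quarterly scans expected in that window
MAX_GAP_DAYS = 92     # assumption: longest gap still counted as "quarterly"


@dataclass(frozen=True)
class ScanRun:
    scan_date: date
    kind: str                 # "internal" or "external"
    open_high_risk: int = 0   # high-risk findings (Req. 6.1) still open after this scan
    by_asv: bool = False      # True when an Approved Scanning Vendor ran the scan


@dataclass
class CheckResult:
    cadence_ok: bool
    rescan_ok: bool
    asv_ok: bool
    issues: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return self.cadence_ok and self.rescan_ok and self.asv_ok


def _cadence_ok(scans, window_start, as_of, label, issues):
    """At least REQUIRED_SCANS scans inside the window, and no stretch longer than
    MAX_GAP_DAYS between the window start, each scan, and the assessment date."""
    dates = sorted(s.scan_date for s in scans if window_start <= s.scan_date <= as_of)
    ok = True
    if len(dates) < REQUIRED_SCANS:
        issues.append(f"{label}: only {len(dates)} scans in the last {LOOKBACK_DAYS} days")
        ok = False
    checkpoints = [window_start, *dates, as_of]
    for earlier, later in zip(checkpoints, checkpoints[1:]):
        gap = (later - earlier).days
        if gap > MAX_GAP_DAYS:
            issues.append(f"{label}: {gap}-day gap between {earlier} and {later}")
            ok = False
    return ok


def check_requirement_11_2(scans, as_of):
    """Evaluate cadence, rescan-to-resolution and ASV rules; collect human-readable issues."""
    issues = []
    window_start = as_of - timedelta(days=LOOKBACK_DAYS)
    internal = sorted((s for s in scans if s.kind == "internal"), key=lambda s: s.scan_date)
    external = sorted((s for s in scans if s.kind == "external"), key=lambda s: s.scan_date)

    cadence_ok = _cadence_ok(internal, window_start, as_of, "internal", issues)
    cadence_ok = _cadence_ok(external, window_start, as_of, "external", issues) and cadence_ok

    # Rescans: every earlier scan that left high-risk findings open is followed by a later
    # scan, so the rule can only fail when the most recent internal scan still shows some open.
    rescan_ok = True
    if internal and internal[-1].open_high_risk:
        last = internal[-1]
        issues.append(f"internal scan on {last.scan_date} left {last.open_high_risk} "
                      "high-risk findings open and no rescan has been run")
        rescan_ok = False

    # External scans only count for PCI when performed by an ASV.
    asv_ok = True
    for scan in external:
        if not scan.by_asv:
            issues.append(f"external scan on {scan.scan_date} was not run by an ASV")
            asv_ok = False
    return CheckResult(cadence_ok, rescan_ok, asv_ok, issues)


# Constructed sample data for a fictional 2017 assessment (not real scan records).
AS_OF = date(2017, 12, 31)
COMPLIANT_SCANS = [
    ScanRun(date(2017, 1, 20), "internal", open_high_risk=3),
    ScanRun(date(2017, 2, 10), "internal"),                  # rescan after remediation
    ScanRun(date(2017, 4, 18), "internal"),
    ScanRun(date(2017, 7, 12), "internal", open_high_risk=1),
    ScanRun(date(2017, 8, 1), "internal"),                   # rescan after remediation
    ScanRun(date(2017, 10, 5), "internal"),
    ScanRun(date(2017, 1, 25), "external", by_asv=True),
    ScanRun(date(2017, 4, 20), "external", by_asv=True),
    ScanRun(date(2017, 7, 15), "external", by_asv=True),
    ScanRun(date(2017, 10, 10), "external", by_asv=True),
]
NONCOMPLIANT_SCANS = [
    ScanRun(date(2017, 1, 20), "internal", open_high_risk=3),
    ScanRun(date(2017, 2, 10), "internal"),
    ScanRun(date(2017, 4, 18), "internal"),
    ScanRun(date(2017, 7, 12), "internal"),
    ScanRun(date(2017, 10, 5), "internal", open_high_risk=2),  # never rescanned
    ScanRun(date(2017, 1, 25), "external", by_asv=True),
    ScanRun(date(2017, 4, 20), "external", by_asv=True),       # Q3 external scan is missing
    ScanRun(date(2017, 10, 10), "external", by_asv=False),     # run in-house, not by an ASV
]

if __name__ == "__main__":
    for name, scans in (("compliant", COMPLIANT_SCANS), ("non-compliant", NONCOMPLIANT_SCANS)):
        result = check_requirement_11_2(scans, AS_OF)
        print(f"{name}: compliant={result.compliant}")
        for issue in result.issues:
            print("  -", issue)
```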
Summary
Core Sentinel’s penetration tests comply with both PCI requirement 6.6 for web applications, and requirement 11.3 for internal/external infrastructure.
Our penetration testing consultants meet both the experience, and the certification recommendations as set out in the PCI SSC’s Penetration Testing Guidance. We are able to assist you with both PCI penetration testing, and PCI vulnerability scanning.
Call one of our OSCE / OSCP qualified consultants today to discuss how you can achieve the penetration testing requirements as set out by the PCI Security Standards Council.
References
PCI Penetration Testing Guidance
https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
PCI DSS Quick Reference Guide
https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
CHAPTER 1: GETTING TO KNOW PENETRATION TESTING
A. WHAT IS PENETRATION TESTING?
Penetration Testing, pen testing, or ethical hacking is the process of assessing an application or infrastructure for vulnerabilities in an attempt to exploit those vulnerabilities, and circumvent or defeat security features of system components through rigorous manual testing. Those vulnerabilities may exist due to misconfiguration, insecure code, poorly designed architecture, or disclosure of sensitive information among other reasons. The output is an actionable report explaining each vulnerability or chain of vulnerabilities used to gain access to a target, with the steps taken to exploit them, alongside details of how to fix them and further recommendations. Each vulnerability discovered is assigned a risk rating which can be used to prioritise actionable remediation tasks.
B. WHAT ARE THE BENEFITS OF PENETRATION TESTING?
Penetration testing will reveal vulnerabilities that otherwise would not be discovered through other means such as a vulnerability scan. The manual, human analysis means that false positives are filtered out. Furthermore, it demonstrates what access can be gained, as well as what data may be obtained, by attempting to exploit the vulnerabilities discovered in the way that a real-world attacker would. This effectively demonstrates the real risk of a successful exploitation for each vulnerability used to gain access.
Penetration testing will also test an organisation's cyber defences. It can be deployed to test the effectiveness of web application firewalls (WAF), intrusion detection systems (IDS), and intrusion prevention systems (IPS). When a penetration test is underway, these systems should automatically generate alerts and trigger the organisation's internal procedures, resulting in a response from internal security operations teams.
Penetration testing enables organisations to meet regulatory compliance requirements such as PCI-DSS, and also addresses ISO 27001 control objective A12.6.
Reference: http://www.itgovernance.co.uk/iso27001_pen_testing.aspx
Finally, penetration testing provides an expert opinion from an independent third party outside of the target organisation. This can help internal security teams influence management decisions in their favour and obtain more budget for security enhancements.
C. WHO NEEDS PENETRATION TESTING AND WHY DO THEY NEED IT?
Organisations with an online presence, web or mobile application, or connected digital infrastructure should perform penetration testing. A penetration test should be performed on any type of connected, and even non-connected, technology after implementation or development, and prior to its go-live phase. This may include a new web or mobile application, network infrastructure, or hardened kiosk client. It is also recommended to perform a penetration test on a periodic basis and after changes are made, as new vulnerabilities are discovered over time and need to be identified and validated as to how they can be exploited or chained with other vulnerabilities to gain access to a target.
Organisations that need to meet compliance standards such as PCI-DSS v3.0 requirement 11.3, where penetration testing is required annually or after any significant change, also need to perform penetration testing.
D. WHY IS IT IMPORTANT TO CONDUCT PENETRATION TESTING?
Organisations should conduct penetration testing for the following reasons:
- To ensure the effectiveness of current controls and how they are implemented and configured.
- In order to develop controls to address weaknesses discovered in the infrastructure, application, or process. (Hardware, Software, and People.)
- To examine the effects of multiple vulnerabilities and how they can be chained together.
- To assess the effectiveness of an application’s input validation controls. Wherever user input is entered, rigorous fuzz testing is performed to make sure that only sanitised input is accepted.
- To improve security response time. A penetration test can be used to identify how different teams respond to an intrusion and improve internal incident response processes and procedures.
E. WHAT IS THE DIFFERENCE BETWEEN PENETRATION TESTING & VULNERABILITY ASSESSMENT?
Penetration Testing and Vulnerability Assessments should both be part of an organisation’s security program.
Vulnerability assessments should be performed frequently across infrastructure and applications. A vulnerability assessment checks for known vulnerabilities and security misconfigurations for which a plugin has been developed to perform the specific check it is written to detect. Dedicated software tools such as Nessus and Qualys are used. It does not focus on exploiting vulnerabilities or on the results of chaining multiple vulnerabilities together, and it has no ability to use the information gathered intelligently to craft a customised attack. The scope of a vulnerability assessment will normally be much larger and include a complete list of known vulnerabilities, risk-ranked with a CVSS score, across an entire range of targets. Also, as a vulnerability assessment does not validate results, there is always room for false positives.
Penetration Testing is goal focussed. It often targets a specific application or system component within an agreed scope rather than everything as a whole.
Unlike a vulnerability assessment, a penetration test discovers vulnerabilities through thorough manual probing using a customised toolset, uncovering issues that a vulnerability assessment would miss. Often customised scripts are written during the test in order to uncover security weaknesses. Furthermore, penetration testing requires that the penetration tester actively exploits the vulnerabilities discovered. Often multiple vulnerabilities are exploited in order to successfully gain access. This requires an intelligent and creative way of thinking, such that the tester is able to chain vulnerabilities together, exploiting several of them at the same time and in concert, in order to gain access to a target.
F. WHAT ARE THE TYPES OF PENETRATION TESTS?
Following is a summary of each type of penetration test; they all follow different methodologies and utilise different frameworks.
Web Application Penetration Test. These tests focus on the various vulnerabilities found in web application components, including frameworks, server software, APIs, forms, and anywhere user input is accepted.
Mobile Application Penetration Test. A mobile penetration test focuses on trying to exploit how a mobile application accepts user input, how securely it is stored on the phone, how securely data is transmitted across the internet, as well as all the web service vulnerabilities which may be present in the API.
External Infrastructure Test. Checks for open ports on all externally facing ranges; attempts are made to fingerprint and exploit the services discovered, as well as to bypass authentication mechanisms and brute force VPN gateways.
Internal Infrastructure Penetration Test. This will be an attempt to get full system administrator privileges from within the internal network. Checks are done to search for vulnerable services and software, and exploits are used to obtain access. Network traffic is normally sniffed whilst ARP poisoning is executed in order to capture credentials and other sensitive traffic in transit.
Wireless Penetration Testing. At a high level, this involves attempts to crack WEP and WPA encryption in order to obtain access. Other attacks such as man-in-the-middle (MitM) attacks are attempted, as well as tricking wireless clients into connecting to a dummy access point.
End point / Kiosk PC Penetration Test. These penetration tests attempt to break out of a kiosk PC or other locked down device and gain elevated privileges or access to sensitive data that should otherwise not be accessible.
CHAPTER 2: PENETRATION TESTING PREREQUISITES
Understand Business Requirement. This is the most important part of the engagement. You must have a clear understanding of why the customer requires the penetration test. Is it good-practice driven? Part of a new launch? Or compliance driven? The answers to these types of questions will dictate how the rest of the engagement is approached.
Define Scope. Define what is in scope and what is specifically out of scope. There also needs to be a clear definition of what is allowed and what isn’t allowed in the rules of engagement.
Review Past Threats and Vulnerabilities. Although it is generally good practice to perform a review of what was previously discovered in a penetration test, it is also mandatory as part of PCI requirement 11.3. This review allows you to specifically focus on things that were identified previously and make sure those same issues have either been remediated or have not arisen again.
Get Authorization. The actions performed during a penetration test would normally be considered illegal without prior authorization. This can land you in some legal hot water unless you have your “Get Out of Jail Free” paperwork signed off. A good template to use as an example is here: http://www.counterhack.net/permission_memo.html
Agree on Timing. There may be certain times in an organisation where the risk of interference or downtime is considered a higher consequence; such as periods of high utilization or when project implementations and upgrades are taking place. Because of this, make sure you agree on an acceptable time window to perform the penetration test.
Whitelist Source IPs. The target organisation of a penetration test should be notified of the source IPs from which you will be performing the test. There are a number of reasons for this, but in order to properly perform a penetration test without interference from a WAF or an IPS, you should request that your source IPs are whitelisted on such appliances.
Confirm internal contacts available. It’s important that you agree on a communication plan and on who your internal contacts within the organisation will be, so that they are available during the penetration test. This is not only so you can get them to support you during the testing process; it’s also a good idea to notify the target organisation immediately if a vulnerability is discovered that you deem to be “Critical”.
B. PENETRATION TESTING CHECKLIST
There is a large suite of penetration testing tools which you may utilise within your arsenal depending on what you are testing. This topic is too big to detail every tool for every type of test. Most of these tools ship with Kali Linux, which is considered the penetration tester’s Linux distribution. However, the following are tools you should get to know well:
Nmap was traditionally developed as a host discovery and port scanner in order to “map” out a network. But it can now also be used for host fingerprinting, service detection, and vulnerability scanning — effectively enumerating all services running on any given host(s), including vulnerabilities detected on them.
https://nmap.org/
Netcat. Often referred to as the Swiss army knife of the network, Netcat can be used for terminal connectivity, chat sessions, file transfers, port redirection, as well as for launching forward and reverse shells on connect. An excellent cheat sheet by SANS is here:
https://www.sans.org/security-resources/sec560/netcat_-cheat_sheet_v1.pdf
Burp Suite. Burp is a web application intercepting proxy which is capable of spidering and downloading a website, modifying web requests on the fly, fuzzing user input fields and values, analysing session token ID randomness, as well as automatically scanning HTTP requests for vulnerabilities. It is used mainly in web and mobile application penetration tests where web requests are sent to a server.
https://portswigger.net/burp/
SQLMap is a full-blown automatic database takeover tool. It can be used to identify SQL injection vulnerabilities, and then exploit them in order to download entire databases, launch commands remotely, and spawn a remote OS shell.
http://sqlmap.org/
Nessus is a vulnerability scanner. A vulnerability scanner is often used as part of a penetration test in order to detect missing patches and discover “low hanging fruit.” A vulnerability scan will quickly find scan-detectable vulnerabilities which can be used as a basis for launching an exploit in order to gain quick access.
https://www.tenable.com/products/nessus-vulnerability-scanner
Metasploit Framework is an exploit framework used to set up and launch exploits at vulnerable hosts. It can also be used for enumeration tasks as well as a listener for incoming reverse shells and meterpreter shells.
https://www.metasploit.com/
Python. It is recommended that you master at least one high-level scripting language. If you were only going to learn one language, Python would be it. It is easy to write and well adopted within penetration testing and exploit development circles.
https://www.python.org/
Bash. Learning the bash shell and how to script with associated Linux command line tools during a penetration test is essential. You should be able to quickly put together custom scripts to filter and format data for presentation or input into another tool.
Google is where you will find open source information that will prove interesting during a penetration test, such as the discovery of potentially sensitive documents that shouldn’t be publicly searchable. Johnny Long wrote an excellent book on this topic. There is also a Google Hacking Database (GHDB):
https://www.exploit-db.com/google-hacking-database/
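As an added example (not the guide's own code) of the data wrangling the Nmap and Bash entries above call for, written in Python as the guide recommends: a parser that turns nmap's grepable (-oG) output into structured records, a per-host summary of open services for the report, and a CSV export for feeding into another tool. The scan output below is constructed for this example and the hosts are private lab addresses.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of nmap grepable output (-oG), not a real scan. Fields on a
# "Host:" line are tab-separated, and each entry in the "Ports:" field has the form
# port/state/protocol/owner/service/rpc-info/version/ (nmap replaces any '/' inside
# the version text, so splitting on '/' is safe).
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.40 scan initiated Fri Jun  9 10:00:00 2017 as: nmap -sV -oG lab.gnmap 192.168.56.0/24",
    "Host: 192.168.56.10 ()\tStatus: Up",
    "Host: 192.168.56.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)",
    "Host: 192.168.56.20 (db01.lab.example)\tStatus: Up",
    "Host: 192.168.56.20 (db01.lab.example)\tPorts: 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2008 R2/\tIgnored State: closed (999)",
    "# Nmap done at Fri Jun  9 10:03:12 2017 -- 256 IP addresses (2 hosts up) scanned in 192.04 seconds",
])

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
PORT_RE = re.compile(r"(\d+)/(\w*)/(\w*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


@dataclass(frozen=True)
class Service:
    host: str
    hostname: str
    port: int
    protocol: str
    state: str
    service: str
    version: str


def parse_gnmap(text):
    """Turn grepable nmap output into one Service record per port entry."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the comment and "Nmap done" lines
        fields = line.split("\t")
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:
            continue                      # "Status: Up" lines carry no port data
        host, hostname = HOST_RE.match(fields[0]).groups()
        for m in PORT_RE.finditer(ports_field[len("Ports: "):]):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            records.append(Service(host, hostname, int(port), proto, state, service, version))
    return records


def open_ports_by_host(records):
    """Group open ports per host, the shape a report's host table needs."""
    summary = {}
    for r in records:
        if r.state == "open":
            entry = f"{r.port}/{r.protocol} {r.service} {r.version}".rstrip()
            summary.setdefault(r.host, []).append(entry)
    return summary


def to_csv(records):
    """Flatten records to CSV so they can be fed into another tool or a spreadsheet."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["host", "hostname", "port", "protocol", "state", "service", "version"])
    for r in records:
        writer.writerow([r.host, r.hostname, r.port, r.protocol, r.state, r.service, r.version])
    return out.getvalue()


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for host, ports in open_ports_by_host(parsed).items():
        print(host, "->", "; ".join(ports))
    print(to_csv(parsed))
```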
CHAPTER 3: EXECUTING PENETRATION TESTING
A. PENETRATION TESTING STRATEGY
It’s important to allocate time wisely and not get tunnel vision attempting to break into one part of a target system. Due to the time constraints of a penetration testing engagement, getting stuck on a red herring will mean that you miss the opportunity to find other critical flaws that you could have exploited in order to gain access. It’s also worth noting that the reporting component will take a considerable amount of time. For this reason, making sure you have a properly documented process is important. When planning a penetration test it is worth allocating a fixed amount of time per component or function, as well as for reporting.
B. PENETRATION TESTING METHODOLOGY
It is important to follow an industry methodology as a baseline. You can then build your own processes and procedures for testing on top of that.
OWASP Testing Guide – Contains a best-practice framework and set of tests to perform when conducting a web application penetration test.
https://www.owasp.org/images/1/19/OTGv4.pdf
PCI Penetration Testing Guide – Provides guidance for conducting penetration tests under PCI requirement 11.3.
https://www.pcisecuritystandards.org/documents/information_supplement_11.3.pdf
Penetration Testing Execution Standard – A standard put together by a group of InfoSec professionals with the goal of developing a common framework for penetration tests.
http://www.pentest-standard.org/
NIST 800-115 – A high-level technical guide for conducting information security tests and security assessments.
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
Penetration Testing Framework – A free penetration testing framework and walkthrough covering the various phases of penetration testing in detail.
http://www.pen-tests.com/penetration-testing-framework.html
Information Systems Security Assessment Framework (ISSAF) – An excellent reference for penetration testing which covers everything from project management to testing.
https://sourceforge.net/projects/isstf/
Open Source Security Testing Methodology Manual (“OSSTMM”) – A methodology for security testing, security analysis and security metrics, among other things.
C. PENETRATION TESTING DO’S AND DONT’S
- Make sure you do everything as discussed and set out within the agreed scope.
- Make sure you do get authorization signed off to perform the penetration test.
- Do not ever perform a penetration test without prior approval.
- Do not perform testing outside of the agreed scope of the test.
D. HOW TO ORGANISE THE DATA COLLECTED IN PENETRATION TESTS
Detailed notes are important, including lots of screenshots as evidence. Everything you compromise will need to be explained in detail with screenshots, so there will be a lot of cut and paste. Examples of code snippets used should also be included, as well as commands entered. You can use a program such as Word, or CherryTree, for this: http://www.giuspen.com/cherrytree/
The notes and data collected in the course of the penetration testing engagement will need to be thorough enough that the attacks can be explained in detail in the final report, which the customer can then use to reproduce the attacks themselves.
CHAPTER 4: POST PENETRATION TESTING QUESTIONS
A. INTERPRETING RESULTS OF PENETRATION TESTING
Reports should contain risk-ranked vulnerabilities with the highest-risk items at the top of the report. Customers should prioritise remediation tasks starting with the highest risks. Risk owners should be identified and assigned items from the report, and given a deadline to remediate based on the risk rating. For example: Critical – 1 week, High – 1 month, Medium – 2 months, Low – 3 months.
B. HOW TO VALIDATE RESULTS OF PENETRATION TESTING?
This should have already been done by the penetration tester. The final report should contain details and steps with screenshots showing exactly how certain vulnerabilities were exploited. Thus there should be no false positives in the report.
C. HOW OFTEN SHOULD PENETRATION TESTING BE DONE?
Penetration testing should be done as part of any secure software development lifecycle, alongside a source code review and secure development standards. It should be performed prior to going live, as well as after going live. Following that, it should be performed periodically on any digital system.
PCI requirement 11.3 requires that penetration testing is performed at least annually and after any significant change.
D. WHEN SHOULD A RE-TEST BE DONE?
At least one re-test should be offered by the penetration tester as part of an engagement. The client should request that a re-test is performed as soon as they have completed remediation tasks. The re-test will test for the vulnerabilities discovered in the initial test in order to validate whether they have been successfully remediated.
CHAPTER 5: QUALIFICATIONS OF PENETRATION TESTERS AND THE COST OF THE SERVICE
A. WHAT CERTIFICATIONS DO PENETRATION TESTERS NEED TO HAVE?
There is currently no requirement for a penetration tester to hold any certifications; however, it is recommended that a professional penetration tester holds at least one of the following:
Offensive Security Certified Professional (OSCP) – This would be considered the de facto standard for an entry-level penetration tester and recommended as a bare minimum level of skill.
Offensive Security Certified Expert (OSCE) – This validates the skillset of a more advanced penetration tester.
CREST Registered Penetration Tester (CRT-Pen) – We don’t believe this one holds too much weight from a technical point of view in comparison to the others, but it is gaining popularity as a compliance-like certification.
The PCI Security Standards Council also lists these certifications as indications of skill level and competence.
https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
B. WHY PENETRATION TESTING SHOULD BE DONE BY EXPERTS
Penetration testing is a niche skill which takes a lot of hands-on experience to develop. Not only does it require exceptional attention to detail, but also an excellent ability to write high-quality technical reports, as the report is the deliverable of the engagement.
C. HOW MUCH DOES PENETRATION TESTING COST?
This varies depending on the type of engagement, scope, and size of what needs to be tested. As such it is best to get quoted accurately. Factors such as complexity of the environment, methodology, experience and qualifications of the penetration tester, whether the test is performed onsite, and what re-test work is required are all things which will affect cost.