Network Penetration Testing - PowerPoint PPT Presentation

1 / 25
About This Presentation
Title:

Network Penetration Testing

Description:

Defining the Penetration Test. Attack Profiles. Engagement Approach. Vendor Selection ... Not all penetration tests are created equal... Why THEIR methodology ... – PowerPoint PPT presentation

Number of Views:1680
Avg rating:3.0/5.0
Slides: 26
Provided by: jacka
Category:

less

Transcript and Presenter's Notes

Title: Network Penetration Testing


1
Network Penetration Testing
  • Jack Jones, CISSP, CISA
  • Director of Information Security
  • Nationwide

2
Purpose
  • The Network Penetration Test
  • What it is...
  • What it isnt
  • What it should be...
  • How to get the most from it...

3
Agenda
  • Defining the Penetration Test
  • Attack Profiles
  • Engagement Approach
  • Vendor Selection
  • Rules of Engagement
  • Reporting
  • Making Use of the Results

4
Defining the Test
  • Three Primary Purposes...
  • Punching a Ticket
  • Proving a Point
  • Testing

5
Defining the Test
  • Understand the Limitations
  • Point-in-time snapshot
  • Can NEVER be considered 100 comprehensive
  • Constrained by time and resources

6
Defining the Test
  • Setting Test Goals
  • Audit versus validation
  • What constitutes success/failure?
  • Breach the perimeter?
  • Gain control?
  • Access critical or sensitive data?
  • All of the above (a.k.a. unrestricted)?
  • Technical versus operational emphasis

7
Attack Profiles
  • External Testing
  • Internet
  • Dial-up
  • Other (e.g., via trusted networks...)
  • Internal Testing
  • Social Engineering
  • Denial of Service (DoS)
  • Applications?

8
Approach
  • Overt versus Covert?
  • Informed versus Blind?
  • Pre-assessment versus Post-assessment?

9
Approach
  • Overt Advantage
  • Better coordination less risk
  • Covert Advantages
  • More accurate results
  • Better test of personnel and procedure

10
Approach
  • Informed Advantages
  • Better use of engagement time/resources
  • More thorough results
  • Less risk
  • Levels the playing field...
  • Blind Advantages

11
Approach
  • Pre-assessment Advantages
  • More realistic results
  • More effective for proving a point
  • Post-assessment Advantage
  • Better as a test/audit
  • More thorough

12
Vendor Selection
  • Everybody seems to offer it.
  • How to choose?

13
Vendor Selection
  • Keys to finding the right vendor
  • Experience (who)
  • Methodology (how)
  • Rationale (why)
  • How much ()

14
Vendor Selection
  • Experience
  • No ex-hackersplease
  • Professional organizations
  • Strong technical backgrounds
  • Certifications are a plus

15
Vendor Selection
  • Methodology
  • Engagement Approach
  • Attack Profiles
  • Tools (commercial versus proprietary)
  • Communication
  • Reporting

16
Vendor Selection
  • Rationale
  • Not all penetration tests are created equal...
  • Why THEIR methodology
  • Make them explain it to you

17
Rules of Engagement
  • The First Rule of Medicine
  • Do No Harm

18
Rules of Engagement
  • Lessen Risk of...
  • Accidental Denial of Service
  • Destruction of Data
  • Better results
  • Clearer Communications Expectations
  • Greater Flexibility
  • Due Diligence!

19
Rules of Engagement
  • Critical Rules
  • Clearly defined goals
  • Scope
  • What is off-limits (systems, networks, data,
    activities)
  • Timing
  • Lines of communication
  • Issue resolution

20
Reporting
  • Whats That Again?

21
Reporting
  • Reporting is key to realizing value
  • Reports Should NOT be...
  • Computer-generated boiler-plate

22
Reporting
  • Reports Should Have...
  • No false positives
  • Prioritized results
  • Separate executive and technical sections
  • Exposures described in terms of business risk!
  • Resolution resource requirements
  • Real-world recommendations

23
Using the Results
  • Why Were We Doing This
  • in the First Place?

24
Using the Results
  • Identify and Understand
  • Were the goals met?
  • Is further assessment required?
  • What are the most severe exposures?
  • Resolution Efforts
  • Prioritized from a cost/risk perspective
  • Sponsored by management
  • Implemented!

25
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com