Penetration Testing The Importance of Your Bank’s Perimeter Security - PowerPoint PPT Presentation




Penetration Testing: The Importance of Your Bank’s Perimeter Security

Presented by:

Brian Hunter & Philip Diekhoff

BKD Risk Management Group



A Brief History of Hacking



The Penetration Tester

  • Testing done by an Ethical Hacker (EH) who attempts to circumvent the security of a computer system or network

  • EH works under no constraints other than those that would apply to ordinary users

  • EH uses the same methodology & tools used by hackers



Types of Penetration Testing

  • External Penetration Testing

    • Taking role of hacker to gain access from Internet

  • Internal Penetration Testing

    • Taking on role of disgruntled employee or third-party vendor to gain access from inside network



Different types of Penetration Testing

What kinds of testing can be done?

  • No knowledge – hacker from Internet. Test is performed with no information about organization

  • Knowledgeable – former employee. Test is performed with some knowledge but no access

  • Insider – consultants or vendors. Test is performed inside with physical access to network. Knowledge is limited

  • Knowledgeable insider – staff. Test is performed inside with knowledge. This is to test how secure network is & whether employees can access resources they shouldn’t be able to



Security Offerings – What’s out there?

  • Network Scanning

  • Vulnerability Scanning

  • Penetration Testing

    What is the difference?



Network Scanning

What is it?

  • Uses port scanners (e.g., Nmap, SuperScan)

  • Scans network to determine what devices are there, what ports are open & what services are running on those ports

  • Fast, efficient but doesn’t probe for vulnerabilities



Vulnerability Scanning

What is it?

  • Identifies network hosts & services

  • Identifies network operating systems

  • Identifies applications running on those devices

  • Identifies potential vulnerabilities pertinent to those systems & applications

  • Based on a database of vulnerabilities & not actual testing

  • Fairly fast, provides list of vulnerabilities but has many false positives



Penetration Testing

What is it?

  • Set of procedures designed to circumvent existing security controls of specific system or organization

  • Encompasses network scanning & vulnerability scanning, but includes human element & verification of vulnerabilities

  • True hacker approach, verifies vulnerabilities but takes time & expertise



Why do I Need Penetration Testing?

  • Risk assessment

  • Verification of security controls

  • Identify vulnerabilities

  • Regulatory compliance

  • Anticipate expenditure



It Won’t Happen to Me

  • No one would be interested in a small organization like us

  • They think the IT department has everything under control, or

  • People become complacent with their network

Consider This!



Check This Out

  • http://www.privacyrights.org/ar/ChronDataBreaches.htm

  • Hacked Sites



Data Breaches 2006: Analysis



Questions to Ask

  • What is their methodology?

  • Is the methodology proven? Has it been used successfully before?

  • Ask for references—more is better!

  • How long have they been performing this kind of work?



Things to Keep in Mind

  • Need for independence

  • Testing of any type can be disruptive & damaging

  • Are we talking about network scanning, vulnerability scanning or penetration testing? Compare scopes & methodologies

  • There is no single standard methodology for penetration testing, but there has been some standardization



Key Methodology Steps

  • Scope of work/engagement letter

  • Footprinting

  • Scanning

  • Enumeration

  • Penetration

  • Privilege escalation

  • Find sensitive data

  • Conference with client (discuss findings)

  • Report (contains findings & recommendations)



Footprinting

  • Public information gathering to determine organization’s demographics, locations, address, hosts, etc.

  • Organizational reconnaissance

  • Network reconnaissance

  • Domain names

  • IP addresses

  • Pinpoint servers (web, email, DNS, etc.)

  • Employee information

  • Search newsgroups for company information



Scanning

  • Assess & identify listening services to focus attack on most promising avenues of entry

  • TCP and UDP port scanning

  • Locate publicly accessible devices on IP segment

  • Identify open ports on devices

  • Stealth is required so as not to alert intrusion detection systems



Enumeration

  • Enumerate network devices & determine what is running & what it is running on

  • Identify hardware

  • Identify operating system

  • Identify services & their version

  • Identify applications

  • Identify potential vulnerability



Penetration

  • Use information from previous steps to gain access to systems

  • Using all information gathered so far, prioritize targets by the severity of vulnerabilities found

  • Systematically address all potential vulnerabilities on all systems

  • Never perform Denial of Service (DoS) attacks

    • Demo: RPC Exploit



Privilege Escalation

  • Depending on privilege level obtained from penetration phase, it may be necessary to attempt to increase privilege level to gain total control of system

    • Demo: RPC Exploit

    • Demo: PWDump

    • Demo: File



Find Sensitive Data – a.k.a. Pilfer

  • Footprint & scan internal network

  • Identify internal servers & their purpose

  • Attempt to locate sensitive information

  • Crack password files

  • Databases

  • Accounting programs

    • Demo: LC4



Exit Meeting

  • Meet & discuss findings

  • Address the largest security findings so you can begin fixing them immediately

  • Get all your questions answered



Report

  • The real value in penetration testing is in the report

  • It should identify vulnerabilities

  • It should give recommendations on fixing those vulnerabilities



What Will it Take to Keep Me Out?

Not as much as you might think

  • New expensive equipment is not usually required

  • Most security issues can be addressed quickly & easily

  • Most time & energy will be spent on security awareness



What Will it Take to Keep Me Out? (cont.)

  • Understand that risks are real

  • Be proactive with your IT security

  • Clear, concise policies that define security requirements & expectations of employees

  • Patches – keep all computers & network devices current with latest service packs, patches and updates



What Will it Take to Keep Me Out? (cont.)

  • Configure routers & firewalls to block all unnecessary traffic

  • Develop an “Incident Response Team”

  • Have testing performed regularly

  • Use intrusion detection systems

  • Remember, all testing/scanning is a snapshot of the network at that point in time
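The Network Scanning slide describes what a port scanner such as Nmap reports, and this slide asks you to block all unnecessary traffic and to remember that any scan is only a snapshot. The added example below (not from the presentation) ties the two together from the defender's side: it parses Nmap grepable (-oG) output, flags every open service the perimeter policy does not authorize, and reports what changed since the previous snapshot. The scan lines, host addresses and the ALLOWED policy are constructed for the example.

```python
"""Added example (not from the presentation): compare an external Nmap scan
against the perimeter policy and against the previous scan snapshot."""
import re

# Constructed sample output in Nmap grepable (-oG) format; hosts are not real.
PREVIOUS_SCAN = """\
Host: 203.0.113.10 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///
Host: 203.0.113.20 ()  Ports: 25/open/tcp//smtp///, 443/closed/tcp//https///
"""
CURRENT_SCAN = """\
Host: 203.0.113.10 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.20 ()  Ports: 25/open/tcp//smtp///, 53/open/udp//domain///
"""
# Assumed policy: the only (host, port, proto) the firewall is meant to pass.
ALLOWED = {("203.0.113.10", 80, "tcp"), ("203.0.113.10", 443, "tcp"),
           ("203.0.113.20", 25, "tcp")}

# -oG port field layout: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)//([^/]*)")


def open_services(grepable):
    """Return {(host, port, proto): service} for every open port in the scan."""
    found = {}
    for line in grepable.splitlines():
        if line.startswith("Host:") and "Ports:" in line:
            host = line.split()[1]
            for port, state, proto, svc in PORT_RE.findall(line.split("Ports:")[1]):
                if state == "open":
                    found[(host, int(port), proto)] = svc
    return found


def unauthorized(scan, allowed=ALLOWED):
    """Open services the policy does not permit: unnecessary traffic to block."""
    return {k: v for k, v in open_services(scan).items() if k not in allowed}


def drift(previous, current):
    """Services that appeared or disappeared since the previous snapshot."""
    before, after = set(open_services(previous)), set(open_services(current))
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    for (host, port, proto), svc in sorted(unauthorized(CURRENT_SCAN).items()):
        print(f"unauthorized exposure: {host} {port}/{proto} ({svc})")
    new, gone = drift(PREVIOUS_SCAN, CURRENT_SCAN)
    print("new since last scan:", new, "| no longer exposed:", gone)
```

Run against the real output of an authorized external scan, the unauthorized list is the firewall cleanup work list, and the drift list is what changed since the last test.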



Common Entry Points

When locking down your network, pay attention to the most common points of entry for hackers:

  • Misconfigured routers

  • Misconfigured firewalls

  • Misconfigured Internet servers

  • Unpatched software

  • Unsecured remote access

  • Accounts with excessive permissions

  • Weak & easily guessed passwords


Key Takeaways

  • It is not a matter of “IF” but “WHEN”

  • Be proactive before you need to be reactive

  • Understand the importance of the methodology

  • Retest after significant changes

  • It’s a process not a destination



How to Contact Us

Brian Hunter

Supervising Consultant

Springfield, MO

417.865.8701

bdhunter@bkd.com

Philip Diekhoff

Senior Consultant

Springfield, MO

417.865.8701

pdiekhoff@bkd.com

