Penetration Testing The Importance of Your Bank’s Perimeter Security
Presentation Transcript

Penetration Testing: The Importance of Your Bank’s Perimeter Security

Presented by:

Brian Hunter & Philip Diekhoff

BKD Risk Management Group

The Penetration Tester
  • Testing done by an Ethical Hacker (EH) who attempts to circumvent the security of a computer system or network
  • EH works under no constraints other than those that would apply to ordinary users
  • EH uses the same methodology & tools used by hackers
Types of Penetration Testing
  • External Penetration Testing
    • Taking the role of a hacker to gain access from the Internet
  • Internal Penetration Testing
    • Taking the role of a disgruntled employee or third-party vendor to gain access from inside the network
Different Types of Penetration Testing

What kinds of testing can be done?

  • No knowledge – hacker from Internet. Test is performed with no information about organization
  • Knowledgeable – former employee. Test is performed with some knowledge but no access
  • Insider – consultants or vendors. Test is performed inside with physical access to network. Knowledge is limited
  • Knowledgeable insider – staff. Test is performed inside with knowledge. This is to test how secure network is & whether employees can access resources they shouldn’t be able to
Security Offerings – What’s out there?
  • Network Scanning
  • Vulnerability Scanning
  • Penetration Testing

What is the difference?

Network Scanning

What is it?

  • Uses port scanners (e.g. Nmap, SuperScan)
  • Scans network to determine what devices are there, what ports are open & what services are running on those ports
  • Fast, efficient, but doesn’t probe for vulnerabilities
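A defender’s check that ties the network-scanning step to the later advice to block all unnecessary traffic: the added Python below (not from the presentation) parses Nmap’s grepable (-oG) output of a perimeter scan and lists every listening service that the firewall policy did not expect, including hosts that answered but have no policy entry at all. The scan lines, host addresses and allowlist are constructed for the example.

```python
import re

# Constructed sample in Nmap -oG format (RFC 5737 documentation addresses, not real hosts).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sS -oG perimeter.gnmap 192.0.2.0/28
Host: 192.0.2.10 (www.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 192.0.2.11 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 3389/open/tcp//ms-wbt-server///, 161/open|filtered/udp//snmp///
Host: 192.0.2.12 ()\tStatus: Up
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""

# Expected perimeter exposure: what the firewall policy says should be reachable (constructed).
ALLOWLIST = {
    "192.0.2.10": {("tcp", 80), ("tcp", 443)},
    "192.0.2.11": {("tcp", 25)},
}

# port/state/proto/owner/service/... ; owner is usually empty, hence the "//".
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)//([^/]*)")

def parse_gnmap(text):
    """Return {ip: [(proto, port, state, service), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        ports = hosts.setdefault(ip, [])          # host with no Ports field still recorded
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for port, state, proto, service in PORT_RE.findall(fields.get("Ports", "")):
            ports.append((proto, int(port), state, service))
    return hosts

def unexpected_exposure(hosts, allowlist):
    """Findings: open (or open|filtered) ports not in the allowlist, and reachable hosts with no policy entry."""
    findings = []
    for ip, ports in hosts.items():
        allowed = allowlist.get(ip)
        if allowed is None:
            findings.append((ip, None, "host reachable but not in perimeter policy"))
            continue
        for proto, port, state, service in ports:
            if state.startswith("open") and (proto, port) not in allowed:
                findings.append((ip, f"{port}/{proto}", f"{service or '?'} open but not allowed"))
    return findings

if __name__ == "__main__":
    for ip, port, why in unexpected_exposure(parse_gnmap(SAMPLE_SCAN), ALLOWLIST):
        print(ip, port or "-", why)
```

Re-running it against each new scan turns the "snapshot" the slides warn about into a diff against policy, so a newly exposed RDP or SNMP service is caught before a tester (or anyone else) finds it.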
Vulnerability Scanning

What is it?

  • Identifies network hosts & services
  • Identifies network operating systems
  • Identifies applications running on those devices
  • Identifies potential vulnerabilities pertinent to those systems & applications
  • Based on a database of vulnerabilities & not actual testing
  • Fairly fast, provides list of vulnerabilities but has many false positives
Penetration Testing

What is it?

  • Set of procedures designed to circumvent existing security controls of specific system or organization
  • Encompasses network scanning & vulnerability scanning, but includes human element & verification of vulnerabilities
  • True hacker approach, verifies vulnerabilities but takes time & expertise
Why do I Need Penetration Testing?
  • Risk assessment
  • Verification of security controls
  • Identify vulnerabilities
  • Regulatory compliance
  • Anticipate expenditure
It Won’t Happen to Me
  • No one would be interested in a small organization like us
  • They think the IT department has everything under control
  • People become complacent with their network

Consider This!

Check This Out
  • http://www.privacyrights.org/ar/ChronDataBreaches.htm
  • Hacked Sites
Questions to Ask
  • What is their methodology?
  • Is the methodology proven? Has it been used successfully before?
  • Ask for references—more is better!
  • How long have they been performing this kind of work?
Things to Keep in Mind
  • Need for independence
  • Testing of any type can be disruptive & damaging
  • Are we talking about network scanning, vulnerability scanning or penetration testing – compare scopes & methodologies
  • There is no single standard methodology for penetration testing, but there has been some standardization
Key Methodology Steps
  • Scope of work/engagement letter
  • Footprinting
  • Scanning
  • Enumeration
  • Penetration
  • Privilege escalation
  • Find sensitive data
  • Conference with client (discuss findings)
  • Report (contains findings & recommendations)
Footprinting
  • Public information gathering to determine organization’s demographics, locations, address, hosts, etc.
  • Organizational reconnaissance
  • Network reconnaissance
  • Domain names
  • IP addresses
  • Pinpoint servers (web, email, DNS, etc.)
  • Employee information
  • Search newsgroups for company information
Scanning
  • Assess & identify listening services to focus attack on most promising avenues of entry
  • TCP and UDP port scanning
  • Locate publicly accessible devices on IP segment
  • Identify open ports on devices
  • Stealth is required not to alert Intrusion Detection Systems
Enumeration
  • Enumerate network devices & determine what is running & what it is running on
  • Identify hardware
  • Identify operating system
  • Identify services & their version
  • Identify applications
  • Identify potential vulnerability
Penetration
  • Use information from previous steps to gain access to systems.
  • Using all information gathered so far, prioritize targets by the severity of vulnerabilities found
  • Systematically address all potential vulnerabilities on all systems
  • Never perform Denial of Service (DoS) attacks
    • Demo: RPC Exploit
Privilege Escalation
  • Depending on privilege level obtained from penetration phase, it may be necessary to attempt to increase privilege level to gain total control of system
    • Demo: RPC Exploit
    • Demo: PWDump
    • Demo: File
Find Sensitive Data – a.k.a. Pilfer
  • Footprint & scan internal network
  • Identify internal servers & their purpose
  • Attempt to locate sensitive information
  • Crack password files
  • Databases
  • Accounting programs
    • Demo: LC4
Exit Meeting
  • Meet & discuss findings
  • Address the largest security findings first so you can begin fixing them immediately
  • Get all your questions answered
Report
  • The real value in penetration testing is in the report
  • It should identify vulnerabilities
  • It should give recommendations on fixing those vulnerabilities
What Will it Take to Keep Me Out?

Not as much as you might think

  • New expensive equipment is not usually required
  • Most security issues can be addressed quickly & easily
  • Most time & energy will be spent on security awareness
What Will it Take to Keep Me Out? (cont.)
  • Understand that risks are real
  • Be proactive with your IT security
  • Clear, concise policies that define security requirements & expectations of employees
  • Patches – keep all computers & network devices current with latest service packs, patches and updates
What Will it Take to Keep Me Out? (cont.)
  • Configure routers & firewalls to block all unnecessary traffic
  • Develop an “Incident Response Team”
  • Have testing performed regularly
  • Use intrusion detection systems
  • Remember, all testing/scanning is a snapshot of the network at that point in time
Common Entry Points

When locking down your network, pay attention to the most common points of entry for hackers:

  • Misconfigured routers
  • Misconfigured firewalls
  • Misconfigured Internet servers
  • Unpatched software
  • Unsecured remote access
  • Accounts with excessive permissions
  • Weak & easily guessed passwords
Key Takeaways
  • It is not a matter of “IF” but “WHEN”
  • Be proactive before you need to be reactive
  • Understand the importance of the methodology
  • Retest after significant changes
  • It’s a process not a destination
How to Contact Us

Brian Hunter, Supervising Consultant, Springfield, MO, 417.865.8701, [email protected]

Philip Diekhoff, Senior Consultant, Springfield, MO, 417.865.8701, [email protected]