BTPSec Ⓒ 2015
What is Penetration
Testing and how we
do it!
BTPSec Ⓒ 2015
WE ARE BTPSEC
And we are here to talk about the way we perform
penetration testing
We can be reached at:
@btp_Sec
info@btpsec.com
BTPSec Ⓒ 2015
PENETRATION TESTING SERVICES
BTPSec
info@btpsec.com
Office: +1 323 7398539
Address: 10650 Kinnard Ave #113, Los Angeles, CA 90024
BTPSec Ⓒ 2015
AIM TO HIT
Penetration testing needs a clearly defined
approach to the job; otherwise you will fail.
BTPSec Ⓒ 2015
…. WE TAKE OUR JOB
SERIOUSLY
BTPSec Ⓒ 2015
Agenda
• What is a Pentest?
• Why should you perform pentesting?
• What are the benefits of Pentesting?
• How are Pentests performed?
• What are the targets of a pentest?
• Attacker profiles in a pentest
• When to perform a pentest?
• Reporting
• Evaluation
• Verification tests
Pentest Service
6
BTPSec Ⓒ 2015
• A pentest is a set of authorized cyber attacks performed
in order to discover and verify the vulnerabilities of an
information system.
• In a typical pentest session, vulnerabilities are
carefully exploited.
– The customer is informed of all steps.
– Tests are performed against all systems of the
customer.
What is a Pentest?
7
BTPSec Ⓒ 2015
• Depicting the current security level of a company.
• Identifying the gaps, and the security consciousness of
both systems and human resources, against possible
breaches.
• Pentests find out how much, and which, sensitive
information would be lost in case of a cyber attack.
Why perform a pen-test?
8
BTPSec Ⓒ 2015
• The Independent IT-Security Institute reports that around
150,000 malware samples were produced in 2014.
• The AV-TEST Institute reports 390,000 new malware samples
every day.
• Kaspersky Lab reports that:
– 6,167,233,068 malware samples were found in 2014.
– 1,432,660,467 mobile attacks were discovered in 2014.
– Among the surveyed companies involved in e-business,
half have suffered losses because of cyber
attacks.
• Different attack types and methods are discovered
each day.
Why perform a pen-test?
9
BTPSec Ⓒ 2015
• Carbanak: A financially motivated cyber gang that
stole 1 billion US dollars (remotely, using malware)
in 30 different countries.
• Sony: A merciless cyber attack, causing a big reputation
loss for the company.
• HSBC Turkey: November 2014: 2.7 million card records
were stolen.
Cyber Security Incidents - 2014
10
BTPSec Ⓒ 2015
• Vulnerabilities of an information system are exposed.
• Facilitates the analysis of genuine risks.
• Helps sustain business continuity.
• Decreases the possibility of real attacks.
• Protects staff, customers and business partners.
• Helps to be compliant with
– ISO 27001
– PCI DSS
• Increases know-how and facilitates
analysis of real attacks.
• Preserves company reputation.
What are the benefits of a Pen-test?
11
BTPSec Ⓒ 2015
• Determining the scope
– Web app pentest
– End user and social engineering attacks
– DDoS and performance tests
– Network infrastructure tests
– External and internal network tests
– Mobile app pentest
– Virtualization system pentest
– Database pentest
How is a pentest performed?
12
BTPSec Ⓒ 2015
• Performing the test
– Information gathering
– Analysis and planning
– Discovering vulnerabilities
– Exploitation
– Gaining access
– Privilege escalation
– Analysis and reporting
– Post-fix verification
How is a pentest performed?
13
★ Our pentest reports cover all, and
only, relevant risk information (that
is, findings that potentially cause
a risk).
★ We never deliver auto-scan
results to the customer, and we
employ our staff in, and encourage
them to specialize in, specific
fields of pentesting.
★ We are a team composed of
web pentesters, a SCADA tester,
a DDoS expert, network pentesters,
a social engineer and a wireless
pentester.
BTPSec Ⓒ 2015
• The following domains are tested and observed for the
possibility of information leakage and system malfunction,
in order to identify the security level of the determined
scope:
• Mistakes/shortcomings in application development
• Configuration errors
• Security awareness of staff
• System protection level
• Infrastructure security level
• Insecure certificate usage
• Patch level of applications
• Patch level of operating systems
Target systems in a pentest
14
BTPSec Ⓒ 2015
• External Network test profiles
– Normal user with no insider information
– Unauthorized user with insider information
– Authorized user with insider information
– Admin user with insider information
• Internal network test profiles
– Unauthorized user
– Employee profile
• Unhappy employee profile
• Disgruntled employee profile
– Manager profile
Attacker profiles in a pentest
15
BTPSec Ⓒ 2015
• Critical periods for the industry and the company
• Before and after corporate milestones
• Hiring/firing of critical personnel
• The weak system
• The strong system
When to perform a pentest
16
BTPSec Ⓒ 2015
• At least once a year
• After system changes and new system deployments
• After new system integrations
How often are Pentests performed?
17
BTPSec Ⓒ 2015
• All findings during the pentest are analyzed, verified
and reported.
• A detailed explanation of the findings, with solution
recommendations and steps to resolve, is submitted
in the report.
• Findings are categorized. Findings by category and
findings by severity are statistically graphed in the
reports.
Reporting
18
BTPSec Ⓒ 2015
• A sample finding.
Reporting
19
BTPSec Ⓒ 2015
Security re-evaluation of the company
20
• An executive summary report is delivered to the
executives, which shows the general security status
of the company.
• A project closure meeting will be organized to
discuss the report.
BTPSec Ⓒ 2015
• After a detailed explanation of the findings and delivery
of the final report, the company is expected to close the
gaps.
• After the gap closure, a time frame is determined by
both parties for verification tests.
• Findings in the report are re-evaluated in the
verification tests.
Verification Tests
21
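As an added example, written for this page and not BTPSec's own tooling or code from the deck, the following Python sketch models the Reporting and Verification Tests slides together: each finding carries a category (one of the target domains listed earlier), a severity and a solution recommendation; the findings are tallied for the by-category and by-severity charts, then re-evaluated against retest results after the customer's gap closure, so the residual risk left open can be reported. The Severity scale, the Finding fields, the sample findings and the retest outcome are all assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    """Severity scale assumed for this example; the deck does not define one."""
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Finding:
    fid: str               # report identifier, e.g. "F-001" (constructed)
    title: str
    category: str          # one of the target domains listed in the deck
    severity: Severity
    recommendation: str    # solution recommendation delivered with the finding
    status: str = "open"   # "open", "fixed" or "not fixed" after verification


def tally(findings):
    """Counts behind the 'findings by category' and 'findings by severity' charts."""
    by_category = Counter(f.category for f in findings)
    by_severity = Counter(f.severity.name for f in findings)
    return by_category, by_severity


def severity_histogram(findings):
    """Plain-text bar chart of findings per severity, highest severity first."""
    _, by_severity = tally(findings)
    lines = []
    for sev in sorted(Severity, reverse=True):
        count = by_severity.get(sev.name, 0)
        lines.append(f"{sev.name:<8} {'#' * count} ({count})")
    return "\n".join(lines)


def apply_verification(findings, retest):
    """Re-evaluate the reported findings in the verification test.

    retest maps finding id -> True if the retest could no longer reproduce the
    issue, False if it still reproduces. Findings absent from retest stay 'open'
    (not yet verified). Status is updated in place; the ids not confirmed fixed
    are returned so they can be carried into the next report.
    """
    still_open = []
    for f in findings:
        if f.fid in retest:
            f.status = "fixed" if retest[f.fid] else "not fixed"
        if f.status != "fixed":
            still_open.append(f.fid)
    return still_open


def residual_risk(findings):
    """Highest severity among findings not confirmed fixed, or None if all are closed."""
    open_sevs = [f.severity for f in findings if f.status != "fixed"]
    return max(open_sevs) if open_sevs else None


# Constructed sample findings; not from any real engagement.
SAMPLE_FINDINGS = [
    Finding("F-001", "SQL injection in login form", "Application development",
            Severity.CRITICAL, "Use parameterised queries for all database access"),
    Finding("F-002", "Outdated web server version", "Patch level of applications",
            Severity.HIGH, "Apply vendor security updates"),
    Finding("F-003", "Self-signed TLS certificate on intranet portal", "Insecure certificate usage",
            Severity.MEDIUM, "Deploy a certificate issued by the corporate CA"),
    Finding("F-004", "Directory listing enabled", "Configuration errors",
            Severity.LOW, "Disable directory indexing on the web server"),
    Finding("F-005", "Staff opened phishing attachment", "Security awareness of staff",
            Severity.HIGH, "Run awareness training and simulated phishing"),
    Finding("F-006", "Missing OS patches on file server", "Patch level of operating systems",
            Severity.HIGH, "Enrol the host in the patch management cycle"),
]

# Constructed retest outcome after the customer's gap closure.
# F-005 has no entry: it was not retested, so it remains open.
SAMPLE_RETEST = {"F-001": True, "F-002": True, "F-003": False, "F-004": True, "F-006": True}

if __name__ == "__main__":
    print(severity_histogram(SAMPLE_FINDINGS))
    print("residual risk before verification:", residual_risk(SAMPLE_FINDINGS).name)
    print("still open after verification:", apply_verification(SAMPLE_FINDINGS, SAMPLE_RETEST))
    print("residual risk after verification:", residual_risk(SAMPLE_FINDINGS).name)
```

Keeping the verification step separate from the tally means the same finding list can be graphed twice, once for the final report and once after the retest, and a finding that was never retested is deliberately reported as still open rather than silently assumed fixed.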
BTPSec Ⓒ 2015
BTPSEC OFFICES
BTPSec Ⓒ 2015
ANY QUESTIONS?
You can find us at
@btp_sec
info@btpsec.com