
What is Penetration Testing?


This presentation describes penetration testing with a Who, What, Where, When and How approach. It covers the common pitfalls of a bad penetration test and how to recognize a good one, so that you can tell the two apart both by their methods (attitude) and by their results.


  1. BTPSec Ⓒ 2015. What is Penetration Testing and how we do it!
  2. WE ARE BTPSEC, and we are here to talk about the way we perform penetration testing. We can be reached at @btp_Sec and info@btpsec.com.
  3. PENETRATION TESTING SERVICES. BTPSec, info@btpsec.com, Office: +1 323 7398539, Address: 10650 Kinnard Ave #113, Los Angeles, CA 90024
  4. AIM TO HIT. Penetration testing needs a clearly defined approach to the job; otherwise you will fail.
  5. ... WE TAKE OUR JOB SERIOUSLY
  6. Agenda
     • What is a pentest?
     • Why should you perform pentesting?
     • What are the benefits of pentesting?
     • How are pentests performed?
     • What are the targets of a pentest?
     • Attacker profiles in a pentest
     • When to perform a pentest?
     • Reporting
     • Evaluation
     • Verification tests
  7. What is a Pentest?
     • A pentest is a set of authorized cyber attacks carried out to discover and verify the vulnerabilities of an information system.
     • In a typical pentest session, vulnerabilities are carefully exploited.
       – The customer is informed of all steps.
       – Tests are performed against all of the customer's systems that fall within the agreed scope.
  8. Why perform a pentest?
     • It depicts the current security level of a company.
     • It identifies the gaps, and the security awareness of both systems and staff, against possible breaches.
     • A pentest finds out how much, and which, sensitive information would be lost in a cyber attack.
  9. Why perform a pentest?
     • The Independent IT-Security Institute reports that around 150,000 malware samples were produced in 2014.
     • The AV-TEST Institute reports 390,000 new malware samples every day.
     • Kaspersky Lab reports that:
       – 6,167,233,068 malware samples were found in 2014.
       – 1,432,660,467 mobile attacks were discovered in 2014.
       – Among the surveyed companies involved in e-business, half have suffered losses because of cyber attacks.
     • New attack types and methods are discovered every day.
  10. Cyber Security Incidents, 2014
     • Carbanak: a financially motivated cyber gang that stole 1 billion US dollars, remotely and using malware, in 30 different countries.
     • Sony: a ruthless cyber attack that caused the company a major loss of reputation.
     • HSBC Turkey, November 2014: 2.7 million card records were stolen.
  11. What are the benefits of a pentest?
     • Vulnerabilities of an information system are exposed.
     • It facilitates the analysis of genuine risks.
     • It helps sustain business continuity.
     • It decreases the likelihood that a real attack succeeds.
     • It protects staff, customers and business partners.
     • It helps with compliance:
       – ISO 27001
       – PCI DSS
     • It increases know-how and facilitates the analysis of real attacks.
     • It preserves company reputation.
  12. How is a pentest performed?
     • Determining the scope
       – Web application pentest
       – End-user and social engineering attacks
       – DDoS and performance tests
       – Network infrastructure tests
       – External and internal network tests
       – Mobile application pentest
       – Virtualization system pentest
       – Database pentest
  13. How is a pentest performed?
     • Performing the test
       – Information gathering
       – Analysis and planning
       – Discovering vulnerabilities
       – Exploitation
       – Gaining access
       – Privilege escalation
       – Analysis and reporting
       – Post-fix verification
     ★ Our pentest reports cover only relevant findings, that is, those that present a potential risk.
     ★ We never deliver raw automated-scan output to the customer, and we hire and develop staff who specialize in specific fields of pentesting.
     ★ We are a team composed of web pentesters, a SCADA tester, a DDoS expert, network pentesters, a social engineer and a wireless pentester.
  14. Target systems in a pentest
     • The following areas are tested for the possibility of information leakage and system malfunction, and observed in order to establish the security level of the agreed scope:
       – Mistakes and shortcomings in application development
       – Configuration errors
       – Security awareness of staff
       – System protection level
       – Infrastructure security level
       – Insecure certificate usage
       – Patch level of applications
       – Patch level of operating systems
  15. Attacker profiles in a pentest
     • External network test profiles
       – Normal user with no insider information
       – Unauthorized user with insider information
       – Authorized user with insider information
       – Admin user with insider information
     • Internal network test profiles
       – Unauthorized user
       – Employee profile
         • Unhappy employee profile
         • Disgruntled employee profile
       – Manager profile
  16. When to perform a pentest
     • At critical periods for the industry and the company
     • Before and after corporate milestones
     • When hiring or firing critical personnel
     • On the system believed to be weak
     • On the system believed to be strong
  17. How often are pentests performed?
     • At least once a year
     • After system changes and new system deployments
     • After new system integrations
  18. Reporting
     • All findings made during the pentest are analyzed, verified and reported.
     • The report gives a detailed explanation of each finding, with a recommended solution and the steps to resolve it.
     • Findings are categorized. Findings by category and findings by severity are presented as statistics and graphs in the report.
  19. Reporting
     • A sample finding.
  20. Security re-evaluation of the company
     • An executive summary report is delivered to the executives, showing the general security status of the company.
     • A project closure meeting is organized to discuss the report.
  21. Verification Tests
     • After a detailed explanation of the findings and delivery of the final report, the company is expected to close the gaps.
     • After the gap closure, both parties agree a time frame for the verification tests.
     • The findings in the report are re-evaluated in the verification tests.
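Slides 18 and 21 describe two things that benefit from one structured findings register: the category and severity breakdown that goes into the report, and the later verification round that re-evaluates each finding. The following Python is an added example and not BTPSec's code or report tooling; the findings, identifiers, categories and retest verdicts are constructed for illustration, and the severity scale is an assumption.

```python
"""Findings register for a pentest report, plus the post-fix verification round.

Added example, not part of the original deck. All finding data below is
constructed for illustration; the severity scale is an assumption.
"""
from collections import Counter
from dataclasses import dataclass

# Highest severity first, so tallies and sorted reports follow this order.
SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Retest verdicts the verification round may record; "partial" still counts as open.
RETEST_VERDICTS = {"fixed", "partial", "open"}


@dataclass
class Finding:
    fid: str
    title: str
    category: str
    severity: str
    affected: list[str]

    def __post_init__(self) -> None:
        if self.severity not in SEVERITY_ORDER:
            raise ValueError(f"{self.fid}: unknown severity {self.severity!r}")


# Constructed sample findings (hostnames are illustrative, .test TLD).
FINDINGS = [
    Finding("F-01", "SQL injection in product search", "Web application", "Critical", ["shop.example.test"]),
    Finding("F-02", "Outdated OpenSSL on web tier", "Patch level", "High", ["shop.example.test", "api.example.test"]),
    Finding("F-03", "Expired TLS certificate", "Certificate usage", "Medium", ["mail.example.test"]),
    Finding("F-04", "Verbose error pages disclose stack traces", "Configuration", "Low", ["api.example.test"]),
    Finding("F-05", "Default SNMP community string", "Configuration", "High", ["core-sw1.example.test"]),
    Finding("F-06", "Directory listing enabled", "Configuration", "Informational", ["static.example.test"]),
]

# Constructed retest results from the verification round; F-04 and F-06 were not retested.
RETEST = {"F-01": "fixed", "F-02": "fixed", "F-03": "open", "F-05": "partial"}


def tally_by_category(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, most frequent first (report chart data)."""
    return dict(Counter(f.category for f in findings).most_common())


def tally_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, always listed from Critical down to Informational."""
    counts = Counter(f.severity for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def sort_for_report(findings: list[Finding]) -> list[Finding]:
    """Order findings for the report body: highest severity first, then by id."""
    return sorted(findings, key=lambda f: (-SEVERITY_ORDER[f.severity], f.fid))


def verify(findings: list[Finding], retest: dict[str, str]) -> dict:
    """Re-evaluate every reported finding against the retest verdicts.

    Returns which findings are closed, which remain open (including partial
    fixes), which were never retested, and the highest severity still unresolved.
    """
    known = {f.fid for f in findings}
    for fid, verdict in retest.items():
        if fid not in known:
            raise KeyError(f"retest result for unknown finding {fid}")
        if verdict not in RETEST_VERDICTS:
            raise ValueError(f"{fid}: unknown retest verdict {verdict!r}")

    closed = [f.fid for f in findings if retest.get(f.fid) == "fixed"]
    still_open = [f.fid for f in findings if retest.get(f.fid) in ("open", "partial")]
    unretested = [f.fid for f in findings if f.fid not in retest]

    # Anything not confirmed fixed is residual risk, including untested items.
    residual = [f for f in findings if f.fid in still_open or f.fid in unretested]
    residual_max = max((f.severity for f in residual), key=SEVERITY_ORDER.get, default=None)

    return {
        "closed": closed,
        "open": still_open,
        "unretested": unretested,
        "residual_max_severity": residual_max,
    }


if __name__ == "__main__":
    print("By category:", tally_by_category(FINDINGS))
    print("By severity:", tally_by_severity(FINDINGS))
    print("Verification:", verify(FINDINGS, RETEST))
```

Two design points match the slides: automated-scan output is never fed in directly, every entry is a verified finding with a severity the report can graph, and the verification round treats an unretested or partially fixed finding as residual risk rather than silently dropping it from the closure summary.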
  22. BTPSEC OFFICES
  23. ANY QUESTIONS? You can find us at @btp_sec and info@btpsec.com
