
Experience Sharing on School Pentest Project (Updated)


By Mr. Eric Fan & Mr. Chris Chan

Published in: Education

  1. Experience Sharing on School Pentest Project. Eric Fan & Chris Chan, UDomain
  2. Agenda
     • Our objective & how we did it
     • Our findings & suggestions
     • Demonstration
     • About UDomain
     • Q & A
  3. Our Objective. As an independent consultant, provide a series of vulnerability scans, penetration tests and reviews of the website security of ten K12 schools, identifying potential areas for further improvement to protect the schools' sensitive data and goodwill.
  4. What we do
     • Step 1: Automated Scan. Configure and execute an automated scan, followed by test plan development. Risk assessment takes place during the test plan development.
     • Step 2: Manual Review. Verify the scan results, eliminate false positives and then execute manual business logic tests. An application walkthrough and threat analysis are also conducted during this stage.
     • Step 3: Debriefing Meeting. Report and analysis of the automated scan and manual review results, with recommendations.
  5. Penetration Test Methodologies. Seven phases to perform testing: Information Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post Exploitation, Reporting, Rescan Support. References: OWASP Top 10, The Penetration Testing Execution Standard, Common Vulnerability Scoring System (CVSS)
  6. Main Testing Tools: OWASP ZAP, Nikto, Dirsearch. *More testing tools may be used depending on the scope of work.
  7. Tester Qualifications: Certified Ethical Hacker, Offensive Security Certified Expert, GIAC Web Application Penetration Tester, Certified Information Systems Security Professional, Offensive Security Certified Professional
  8. Our Findings
     • 29 websites, including public, intranet and internal applications of ten schools
     • 99 hours of scanning, using more than one scanning tool plus manual penetration testing
     • 170+ critical vulnerabilities
     • 20,000+ personal data records, including email, name, HKID etc.
  9. 1,700+ vulnerabilities by severity: Critical 10%, High 16%, Medium 34%, Low 40%
  10. Overall Findings: [bar chart of the number of vulnerabilities per school (labelled A to K), broken down by Low, Medium, High and Critical, on a 0 to 700 scale]
  11. Critical Vulnerabilities: 16 passwords in plaintext, 65 XSS, 105 SQL injection, 13 SSLv2 & v3
  12. Top Security Impact Vulnerabilities
     • Backup File: we found plaintext database login credentials in a backup file, which may lead to unauthorized login.
     • SQL Injection: allows an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
     • Unsupported Software / OS Version: outdated software or operating systems can no longer be updated to the latest patch and remain vulnerable to exploitation.
     • Password in Plaintext: allows anyone who can read the file access to the password-protected resource.
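Two of the findings above, SQL injection and passwords stored in plaintext (the same secret the backup-file finding exposed), come down to one login-code pattern. The following Python example is added here and is not from the UDomain slides or from any school system: it builds a constructed in-memory SQLite user table and shows a login check written the vulnerable way (string-built SQL over plaintext passwords) beside a hardened version (parameterized query over salted PBKDF2 hashes), then shows what a leaked copy of each table would reveal. The account names, passwords and the textbook tautology input are constructed sample values.

```python
"""Login check two ways: the pattern behind two critical findings in the deck
(SQL injection, passwords in plaintext) beside a hardened version.
Added example with constructed data; not code from any school system."""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

# Constructed sample accounts for the in-memory database.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

PBKDF2_ITERATIONS = 200_000


def make_vulnerable_db() -> sqlite3.Connection:
    """Table that stores passwords in plaintext, as the finding describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built SQL: user input is spliced into the statement text, so a quote
    in either field changes the query's structure instead of being compared as data."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_hardened_db() -> sqlite3.Connection:
    """Same accounts, but only salted hashes are stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(u, hash_password(p)) for u, p in SAMPLE_USERS],
    )
    return conn


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup (input is bound as a value, never parsed as SQL),
    then the password is checked against the stored hash in Python."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(row[0], password)


def leaked_plaintext(conn: sqlite3.Connection) -> List[str]:
    """What a leaked copy of the table (e.g. an exposed backup file) would reveal:
    the sample passwords that appear verbatim anywhere in it."""
    cells = {cell for row in conn.execute("SELECT * FROM users") for cell in row}
    return [p for _, p in SAMPLE_USERS if p in cells]


def demo() -> dict:
    """Run both login checks against valid, wrong and tautology input."""
    # Textbook tautology input: the quote closes the literal and the rest is read as SQL.
    tautology = "' OR '1'='1"
    vdb, hdb = make_vulnerable_db(), make_hardened_db()
    return {
        "vulnerable_valid": vulnerable_login(vdb, "alice", "correct horse"),
        "vulnerable_wrong": vulnerable_login(vdb, "alice", "wrong"),
        "vulnerable_tautology": vulnerable_login(vdb, "alice", tautology),
        "hardened_valid": hardened_login(hdb, "alice", "correct horse"),
        "hardened_wrong": hardened_login(hdb, "alice", "wrong"),
        "hardened_tautology": hardened_login(hdb, "alice", tautology),
        "leaked_from_vulnerable": leaked_plaintext(vdb),
        "leaked_from_hardened": leaked_plaintext(hdb),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable version accepts the tautology input and, if its table is ever copied into a backup file, hands over every password verbatim; the hardened version rejects the same input because the parameter is bound as data, and a leaked copy of its table contains only salted hashes. A scanner flags the first symptom, but only the manual review step in the deck's methodology would normally spot the second.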
  13. SQL Injection: 11* in vendor solutions, 12 in schools' own applications; 7 unsupported operating systems. *The same SQL injection vulnerability appears in all 10 schools from one vendor solution (both on cloud and on premise).
  14. SSL Certificates: websites with an SSL certificate 21%, websites without an SSL certificate 79%
  15. Our Suggestions
     • Reliable Vendor Solutions: software and application vendors should offer OS or patch updates for users to fix their software and application vulnerabilities.
     • Regular Scanning: yearly or half-yearly vulnerability scanning and penetration testing is recommended.
     • Regularly Patch Operating Systems: regularly review and update the hardware and application operating systems to the latest patch, to avoid exposure to malware and exploits.
     More info: Information Security in Schools - Recommended Practice (Jan 2019)
  16. Demonstrations
  17. About UDomain
  18. UDomain Group: UDomain, founded in 1998; Web Host, founded in 1998; New Sky, founded in 1997
  19. Our Services
     • Cybersecurity: DDoS protection, Penetration test, Firewall, SSL certificate
     • Internet Service: CDN, VPN, Live-streaming, Email marketing
     • Hosting: Web, email and app, Cloud server, Dedicated server, Colocation; hosting 40,000 websites
     • Domain: .hk registrar, Domain advisor, Brand alert, 1000+ domain types, DNS Panel
  20. Our Qualifications
     • Registrar of .hk Domain: one of the first HKIRC-recognized registrars
     • HK Government Public Cloud Services Provider: first HK web hosting company recognized by the Office of the Government Chief Information Officer (OGCIO)
     • OFCA Services-based Operator Licensee: permitted to provide Authorized International Value-Added Network Services (IVANS)
  21. Awards
  22. Events: Corporate Cyber Security Conference, HK Cyber Security Drill
  23. Summary: People, Process, Technology
     • Multiple machine scanning tools
     • Over 20 years of domain and web knowledge
     • Project experience in different sectors
     • Training and certification
     • OWASP Top 10
     • The Penetration Testing Execution Standard
     • AgilePM
  24. Your Managed Security Service Partner: Penetration Test, Firewall & DDoS Protection, 7x24 Technical Support, Dedicated Security Specialists, High Availability Ring Network
  25. Thank you!
  26. Appendix
  27. Proposed Assessment Plan
  28. Proposed Project Plan
     • Week 1, Automated Scan: we will configure and execute an automated scan, followed by test plan development. Risk assessment will take place during the test plan development.
     • Week 2-3, Manual Review: we will verify the scan results, eliminate false positives and then execute manual business logic tests. An application walkthrough and threat analysis will also be conducted during this stage. We will also search for potential sensitive information related to you through various search engines.
  29. Hybrid Testing (Machine & Manual): Machine Scanning, Manual Penetration Test, Review and Recommendation
  30. Security Assessment Lifecycle: Automated Scan
  31. Automated Scan
     • Tools scan for potential security issues
     • Combine multiple tools to gather more information
     • Include fuzzing in scanning
  32. Security Assessment Lifecycle: Automated Scan, Manual Review
  33. Manual Review (Penetration Test)
     • Enrich the information from machine scanning
     • Verify the findings from machine scanning
     • Look through each page to find security issues
     • Look for logical flaws
  34. Security Assessment Lifecycle: Automated Scan, Manual Review, Report and Recommendations
  35. Report & Recommendations: Executive Summary, Testing Methodologies, Proof of Concept, Impact and Severity, Findings Details, Recommendations, Debriefing meeting
  36. Sample Report
  37. Retest: compiling a retest checklist; scanning for previously found vulnerabilities after fixing; producing the final retest report
  38. Case References
  39. Case Reference I
     • An NGO partnering with the Hong Kong Government, providing quality social welfare services through their 3,000 operating units in Hong Kong.
     • Engagement in Penetration Test: a website before launch in Hong Kong; re-tested several times
  40. Case Reference II
     • A 20-year-old secondary school in Hong Kong
     • Engagement in Penetration Test: an internal CMS system with email function; a public-facing website