Penetration Testing mailing list archives
RE: Bank pen test
From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Fri, 3 Mar 2006 20:46:36 -0000
Hi Noe,
> -----Original Message-----
> From: Noe Espinoza Mancillas [mailto:nespinoza () grupowissen com]
>
> Hello all! Now I'm still waiting to start an internal penetration test in a bank. They have a lot of servers: HP-UX, Win, Sun, Linux, etc., and now they are using ISS (scanner) to find vulnerabilities and then they make a remediation with some scripts and other commercial tools. So now they need help, because every time the ISS scanner runs it finds the same vulnerabilities after patching the servers. I told them that it is really important to use some other, different scanners and to make a penetration test to review whether the vulnerabilities are really a risk for the business, and they don't accept it.
I agree with you. Some tools will still report that the vulnerabilities exist even after applying the patches (if I remember correctly, this is common with Sun Solaris, since several patches do not update version numbers and some vulnerability scanner tests rely on these). Using several tools might give you an idea of whether the patches were not correctly applied or whether some of the tools are not detecting the changes. Ideally, you should know more details about the vulnerability that is still being reported and how exactly the tool is testing for it (not a simple task with closed-source commercial tools, but putting a protocol analyzer in the middle might give you an idea of what is going on). Also, if there is a manual and safe way to determine whether the vulnerability still exists, you might want to go for it (e.g. buffer overflows are usually not safe, because if the vulnerability still exists you might crash the machine, and if it is a critical server...).
> But they need it; they need to make a remediation of all the vulnerabilities in all the 4000 servers! So they ask for a pen test for only 20 servers, and I don't know how I can select the number of servers that I need to test to be sure that all the rest of the servers have the same vulnerabilities?
There are most probably differences between server configurations that result in different degrees of security. Even if they require you to only scan 20 of them, you should make this clear (even if they claim that the configuration is identical, they might not have a patch log that actually confirms that all servers have the same level of updates). Now, just claiming that they must review all of their servers is not going to help them or you. This is the kind of situation where you need soft skills to make your way. Banks (at least the ones I know of) are very closed institutions with strict procedures for some things (that doesn't necessarily mean that security is included). It might mean, however, that things have to be done their way, and claiming that "their way" doesn't work without proof usually results in them ignoring you completely.

Try this: select a representative sample of the most critical servers (i.e. if they have 2 email servers, one active and one backup, don't waste your time for now and only scan one of them). Select your servers based on their importance to the business. Hence, you will need to do some research on the business; do not expect bank personnel to be particularly open to this kind of information request. Typical examples:

* Databases. There are usually hundreds of databases within banks; you might want to select a few of those holding client information or information necessary for critical services (i.e. real time).
* Front-end servers for important applications (e.g. the ones to which e-banking clients connect).
* Back-end application servers. You might want to select some of the application servers that host client applications and serve the front-end servers.
* Internal/Intranet servers. Banks also usually have several critical applications that do not interact directly with the client but are necessary. These might include intra-bank information systems and other systems that connect to other types of financial institutions to query/send information.

After you select your servers and perform your penetration test, depending on the results, they might simply recognize that they need to go further with the testing. Also, depending on the location, you might want to remind them of any regulations that require security assessments, but be careful with the way you say it (i.e. simply stating that it makes sense to perform this and that assessment to comply with regulation X might get you somewhere, whereas accusing them of ignoring regulation and not hiring you will simply result in them kicking you out and hiring someone else, if they please). This is essential for dealing with this type of institution; good technical skills are not the only thing, you need to establish an effective communication channel with them; banks are inherently hard to communicate with, especially regarding information security issues.
> And what kind of tools can I use to make that? I've never been in that kind of penetration test :(. I'm thinking of using Core Impact! Any suggestions?
Tools such as Core Impact might be helpful, definitely. However, you need to take into account the characteristics of the environment you are trying to assess. Banks usually have several dozens of home-made applications (both for intra-bank communications and for e-banking). Even if they use some kind of application framework, they still code a lot themselves to produce their applications. Therefore, it really makes sense to identify the most common programming language (especially for web-based services) and try to manually perform security assessments on these applications (most automated tools will have a limit to do this kind of testing). So, look for things like:

* SQL injections
* Inappropriate session management
* Insecure communications (you might find confidential data travelling unencrypted through the internal network; the fact that it is the internal network doesn't make the data more secure)
* Information leaks through source code

Note that web services published on the Internet might be more polished than internal services (for obvious reasons).

Some final words: no matter what the people in the bank tell you about some server/application not being important, always be extremely careful with what you do. Some applications within banks are very sensitive to response time (i.e. you might actually cause a financial impact if you crash a critical server). Relationships between servers and applications are not obvious sometimes, so make sure you get all the information you can about the things you will be testing before starting. Make sure you have the needed legal stuff in your contract, be careful not to get out of scope, and make sure their technical contact will be available at any time while the tests are being conducted.

I hope this helps :-)

Regards,
Omar A. Herrera
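Two of the points in Omar's reply lend themselves to a small worked example: deciding how much to trust a finding the scanner keeps reporting after patching (the Solaris case, where the patch is installed but the banner the scanner keys on is unchanged), and choosing a small sample of servers by business criticality while skipping passive backup twins. The code below is an added illustration and not part of this thread, of ISS, or of Core Impact; every host name, finding id, patch id, criticality score and the finding-to-patch mapping is a constructed placeholder, and `classify`, `triage` and `select_sample` are names chosen here.

```python
"""Reconcile scanner findings with patch logs, then pick a review sample.

All data below is constructed for the example; real scanner finding ids and
vendor patch ids look different and must come from the environment itself.
"""
from collections import defaultdict

# Constructed mapping: scanner finding id -> patch ids known to fix it.
FIX_FOR = {
    "SOL-SENDMAIL-OVERFLOW": {"PATCH-123456-01"},   # placeholder Solaris patch id
    "HPUX-RPC-DOS": {"PHNE-00001"},                 # placeholder HP-UX patch id
    "LINUX-OPENSSH-OLD": {"openssh-3.9p1-8"},       # placeholder package version
}

# Constructed patch logs: host -> set of installed patch ids.
# "sol-mail-02" deliberately has no patch log at all, the situation where
# nobody can confirm that the server is at the same update level as the rest.
PATCH_LOG = {
    "sol-mail-01": {"PATCH-123456-01"},
    "hpux-core-01": set(),
    "lnx-web-01": {"openssh-3.9p1-8"},
}

# Constructed scanner output: (host, finding id, evidence the scanner used).
FINDINGS = [
    ("sol-mail-01", "SOL-SENDMAIL-OVERFLOW", "banner version 8.12.10"),
    ("sol-mail-02", "SOL-SENDMAIL-OVERFLOW", "banner version 8.12.10"),
    ("hpux-core-01", "HPUX-RPC-DOS", "rpc service version reply"),
    ("lnx-web-01", "LINUX-OPENSSH-OLD", "banner OpenSSH_3.9p1"),
]


def classify(host, finding_id, patch_log=PATCH_LOG, fix_for=FIX_FOR):
    """Decide how much to trust a finding the scanner keeps reporting.

    Returns one of:
      "unverifiable"       - no patch log for the host, nothing to compare with
      "unmapped"           - we do not know which patch fixes this finding
      "open"               - the fixing patch is missing from the host's log
      "needs-manual-check" - patch is logged but the scanner still flags it;
                             typical when a patch leaves the version banner
                             unchanged, so confirm by a safe manual method
                             (vendor patch listing, config review), never by
                             re-triggering a crash-prone condition
    """
    if host not in patch_log:
        return "unverifiable"
    fixes = fix_for.get(finding_id)
    if not fixes:
        return "unmapped"
    if fixes & patch_log[host]:
        return "needs-manual-check"
    return "open"


def triage(findings=FINDINGS, **kw):
    """Bucket findings by classification so the open ones get attention first."""
    buckets = defaultdict(list)
    for host, fid, evidence in findings:
        buckets[classify(host, fid, **kw)].append((host, fid, evidence))
    return dict(buckets)


# Constructed inventory: host -> (role, criticality 1-5, is_passive_backup).
INVENTORY = {
    "sol-mail-01": ("mail", 3, False),
    "sol-mail-02": ("mail", 3, True),
    "hpux-core-01": ("core-banking-db", 5, False),
    "lnx-web-01": ("ebanking-frontend", 5, False),
    "lnx-web-02": ("ebanking-frontend", 5, True),
    "win-intranet-01": ("intranet-app", 2, False),
}


def select_sample(inventory, limit):
    """Pick at most `limit` hosts: one per role, the active member of an
    active/backup pair, highest business criticality first."""
    by_role = defaultdict(list)
    for host, (role, _crit, backup) in inventory.items():
        by_role[role].append((backup, host))   # active (False) sorts before backup
    candidates = []
    for members in by_role.values():
        _backup, host = sorted(members)[0]
        candidates.append((-inventory[host][1], host))
    return [host for _, host in sorted(candidates)[:limit]]


if __name__ == "__main__":
    for bucket, items in sorted(triage().items()):
        print(bucket, items)
    print("sample:", select_sample(INVENTORY, 3))
```

A finding that lands in the "needs-manual-check" bucket is exactly the case described above: the patch log says it is fixed, the scanner says it is not, and only a safe manual confirmation settles it. The "unverifiable" bucket is the argument for insisting on patch logs before accepting that 20 servers stand in for 4000.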