Whole of Victorian Government Guideline: Information Security

Penetration testing

Guideline

Keywords: Information security; penetration testing; SEC/STD/03; guideline; SEC/GUIDE/03
Identifier: SEC/GUIDE/03
Version no.: 1.0
Status: Final
Issue date: N/A
Date of effect: 1 May 2010
Next review date: In progress
Owner: Government Services Division, Department of Treasury and Finance, Victorian Government
Issuing authority: Government Services Division, Department of Treasury and Finance, Victorian Government

© The State of Victoria 2011

Copyright in this publication is reserved to the Crown in right of the State of Victoria. Other than for the purposes of and subject to the conditions prescribed under the Copyright Act, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system, or transmitted without prior written permission. Inquiries should be addressed to:

Government Services Division, Department of Treasury and Finance, Government of Victoria, Melbourne

Overview

In November 2009 the Department of Treasury and Finance (DTF) published the whole of Victorian Government (WoVG) information security standard on penetration testing, SEC/STD/03 [1]. This standard describes the requirement for annual penetration testing of all externally facing applications and infrastructure, as well as business-assessed sensitive internal systems. It requires all inner budget departments and agencies to prepare a response to DTF:

  • by May 2010 (now 30 June 2010) outlining the initial work plan for penetration testing; and
  • annually on the results of penetration testing (1 November).

Subsequent departmental penetration testing programs of work should be included in the overall departmental program of work in the response to the Information Security Management Framework SEC/STD/01 [2].

Audience

Information security is the responsibility of all staff. These guidelines are therefore produced for the benefit of information owners, and the IT staff involved in compliance with SEC/STD/03.

Context

This guideline will assist departments in their consideration of compliance with SEC/STD/03 and should be read in conjunction with that standard.

Suggested approach

Phase 1: plan and consult

The success of the penetration test will depend on a comprehensive planning and preparation phase.

1. Define the objectives of the proposed penetration test

Document what the business is trying to achieve through the test. The objective will play a large part in defining the scope of the test.

2. Consider the legal and contractual obligations

These obligations could potentially limit the time and nature of the test. Legal obligations, contractual service level agreements, availability requirements in contracts, throughput service level agreements and similar conditions will impact the scope of the test.

3. Ensure findings are covered under strict non-disclosure agreements

Findings of penetration testing may contain sensitive information about security weaknesses. Ensure that the project in general and the findings specifically are covered by the strictest non-disclosure agreements.

4. Discuss the risks

Risks of conducting the penetration test need to be discussed with the stakeholders. This includes IT staff, application owners, business stakeholders and executive management. The outcomes of the risk discussion may have an impact on the scope of the test.

[1] Department of Treasury and Finance, SEC/STD/03 Information Security Penetration Testing, November 2009,

[2] Department of Treasury and Finance, SEC/STD/01 Information Security Management Framework, April 2009,

5. Finalise the scope

Once the objectives have been defined, the legal and contractual obligations considered and the risks discussed with stakeholders, finalise the actual scope of the penetration test. The scope should clearly define the timing, extent and nature of the test, including target systems, whether it needs to be a 'black box' or a 'white box' test etc. The scope should also specify the success criteria against which the department can measure results.

6. Notify appropriate stakeholders involved

Appropriate stakeholders need to be identified. For example: internet service providers may need to be informed so that they don't automatically block sniffer packets; business executives may need to be informed if there is a risk of system performance degradation; HR may need to be involved if a social engineering test is to be performed.

7. Develop and approve the test plan

Develop a comprehensive test plan. Once this detailed, step-by-step plan is developed, business executives (the information owners) and other relevant stakeholders are required to approve it.

Phase 2: reconnaissance and information gathering

A penetration tester will generally use the same techniques and processes used by an external hacker. The first and most important step in penetration testing is gathering base information on the target system/network.

This is called passive reconnaissance. This phase consists of:

1. gathering publicly available information;

2. gathering information from other sources; and

3. identifying target details.

Phase 3: device/network enumeration and vulnerability scanning

The authorised attack is carried out using public, custom and professional tools to identify the vulnerabilities that could be exploited by potential attackers.

1. Scan target network and identify devices;

2. Identify device operating systems;

3. Scan devices and networks for vulnerabilities;

4. Identify services/open ports;

5. Determine landscape of target network;

6. Identify vulnerabilities; and

7. Review logs.

Phase 4: analysis of recommendations

In this critical phase, the test team analyses the information and reports high-risk vulnerabilities and recommended controls to the sponsor. The final report must map the findings to the risks the department would have faced had the vulnerabilities been exploited and the threats realised. The final report must contain the objectives and scope of the penetration test, findings and recommendations from each phase and the relative priority of these recommendations.

1. Assess weaknesses and impacts;

2. Identify controls/strategies for remediation;

3. Perform cost/benefit analysis;

4. Develop remediation action plan; and

5. Integrate action plan into the departmental risk management process.

Scoping considerations

A non-exhaustive list of criteria to consider for testing of known and unknown vulnerabilities is given in the table below. The actual testing will depend on the purpose and scope of the test. Additional vulnerabilities will arise from time to time, while some existing vulnerabilities will be made redundant due to dynamically changing technologies. Therefore, this list acts as a guide only. Departments and agencies remain responsible for determining the scope and extent of their penetration testing.

Physical access controls
Identify access points into the:
  • premises;
  • server room; and
  • network.
Determine whether:
  • adequate access controls are provided on doors;
  • alarm monitoring controls are in place;
  • opportunities for 'tailgating' exist;
  • opportunities for 'shoulder surfing' exist;
  • adequate access controls to the server room exist;
  • server security containers (racks) provide adequate access controls;
  • any logging, auditing and monitoring is being conducted and how long the logs are maintained;
  • 'dumpster-diving' can reveal any information;
  • classification-based physical containers and secure areas exist [3]; and
  • written sensitive information such as passwords or configuration details etc. is lying around on desks or desktops.
Determine who has access to control mechanisms to the premises, server rooms, racks etc.

Social engineering
Identify whether:
  • opportunities for 'tailgating' exist;
  • opportunities for 'shoulder surfing' exist;
  • confidential/privileged information is available through telephone enquiries;
  • confidential/privileged information is available from staff; and
  • policies exist for confidentiality.
Identify staff awareness of security requirements.
Check for sensitive conversations in public areas e.g. canteens, coffee shops, breakout areas.

Wireless devices
Look for rogue wireless devices on the network.
Identify:
  • wireless endpoint devices on the network/accessible in the area; and
  • the wireless access points accessible in the area.
Determine:
  • the encryption mechanisms used;
  • the authentication mechanisms used;
  • whether authorisation mechanisms (password length/complexity) are adequate;
  • the model and firmware versions of wireless devices to see if vulnerabilities exist;
  • whether wireless access points/devices are physically accessible;
  • the antenna type used on access points and their orientation;
  • whether parameters on wireless devices are configured correctly; and
  • the services/ports open on wireless devices.

[3] Refer to the Australian Commonwealth Government's Protective Security Manual (PSM) produced by the Commonwealth Government's Attorney General's Department:

Operating systems
Determine:
  • the version and service pack levels of identified devices;
  • what ports are open on servers and workstations;
  • what privileged accounts exist on servers and workstations;
  • what privileged groups exist on servers and workstations; and
  • what local and network user accounts exist.
Determine whether:
  • antivirus controls are in place and up to date;
  • firewall controls are in use on local systems;
  • security auditing is being conducted on local systems and servers;
  • the authorisation mechanisms in place (password length/complexity) are adequate;
  • the authentication mechanisms in place are adequate;
  • rogue services are running on servers; and
  • unauthorised applications are running on servers/workstations.
Check:
  • for user accounts not accessed in more than 30 days and the reasons; and
  • details of privileged users: how many, what access, need, etc.
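The two "Check" items above (accounts not accessed in more than 30 days, and an inventory of privileged users) are the kind of review a department would run against its own account exports before or after a test. The following is an added example and not part of this guideline or of any vendor tool: the export format, the account records, the set of privileged group names and the review date are all constructed assumptions for illustration.

```python
"""Account-hygiene checks drawn from the 'Operating systems' criteria:
enabled accounts not accessed in more than 30 days, and an inventory of
privileged accounts. The export format, group names and review date are
constructed for this example (hypothetical), not taken from any product."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional

STALE_DAYS = 30  # threshold named in the guideline
# Assumed set of groups that confer administrative privilege.
PRIVILEGED_GROUPS = frozenset({"Administrators", "Domain Admins", "sudo", "wheel"})


@dataclass(frozen=True)
class Account:
    name: str
    last_logon: Optional[datetime]  # None means the account has never logged on
    groups: FrozenSet[str]
    enabled: bool


def parse_export(text: str) -> List[Account]:
    """Parse a constructed 'name | last_logon | groups | enabled' export.

    last_logon is YYYY-MM-DD or 'never'; groups are comma separated."""
    accounts = []
    for raw in text.strip().splitlines():
        name, last, groups, enabled = (field.strip() for field in raw.split("|"))
        accounts.append(Account(
            name=name,
            last_logon=None if last.lower() == "never" else datetime.strptime(last, "%Y-%m-%d"),
            groups=frozenset(g.strip() for g in groups.split(",") if g.strip()),
            enabled=enabled.lower() == "yes",
        ))
    return accounts


def stale_accounts(accounts: List[Account], as_of: datetime, days: int = STALE_DAYS) -> List[str]:
    """Enabled accounts with no logon within `days` of `as_of`; never-logged-on counts as stale.

    Disabled accounts are skipped: they are already controlled, so the reviewer's
    question is about live accounts that nobody is using."""
    cutoff = as_of - timedelta(days=days)
    return sorted(
        a.name for a in accounts
        if a.enabled and (a.last_logon is None or a.last_logon < cutoff)
    )


def privileged_accounts(accounts: List[Account],
                        privileged: FrozenSet[str] = PRIVILEGED_GROUPS) -> Dict[str, List[str]]:
    """Map each account holding a privileged group to the privileged groups it holds."""
    return {
        a.name: sorted(a.groups & privileged)
        for a in accounts if a.groups & privileged
    }


# Constructed export: one line per local account (hypothetical data).
SAMPLE_EXPORT = """
alice   | 2010-04-28 | Administrators,Users | yes
bob     | 2010-02-01 | Users                | yes
svc_bak | never      | Domain Admins        | yes
carol   | 2010-01-15 | Users                | no
dave    | 2010-04-01 | sudo                 | yes
"""
AS_OF = datetime(2010, 5, 1)  # review date, chosen to match the guideline's date of effect


def review(export: str = SAMPLE_EXPORT, as_of: datetime = AS_OF) -> Dict[str, object]:
    """Run both checks and return the figures a scoping report would record."""
    accounts = parse_export(export)
    return {
        "stale": stale_accounts(accounts, as_of),
        "privileged": privileged_accounts(accounts),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

On the constructed data the stale list is bob and svc_bak (a service account that has never logged on but holds Domain Admins is exactly the case the "reasons" clause asks the reviewer to chase), while the privileged inventory lists alice, svc_bak and dave with the groups that grant them privilege. The 30-day cutoff is exclusive, so an account last used on the boundary day is not reported.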

Network infrastructure
Determine:
  • what devices are discoverable on the network;
  • what network infrastructure is physically accessible;
  • the model and firmware versions of network devices to see if vulnerabilities exist;
  • what ports are open on network devices;
  • what services are available;
  • what authorisation mechanisms (password length/complexity) are in place;
  • what authentication mechanisms are in place; and
  • what local user accounts are on devices.
Determine whether:
  • rule-sets on applicable devices are configured appropriately;
  • devices are configured appropriately with minimum access requirements;
  • auditing is being conducted on network devices for access and changes; and
  • physical connection to the network is accessible.

Security devices
Test authentication and authorisation services.
Determine:
  • what security devices are discoverable on the network;
  • what security devices are physically accessible;
  • what access is possible on security devices; and
  • the model and firmware versions of security devices to see if vulnerabilities exist.
Determine whether:
  • security incidents and concerns are logged, monitored and reported;
  • any controls exist to deter or prevent unauthorised access;
  • antivirus controls are in place and whether the virus signatures are up to date; and
  • network filtering devices exist.
Check for adequacy of rule sets, access control lists, etc.

Web applications
Determine whether:
  • web services are hosted internally or externally by a third party;
  • identified websites are susceptible to known vulnerabilities;
  • confidential information is accessible via websites; and
  • appropriate secure communication channels exist between client and web server.
Determine:
  • what applications are hosted on corporate servers;
  • the requirements for user access to websites, including:
      ◦ the authorisation mechanisms in place; and
      ◦ the authentication mechanisms in place;
  • patch levels on web applications.

Applications
Determine:
  • what applications are on the network and their purpose;
  • the version and release number of applications;
  • the requirements for user access to applications, including:
      ◦ the authorisation mechanisms in place; and
      ◦ the authentication mechanisms in place;
  • what information is accessible from the applications.
Determine whether:
  • any known vulnerabilities exist within the identified applications;
  • the controls around the applications are appropriate for the classification level of the information stored within them;
  • databases are associated to applications; and
  • other applications share information with the application being assessed.

Incident detection and response
Determine whether:
  • incidents have been detected and what actions were taken;
  • a policy and procedure exist to respond to incidents;
  • staff are aware of policy and responsibilities in responding to incidents; and
  • incidents are logged and audited.
Determine the timeframe for incident detection to incident response.

Information security policy
Determine whether:
  • an information security policy exists;
  • the information security policy is enforced; and
  • controls in place reflect information security policy.
Determine:
  • adherence to information security policy; and
  • user awareness of the information security policy.

Databases
Determine:
  • what databases exist on the network;
  • the requirements for access to databases, including:
      ◦ the authorisation mechanisms in place; and
      ◦ the authentication mechanisms in place;
  • what privileged accounts exist on databases; and
  • the assignment of responsibilities of each privileged account.
Determine whether transaction logging and auditing is being performed.
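The "Incident detection and response" row of the table above asks for the timeframe from incident detection to incident response. The following is an added example, not part of this guideline: it takes a small incident register (the record format, the three incidents and the four-hour target are constructed assumptions for illustration) and computes the per-incident detection-to-response interval, the worst case, the incidents that exceeded the target, and those still without any response.

```python
"""Detection-to-response timeframe for the 'Incident detection and response'
criteria. The register format, records and the 4-hour target are constructed
for this example (hypothetical), not drawn from the guideline."""
from datetime import datetime
from typing import Dict, List

TIMESTAMP = "%Y-%m-%d %H:%M"
TARGET_HOURS = 4.0  # assumed response target for the example


def parse_register(text: str) -> List[dict]:
    """Parse 'id | detected | responded | action' lines; responded may be 'open'."""
    rows = []
    for raw in text.strip().splitlines():
        inc_id, detected, responded, action = (f.strip() for f in raw.split("|"))
        rows.append({
            "id": inc_id,
            "detected": datetime.strptime(detected, TIMESTAMP),
            "responded": None if responded.lower() == "open" else datetime.strptime(responded, TIMESTAMP),
            "action": action,
        })
    return rows


def response_hours(rows: List[dict]) -> Dict[str, float]:
    """Hours from detection to first response, for incidents that have a response."""
    return {
        r["id"]: (r["responded"] - r["detected"]).total_seconds() / 3600.0
        for r in rows if r["responded"] is not None
    }


def assess(rows: List[dict], target_hours: float = TARGET_HOURS) -> Dict[str, object]:
    """Summarise the timeframe: worst case, incidents over target, incidents still open."""
    hours = response_hours(rows)
    return {
        "worst_hours": max(hours.values()) if hours else None,
        "over_target": sorted(i for i, h in hours.items() if h > target_hours),
        "unanswered": sorted(r["id"] for r in rows if r["responded"] is None),
    }


# Constructed incident register (hypothetical data).
SAMPLE_REGISTER = """
INC-001 | 2010-03-02 09:15 | 2010-03-02 10:00 | Workstation isolated, malware removed
INC-002 | 2010-03-10 17:40 | 2010-03-11 09:05 | Account disabled, password reset
INC-003 | 2010-04-21 14:00 | open             | Awaiting triage
"""


def run(register: str = SAMPLE_REGISTER, target_hours: float = TARGET_HOURS) -> Dict[str, object]:
    """Convenience entry point over the constructed register."""
    return assess(parse_register(register), target_hours)


if __name__ == "__main__":
    print(run())
```

With the constructed register, INC-001 was answered in 45 minutes, INC-002 (detected after hours) took 15 hours 25 minutes and so exceeds the four-hour target, and INC-003 has no response recorded at all; an open incident is reported separately rather than silently dropped, because a register with unanswered entries is itself a finding for the "incidents are logged and audited" criterion.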

Reporting template

SEC/TEMP/03 is to be used for the annual reporting of penetration test results. The template should be downloaded, completed, saved and returned to:

Glossary of terms and abbreviations

Term / Meaning
Internal penetration test / Penetration testing the systems and services that are accessible and exploitable from inside an agency-level network, and identifying what information and systems can be viewed, and what vulnerabilities exist.
External penetration test / Penetration testing the information, systems and vulnerabilities that are accessible and exploitable from outside the physical bounds of the network. For example, determining what can be identified and accessed from a public network.
Vulnerability / A flaw or weakness that can be exploited to gain an advantage.

Version history

Version / Date / GSD TRIM ref / Details
1.0 / 13 May 2010 / D10/37178 / First promulgated