Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.

The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization’s security policy compliance, its employees’ security awareness and the organization’s ability to identify and respond to security incidents.

Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.

Penetration Testing

Pen test strategies include: -

Targeted testing
Targeted testing is performed by the organization’s IT team and the penetration testing team working together. It’s sometimes referred to as a “lights-turned-on” approach because everyone can see the test being carried out.

External testing
This type of pen test targets a company’s externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they’ve gained access.

Internal testing
This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.

Blind testing
A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that’s performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.

Double blind testing
Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted. Double-blind tests can be useful for testing an organization’s security monitoring and incident identification as well as its response procedures.

Penetration Testing

Penetration Testing Tools

1)   Nmap - Worlds Best Port Scanner

2)   Nessus - Vulnerability Scanner

3)   Metasploit - Exploit framework

4)   Pass-The-Hash - Who needs passwords?

5)   Hydra - Brute force password guessing

6)   Cain & Abel - The ultimate MITM utility

7)   Wireshark – network protocol analyzer

8)   Snort – traffic analysis and packet logging on IP networks

9)   Netcat – reads and writes data across TCP or UDP network connections

10)Nikto – web server scanner which performs comprehensive tests against web servers

Problems:-
a) Too many credential
b) Which one for which application
c) Multiple logons
d) Provisioning new accounts
e) Password management
f) Auditing user activity
g) De-provisioning users
h) Managing non-employees access

Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.

Risk management is the set of processes through which management identifies, analyses and where necessary responds appropriately to risks that might adversely affect realization of the organization’s business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.

Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.

Organisations should develop a proactive policy and strategy that embraces new ideas and methods to create a secure mobile workplace. “Secure mobility” is typically defined as the ability to provide employees and customers with secure “anytime, anywhere, any device” access to the corporate network.

One typical security problem that remote users may encounter is the transfer of viruses or other malware via memory cards or sync connections from infected mobile devices to laptops. Then, when infected laptops plug into a corporate network, there is the potential of further infection of internal corporate resources, possibly causing substantial damage to valuable and sensitive information. However, this is not the only security problem affecting mobile devices. The loss of data privacy that can result from a misplaced, stolen, or improperly used phone can also severely compromise corporate information.

Educate employees to use only devices that are provided by company. There are technologies to prevent unauthorised access to the network. For example, Network Admission Control (NAC) enforces policy for remote devices connecting to the corporate network, and Wireless detection devices Install wireless detection technology on your wireless networks to monitor unauthorised wireless users and the deployment of rogue access points.

There are technologies to prevent compromise of the endpoint: Client Security Software’s, Host-based Intrusion Detection/Prevention Software (IDS/IPS), and Anti-Spywares. There are technologies to prevent information loss or data loss or exposure to information: Data Encryption, and Information/Data Leak Prevention (ILP / DLP) software’s. Monitor compliance with your organisation’s mobile policy

Benefits of Mobile workers:-
1. Improved employee productivity.
2. Eliminating traditional work boundaries and creating a more flexible workspace.
3. Improved client interactions.

In particular, smart phones are becoming increasingly popular with knowledge workers. Number of companies providing devices to mobile workers and executives for use both inside and outside the offices. Companies are supporting connectivity to devices the individuals buy for their own uses.

Initially companies use mobile devices to use is e-mail access, increasing number of organizations are taking next step, extending access to data in core corporate applications such as ERP, CRM and Banking.

Steps to Secure Mobile Devices:-
1. Educate users on the importance of secure mobile device and ways to avoid the loss of device. Keep device open to access anyone or un attended.
2. Ensure mobile devices are set password.
3. Install mobile management system to enforce data security and policies.
4. Control over data download and access in different network.
5. Encrypt corporate data depends on its sensitivity.
6. Virus protection in mobile devices.
7. Enable lockdown, if the device lost and automatically wipe the data stored in its memory.
8. Log the sensitive information access.
9. Proper register of devices allocated to employees and access.
10. Periodic audit of mobile devices access.

The documents acts as a “must read” source of information for everyone using in any way systems and resources defined as potential targets. A good and well developed security policy should address some of these following elements:

-How sensitive information must be handled.
-How to properly maintain your ID (s) and password(s), as well as any other accounting data.
-How to respond to a potential security incident, intrusion attempt, etc.
-How to use workstations and Internet connectivity in a secure manner.
-How to properly use the corporate e-mail system.

Basically, the main reason behind the creation of a security policy is to set a company’s information security foundations, to explain to staff how they are responsible for the protection of the information resources, and highlight the importance of having secured communications while doing business online.

Some of the Information Security Policy categories:-

• Physical / Desktop Security / Laptop Security
• Internet Access
• Virus Protection
• Data Centre Access
• Software Installation
• Removable Media
• Encryption
• Backups
• Maintenance
• Incident Handling
• Web Browsing
• E-mail Use
• Instant Messaging Applications
• Downloading
• Intrusion Detection
• Acceptable Use