BDO VAPT Services

15 May 2017

David Cohen, BDO Forensics and Cyber Lab
Warren Carr, IT Partner (Associate)

VULNERABILITY AND PENETRATION TESTING SERVICES

While BDO Namibia Forensics and Cyber Lab Services are guided by best practice standards such as NIST/SANS/OWASP, our Vulnerability and Penetration testing approach has been tested, refined and customized over time. The methodology below provides a high-level outline of our proven Penetration Testing Process. This methodology can be augmented by Advanced Threat Modules (ATM) that include, but are not limited to, our stealth testing module, managed security service provider testing module, IDS / IPS effectiveness and tuning module, pseudo-malware module, distributed metastasis module, Social Engineering module, and many more.

BDO Namibia Forensics and Cyber Lab Services penetration testing services mimic an attacker seeking to access sensitive assets by exploiting security weaknesses existing across multiple systems. This service identifies vulnerabilities and reveals how networks designed to support normal business operations can provide attackers with pathways to backend systems and data. During the engagement, we begin by assessing your network or application infrastructure's "weakest links" and other possible vectors of attack. We then determine the ramifications of each compromise by attempting to escalate privileges on the entry points and pivoting to determine whether any other systems can be subsequently targeted and breached.


Step 1: Logistics and Controls

Logistics and controls is an important yet often overlooked component of delivering quality penetration tests. The purpose of this step is to reduce the rate of false positives and false negatives by ensuring that proper adjustments are made to all testing modules prior to launch. This module is perpetual in that it continues to run during the entire course of testing: it identifies any issues that exist before testing begins and any network or system state changes that occur during testing.


Step 2: Advanced Reconnaissance

BDO Namibia Forensics and Cyber Lab Services begins all penetration tests with a combination of Social and Technical reconnaissance. Social reconnaissance, not to be confused with Social Engineering, is focused on extracting information from personal websites, social networking sites like LinkedIn and Facebook, technical forums, internet relay chat rooms, company job opportunities, documents that have been leaked or published, etc. The goal of social reconnaissance is to identify information that might assist in compromising the target. Historically this information has included source code, confidential files, passwords, troubleshooting questions about IT issues, etc.

Technical reconnaissance focuses on the discovery of hosts, service fingerprinting, configuration analysis, web server directory enumeration, the identification of administrative portals, the identification of customer portals, the identification of hidden endpoints such as cable modems or DSL lines, the use of third party services provided by hosting providers, managed security service providers, and much more. Technical reconnaissance may or may not use port scanners, web application scanners, vulnerability scanners, etc. depending on the threat and intensity levels of the service being provided.


Step 3: Analysis

Once initial social and technical reconnaissance tasks are complete, BDO Namibia Forensics and Cyber Lab Services enters an analysis stage. During this stage all information is correlated and an attack matrix is created. The matrix identifies all potential attack vectors and organizes them by probability of successful penetration. Every identified listening port or web application component is considered to be a potential attack vector.


Step 4: Real Time Dynamic Testing

Once sufficient intelligence has been gathered, BDO Namibia Forensics and Cyber Lab Services begins penetration efforts. While common tools may be used to penetrate systems with low-hanging fruit, a manually intensive, research-driven process is used to penetrate more complex targets. Regardless of the success attained during this step, we continue to manually review and research each available port for known and unknown vulnerabilities, including through the use of customized scripts and exploits. The technologies used for steps 3 – 4 include port scanning, vulnerability scanning, proprietary tools and scripts, and passive testing. The findings are reviewed and an attack methodology is determined. Potentially disruptive attacks are discussed with the client and scheduled as/if appropriate. Post exploitation, privilege escalation is attempted, as well as pivoting to other resources; as an option, persistent backdoor access is created as proof of concept.


Step 5: Reporting

To conclude the project, a collation of all the findings is submitted for review.

When conducting Vulnerability and Penetration tests, the objective of the BDO Namibia Cyber and Forensic Lab is to: identify and prioritize known security vulnerabilities; test your organisation's ability to detect and respond to attacks; identify and address vulnerable attack vectors; assess the operational impact of successful attacks; review regulatory compliance; review the effectiveness of current security spending; and finally, test and advise on a layered security approach. The components of our testing service include:

Internal white-box testing of the entire infrastructure including:

  • All servers (physical and virtual)
  • All client machines (a random selection is tested, but all client machines are considered in scope)
  • All networking devices including routers, switches, IDS/IPS, VOIP servers/VLANs etc.
  • Password cracking of current server hashes as POC and test of password policies
  • Deep packet inspection to find anomalous packets/PII/passwords transmitted in plain text

External white-box test of up to 20 IP addresses as provided including:

  • All internet facing ports
  • All support infrastructure including databases (MSSQL/MYSQL) and hosting software (Apache/IIS)
  • Denial of Service attacks at a mutually agreed upon time as POC

Deep Packet Inspection
The test team connects a machine to the network which captures all packets flowing through the switch for a period of 24 to 48 hours. We then review those packets in our lab looking for unencrypted sensitive information, including login credentials, plain text emails and sensitive data being sent unencrypted across the network and onto the internet, as well as anomalies (like backdoors) on the network. This allows the client to prove, with data, which systems are transmitting packets using encryption as intended and that best practices are being practically implemented.

Cryptography
Using supplied administrative credentials, the test team pulls password hashes from the server and attempts to crack those passwords in our lab. This testing is conducted in two phases: (1) a dictionary attack to locate poor passwords and (2) brute force of all passwords of 9 characters or less. This allows administrators to gauge the effectiveness of password policies and whether users are following best practice guidelines when choosing passwords.

Social Engineering
Social engineering is a technique that relies on the manipulation of people to gain access to resources that should be off limits to the attacker. These attacks rely on helpful human nature to succeed, and are exceptionally popular with knowledgeable attackers.

External: The test team will endeavour to mislead users into clicking email links, downloading files or otherwise executing software which allows us to gain access to those client machines. Note that we have the ability to use either active (live) payloads or passive (POC) payloads as per client preferences. Phishing attacks are conducted at 5 levels of increasing legitimacy to allow accurate assessment of current staff training.

Internal: The test team endeavours to gain physical access to the infrastructure, bypassing access control and security, and will attempt to place a device on the network, plug in and execute software on unlocked workstations, and gain access to sensitive information.


CONTINUOUS CYBER SECURITY MONITORING SERVICE

As a cost effective information security service, BDO Namibia Cyber Lab has introduced a new service which affords your organisation continuous information security monitoring for a period of two years. Three separate packages have been developed, each with different services that best suit your risk appetite. A description of each service follows. Speak to us about pricing on these packages, should you prefer to secure your organisation more vigilantly over a contractual period of two years instead of a once-off vulnerability/penetration test.

New Risk Notification
New risks and vulnerabilities are continually being discovered by the security community at large. Our research team not only keeps abreast of these discoveries and notifies our clients immediately as new risks are identified, but also sets up labs to test those exploits in an effort to better understand their scope and limitations. All this is done in order to be able to explain, in detail, to our clients how the new risk affects them and how to manage that risk until such time as software developers release updates to address the problem.

Ongoing external vulnerability scans
Once every two weeks the external (internet) facing network is scanned by multiple industry leading vulnerability scanners. The external facing network is the most likely target for hackers since it is relatively easy to remain anonymous across the internet while attacking companies. A knowledgeable attacker faces very limited risk in these situations, and because of this it is the most common attack vector.

Internal vulnerability scan
BDO Namibia scans the internal network every three months to identify risks from inside the Local Area Network (LAN). We notify the client of what information is available on the network at different levels of authentication. We also check the infrastructure for viruses, malware, backdoors, misconfigured devices, and devices that are not current with software and firmware updates. BDO Namibia scans the client infrastructure with multiple industry leading vulnerability scanners. These scans assist in preventing attacks by identifying vulnerabilities and configuration issues that hackers could use to penetrate the infrastructure. A few of the many possible issues that are detected include:

  • Viruses and Malware
  • Botnets
  • Open ports
  • Known vulnerabilities
  • Web services serving malicious content
  • Backdoors
  • Unknown processes
  • Missing patches and updates
  • Misconfigurations

These scanners are continually updated to identify the newest risks and vulnerabilities as they are discovered by researchers. By scheduling these scans on a mutually agreed upon time and date we avoid operational impact and allow technical staff to identify scans originating from BDO Namibia as opposed to other malicious vectors. Our security experts review every report and will contact the responsible person directly if a serious issue is detected.

External vulnerability scan
A full external penetration test is conducted every six months. A red team tries to exploit every part of the internet facing network. We not only try to breach the firewall, but also attempt to gain access to the internal network. External testing includes Social Engineering tests conducted during external penetration tests, as well as at random times during the agreement period, keeping staff "on their toes". Testing may include all supporting infrastructure (unless indicated otherwise by the client) including but not limited to:

  • Web research
  • Databases
  • Access Control
  • VPN Access
  • Firewalls
  • Routers
  • Connectivity
  • Mobile devices
  • Applications
  • Client computers

Denial of service testing will be conducted (unless specified otherwise by the client) after hours to limit the collateral impact of these tests. Please note that we require a technical staff member on site to verify the tests and resolve any unexpected occurrences (usually restarting a router or firewall). A penetration test takes testing a step further than a vulnerability scan. Instead of simply identifying risks for the client to resolve, the pentest team actively tries to exploit those risks and vulnerabilities, simulating what a knowledgeable black hat (or bad guy) hacker could potentially access. Every single open port of every single IP address is actively tested with the goal of bypassing security systems and gaining access to unauthorized systems and infrastructure. This is a time intensive process, heavily dependent on expertise in information security and in many different areas of information technology.

Goals

  • Identify and prioritize known security vulnerabilities
  • Test ability to detect and respond to attacks
  • Identify and address vulnerable attack vectors
  • Assess operational impact of successful attacks
  • Review regulatory compliance
  • Review effectiveness of current security spending
  • Test and advise on layered security approach

Benefits:

  • Superior risk management
  • Increased business continuity
  • Reveal security flaws
  • Protect clients, partners, third parties and staff
  • Minimize and limit client side attacks
  • Evaluate security investment
  • Protect public relationships and brand continuity

Internal penetration testing
Every six months, BDO Namibia conducts a full internal penetration test. We attempt to gain access to resources:

  • without any access (simulating a wireless or plug-in breach)
  • with user only access (what can a knowledgeable attacker, posing as a new staff member, access on the infrastructure)
  • and as an administrator (are systems configured optimally)

Every branch and satellite office needs to be tested internally (from within each local network) and the report produced from these tests provides an exceptionally detailed view of the infrastructure. Internal penetration testing includes social engineering exercises as well as deep packet inspection and password cracking. Testing may include all supporting infrastructure that use IP addresses including but not limited to:

  • Research
  • Servers / Databases
  • Access Control
  • MD5 Hashes
  • Firewalls
  • UPS and Inverter devices
  • Connectivity devices
  • Mobile devices
  • Applications (limited internal app testing)
  • Deep packet inspection
  • Routers / Switches
  • Printers
  • Client computers
  • Social Engineering
  • Denial of service

Training
It is generally understood by the security community that staff members are the weakest link of any security posture. We can spend a wealth of time and money on security only to have a user bypass it all by giving away crucial information. At BDO Namibia we believe that training is of critical importance for all staff members that have access to computers, and with that in mind we offer training for general staff members. Our immensely popular "Meet the hacker" presentation is a one-hour training session that aims to teach all staff members the basics of keeping information safe, both within the company and in their personal capacity. Presented from the point of view of the "hacker", we illustrate, with examples, the different exploits used in order to gain unauthorized access. While heavily focused on Social engineering, it also covers many of the other vulnerabilities users present. Included in this agreement is a training session per year for every staff member, including satellite offices with 10 or more staff members within South Africa.

Forensic audit
Even the most diligent, security conscious companies have been breached due to zero day attacks. These are vulnerabilities that have been uncovered by black hat hackers but have not been discovered by the information security community. Should a breach occur, despite our best efforts, BDO Namibia will provide a well-trained, respected authority in the security community to conduct a forensic audit at no additional cost. The auditor will attempt to:

  • Identify attackers.
  • Identify the means and the time span of the breach.
  • Determine the impact to the organization.
  • Collect evidence in such a way as to be admissible in legal proceedings should the organization wish to prosecute.
  • Advise on corrective action regarding controls that may have failed.

Ongoing consultation services
BDO Namibia offers limited additional consultation services including:

  • 24/7 telephonic support related to information security
  • 24/7 email support related to information security
  • Review or creation of information security policies

The policies covered by this review or creation service include:

  • End user security policy
  • Acceptable use policy
  • Clean desk policy
  • Email policy
  • Ethics policy
  • Password construction guidelines
  • Password protection policy
  • Software installation policy
  • Technical security policy
  • Security response plan
  • Remote access policy
  • Wireless communication policy - BYOD
  • Server security policy
  • Router and Switch policy
  • Firewall policy
  • Information logging standards
  • Change control policy
  • Disabling accounts for users who have left

Unfortunately, additional services like data loss prevention and security framework implementation cannot be included by default and will need to be managed separately.