Open Source

Untuk seluruh software yang bersifat Open Source tidak akan tenggelam oleh waktu dikarenakan banyak yang mendukung program tersebut dan software tersebut tidak kalah bersaing dengan software berbayar lainnya.

Certified

Mengambil sertifikasi semata-mata bukan untuk menjadi tenar atau sombong, tapi untuk mengetahui apakah anda mampu mengemban tanggung jawab secara moral terhadap apa yang anda telah pelajari dan bagaimana memberikan ilmu tersebut kepada orang lain tanpa pamrih.

Operating System Pentest

Sistem operasi Bactrack, Kali Linux, dll memang sangat memanjakan para Pentester dalam melaksanakan tugasnya sesuai dengan prosedur yang berlaku. Di OS tersebut disediakan beberapa tools menarik seperti untuk memperoleh information gathering, vulnerability assesment, exploit, dll.

Sherlock Holmes

Film detektif yang satu ini pasti disukai oleh beberapa rekan IT dikarenakan proses jalan ceritanya ketika memecahkan sebuah kasus tidak monoton dan memerlukan logika berpikir yang diluar kebiasaan. Daya hayal harus tinggi ketika ingin menonton film ini.

Forensic

Kegiatan forensic bidang IT sangat membutuhkan tingkat pemahaman yang tinggi akan suatu kasus yang ditangani. Tim yang menangani forensic harus bisa membaca jalan pikiran si Attacker seperti apa jika melakukan serangan. Biasanya Attacker lebih maju selangkah dibanding dengan tim pemburunya.

Senin, 08 September 2014

General Penetration Testing Framework

Kali Linux is a versatile operating system that comes with a number of security assessment and penetration testing tools. Deriving and practicing these tools without a proper framework can lead to unsuccessful testing and might produce unsatisfied results. Thus, formalizing the security testing with a structured framework is extremely important from a technical and managerial perspective. 

The general testing framework presented in this section will constitute both the black box and white box approaches. It offers you a basic overview of the typical phases through which an auditor or penetration tester should progress. Either of these approaches can be adjusted according to the given target of assessment. The framework is composed of a number of steps that should be followed in a process at the initial, medial, and final stages of testing in order to accomplish a successful assessment. These include the following:
• Target scoping
• Information gathering
• Target discovery
• Enumerating target
• Vulnerability mapping
• Social engineering
• Target exploitation
• Privilege escalation
• Maintaining access
• Documentation and reporting

Whether applying any combination of these steps with the black box or white box approaches, it is left to the penetration tester to decide and choose the most strategic path according to the given target environment and its prior knowledge before the test begins. We will explain each stage of testing with a brief description, definition, and its possible applications. This general approach may be combined with any of the existing methodologies and should be used as a guideline rather than a penetration testing catch-all solution.

Target scoping
Before starting the technical security assessment, it is important to observe and understand the given scope of the target network environment. It is also necessary to know that the scope can be defined for a single entity or set of entities that are given to the auditor. The following list provides you with typical decisions that need to be made during the target scoping phase:
• What should be tested?
• How should it be tested?
• What conditions should be applied during the test process?
• What will limit the execution of the test process?
• How long will it take to complete the test?
• What business objectives will be achieved?

To lead a successful penetration testing, an auditor must be aware of the technology under assessment, its basic functionality, and its interaction with the network environment. Thus, the knowledge of an auditor does make a significant contribution towards any kind of security assessment.

Information gathering
Once the scope is finalized, it is time to move into the reconnaissance phase. During this phase, a pentester uses a number of publicly available resources to learn more about his or her target. This information can be retrieved from Internet sources such as:
• Forums
• Bulletin boards
• Newsgroups
• Articles
• Blogs
• Social networks
• Commercial or non-commercial websites

Additionally, the data can also be gathered through various search engines, such as Google, Yahoo!, MSN Bing, Baidu, and others. Moreover, an auditor can use the tools provided in Kali Linux to extract the network information about a target. These tools perform valuable data mining techniques to collect information through DNS servers, trace routes, Whois database, e-mail addresses, phone numbers, personal information, and user accounts. As more information is gathered, the probability of conducting a successful penetration test is increased.

Target discovery
This phase mainly deals with identifying the target's network status, operating system, and its relative network architecture. This provides you with a complete image of the interconnected current technologies or devices and may further help you in enumerating various services that are running over the network. By using the advanced network tools from Kali Linux, one can determine the live network hosts, operating systems running on these host machines, and characterize each device according to its role in the network system. These tools generally implement active and passive detection techniques on the top of network protocols, which can be manipulated in different forms to acquire useful information such as operating system fingerprinting.

Enumerating target
This phase takes all the previous efforts forward and finds the open ports on the target systems. Once the open ports have been identified, they can be enumerated for the running services. Using a number of port scanning techniques such as fullopen, half-open, and stealth scan can help determine the port's visibility even if the host is behind a firewall or Intrusion Detection System (IDS). The services mapped to the open ports help in further investigating the vulnerabilities that might exist in the target network's infrastructure. Hence, this phase serves as a base for finding vulnerabilities in various network devices, which can lead to a serious penetration. An auditor can use some automated tools given in Kali Linux to achieve the goal of this phase.

Vulnerability mapping
Up until the previous phase, we have gathered sufficient information about the target network. It is now time to identify and analyze the vulnerabilities based on the disclosed ports and services. This process can be achieved via a number of automated network and application vulnerability assessment tools that are present under the Kali Linux OS. It can also be done manually but takes an enormous amount of time and requires expert knowledge. However, combining both approaches should provide an auditor with a clear vision to carefully examine any known or unknown vulnerability that may otherwise exist on the network systems.
Social engineering
Practicing the art of deception is considerably important when there is no open gate available for an auditor to enter the target network. Thus, using a human attack vector, it is still possible to penetrate the target system by tricking a user into executing malicious code that should give backdoor access to the auditor. Social engineering comes in different forms. This can be anybody pretending to be a network administrator over the phone forcing you to reveal your account information or an e-mail phishing scam that can hijack your bank account details. Someone imitating personnel to get into a physical location is also considered social engineering. There is an immense set of possibilities that could be applied to achieve the required goal. Note that for a successful penetration, additional time to understand human psychology may be required before applying any suitable deception against the target. It is also important to fully understand the associated laws of your country with regards to social engineering prior to attempting this phase.
Target exploitation
After carefully examining the discovered vulnerabilities, it is possible to penetrate the target system based on the types of exploits that are available. Sometimes, it may require additional research or modifications to the existing exploit in order to make it work properly. This sounds a bit difficult but might get easier when considering a work under advanced exploitation tools, which are already provided with Kali Linux. Moreover, an auditor can also apply client-side exploitation methods mixed with a little social engineering to take control of a target system. Thus, this phase mainly focuses on the target acquisition process. The process coordinates three core areas, which involve pre-exploitation, exploitation, and post-exploitation activities.

Privilege escalation
Once the target is acquired, the penetration is successful. An auditor can now move freely into the system, depending on his or her access privileges. These privileges can also be escalated using any local exploits that match the system's environment, which, once executed, should help you attain super-user or system-level privileges. From this point of entry, an auditor might also be able to launch further attacks against the local network systems. This process can be restricted or non-restricted depending on the given target's scope. There is also a possibility of learning more about the compromised target by sniffing the network traffic, cracking passwords of various services, and applying local network spoofing tactics. Hence, the purpose of privilege escalation is to gain the highest-level access to the system that is possible.
Maintaining access
Sometimes, an auditor might be asked to retain access to the system for a specified time period. Such activity can be used to demonstrate illegitimate access to the system without performing the penetration testing process again. This saves time, cost, and resources that are being served to gain access to the system for security purposes. Employing some secret tunneling methods, which make a use of protocol, proxy, or end-to-end connection strategy that can lead to establishing a backdoor access, can help an auditor maintain his or her footsteps into the target system as long as required. This kind of system access provides you with a clear view on how an attacker can maintain his or her presence in the system without noisy behavior.
Documentation and reporting
Documenting, reporting, and presenting the vulnerabilities found, verified, and exploited will conclude your penetration testing activities. From an ethical perspective, this is extremely important because the concerned managerial and technical team can inspect the method of penetration and try to close any security loopholes that may exist. The types of reports that are created for each relevant authority in the contracting organization may have different outlooks to assist the business and technical staff understand and analyze the weak points that exist in their IT infrastructure. Additionally, these reports can serve the purpose of capturing and comparing the target system's integrity before and after the penetration process.

-Copy Paste-
^_^

Rabu, 03 September 2014

Vulnerability Assessment vs Penetration Testing

There is always a need to understand and practice the correct terminology for security assessment. Throughout your career, you may run into commercial grade companies and non-commercial organizations that are likely to misinterpret the term penetration testing when trying to select an assessment type. It is important that you understand the differences between these types of tests.

Vulnerability assessment is a process to assess the internal and external security controls by identifying the threats that pose serious exposure to the organizations assets. This technical infrastructure evaluation not only points to the risks in the existing defenses, but also recommends and prioritizes the remediation strategies. The internal vulnerability assessment provides you with an assurance to secure the internal systems, while the external vulnerability assessment demonstrates the security of the perimeter defenses. In both testing criteria, each asset on the network is rigorously tested against multiple attack vectors to identify unattended threats and quantify the reactive measures. Depending on the type of assessment being carried out, a unique set of testing processes, tools, and techniques are followed to detect and identify vulnerabilities in the information assets in an automated fashion. This can be achieved using an integrated vulnerability management platform that
manages an up-to-date vulnerabilities database and is capable of testing different types of network devices while maintaining the integrity of configuration and change management.

A key difference between the vulnerability assessment and penetration testing is that the penetration testing goes beyond the level of identifying vulnerabilities and hooks into the process of exploitation, privilege escalation, and maintaining access to the target system(s). On the other hand, vulnerability assessment provides you with a broad view of any existing flaws in the system without measuring the impact of these flaws to the system under consideration. Another major difference between both of these terms is that the penetration testing is considerably more intrusive than the vulnerability assessment and aggressively applies all of the technical methods to exploit the live production environment. However, the vulnerability assessment process carefully identifies and quantifies all the known vulnerabilities in a non-invasive manner.

Why penetration testing?
When there is doubt that mitigating controls such as firewalls, intrusion detection systems, file integrity monitoring, and so on are effective, a full penetration test is ideal. Vulnerability scanning will locate individual vulnerabilities; however, penetration testing will actually attempt to verify that these vulnerabilities are exploitable within the target environment.

This perception, while dealing with both of these assessment types, might confuse and overlap the terms interchangeably, which is absolutely wrong. A qualified consultant always attempts to work out the best type of assessment based on the client's business requirement rather than misleading them from one over the other. It is also the duty of the contracting party to look into the core details of the selected security assessment program before taking any final decision.

Penetration testing is an expensive service in comparison to vulnerability assessment.

Penetration Testing Methodology

Penetration testing, often abbreviated as pentest, is a process that is followed to conduct an in-depth security assessment or audit. A methodology defines a set of rules, practices, and procedures that are pursued and implemented during the course of any information security audit program. A penetration testing methodology defines a roadmap with practical ideas and proven practices that can be followed to assess the true security posture of a network, application, system, or any combination thereof. This chapter offers summaries of several key penetration testing methodologies. Key topics covered in this chapter include:

• A discussion on two well-known types of penetration testing—black box and white box
• Describing the differences between the vulnerability assessment and penetration testing
• Explaining several industry-acceptable security testing methodologies and their core functions, features, and benefits
• A general penetration testing methodology that incorporates the 10 consecutive steps of a typical penetration testing process
• The ethical dimension of how the security testing projects should be handled 

Penetration testing can be carried out independently or as a part of an IT security risk management process that may be incorporated into a regular development life cycle (for example, Microsoft SDLC). It is vital to notice that the security of a product not only depends on the factors that are related to the IT environment but also relies on product-specific security best practices. This involves the implementation of appropriate security requirements, performing risk analysis, threat modeling, code reviews, and operational security measurement.

Penetration testing is considered to be the last and most aggressive form of security assessment. It must be handled by qualified professionals and can be conducted with or without prior knowledge of the targeted network or application. A pentest may be used to assess all IT infrastructure components including applications, network devices, operating systems, communication medium, physical security, and human psychology. The output of penetration testing usually consists of a report divided
into several sections that address the weaknesses found in the current state of the target environment, followed by potential countermeasures and other remediation recommendations. The use of a methodological process provides extensive benefits to the pentester to understand and critically analyze the integrity of current defenses during each stage of the testing process.

Types of penetration testing
Although there are different types of penetration testing, the two most general approaches that are widely accepted by the industry are the black box and white box. These approaches will be discussed in the following sections.

Black box testing
While applying this approach, the security auditor will be assessing the network infrastructure and will not be aware of any internal technologies deployed by the targeted organization. By employing a number of real-world hacker techniques and going through organized test phases, vulnerabilities may be revealed and potentially exploited. It is important for a pentester to understand, classify, and prioritize these vulnerabilities according to their level of risk (low, medium, or high). The risk can be
measured according to the threat imposed by the vulnerability in general. An ideal penetration tester would determine all attack vectors that could cause the target to be compromised. Once the testing process has been completed, a report that contains all the necessary information regarding the targets' real-world security posture, categorizing, and translating the identified risks into a business context, is generated. Black box testing can be a more expensive service than white box testing.

White box testing
An auditor involved in this kind of penetration testing process should be aware of all the internal and underlying technologies used by the target environment. Hence, it opens a wide gate for a penetration tester to view and critically evaluate the security vulnerabilities with minimum possible efforts and utmost accuracy. It does bring more value to the organization in comparison to the black box approach in the sense that it will eliminate any internal security issues lying at the target infrastructure's environment, thus making it more difficult for a malicious adversary to infiltrate from the outside. The number of steps involved in white box testing is similar to that of black box testing. Moreover, the white box approach can easily be integrated into a regular development life cycle to eradicate any possible security issues at an early stage before they get disclosed and exploited by intruders. The time, cost, and knowledge level required to find and resolve the security vulnerabilities is comparably less than with the black box approach.

Selasa, 02 September 2014

Mengelola Program Audit

Program audit dapat mencakup pertimbangan satu atau lebih standar sistem manajemen audit, yang dilakukan baik secara terpisah atau dalam kombinasi.

Manajemen harus memastikan bahwa tujuan program audit ditetapkan dan menetapkan satu atau orang yang lebih kompeten untuk mengelola program audit. Luasnya program audit harus didasarkan pada ukuran dan sifat dari organisasi yang diaudit, serta pada sifat, fungsi, kompleksitas dan tingkat kematangan dari sistem manajemen yang akan diaudit. Prioritas harus diberikan untuk mengalokasikan sumber daya audit program untuk mengaudit hal-hal penting dalam sistem manajemen.

Konsep tersebut pada umumnya dikenal sebagai audit berbasis risiko (risk based audit). Program audit harus mencakup informasi dan sumber daya yang diperlukan untuk mengatur dan melakukan audit yang efektif dan efisien dalam kerangka waktu tertentu dan juga dapat meliputi:
  1. Tujuan untuk program audit dan audit individu.
  2. Batas / jumlah / jenis / durasi / lokasi / jadwal audit.
  3. Prosedur program audit.
  4. Kriteria audit.
  5. Metode audit.
  6. Pemilihan Tim Audit.
  7. Sumber daya yang diperlukan, termasuk perjalanan dan akomodasi.
  8. Proses untuk menangani kerahasiaan, keamanan informasi, kesehatan dan keselamatan, dan hal-hal serupa lainnya.
Pelaksanaan program audit harus dipantau dan diukur untuk memastikan tujuan Perusahaan telah dicapai. Program audit harus ditinjau untuk mengidentifikasi kemungkinan perbaikan. Gambar di bawah ini adalah flowchart dari kegiatan program audit sebagai berikut: 


Sumber: ISO 19011:2011 (Di translate manual oleh Penulis) 

Prinsip Audit

Auditor ketika melakukan kegiatan audit mempunyai beberapa prinsip atau kaidah audit, yaitu: 

1. Integritas adalah dasar profesionalisme Auditor dan orang yang mengelola program audit harus: 
  • Melakukan pekerjaan mereka dengan kejujuran, ketekunan, dan tanggung jawab.
  • Mengamati dan mematuhi persyaratan hukum yang berlaku.
  • Menunjukkan kompetensi mereka saat melakukan pekerjaan mereka.
  • Melakukan pekerjaan mereka dengan cara yang tidak memihak, yaitu tetap adil dan tidak bisa dalam semua urusan mereka. 
  • Peka terhadap segala pengaruh yang mungkin diberikan pada penilaian mereka saat melakukan audit. 

2. Adil adalah kewajiban untuk melaporkan dengan jujur ​​dan akurat untuk temuan audit, kesimpulan audit dan laporan audit harus mencerminkan kejujuran serta akurat untuk kegiatan audit. Kendala yang ditemui selama audit dan opini terkait penyimpangan terselesaikan antara Tim Audit dan Auditee harus dilaporkan. Komunikasi harus jujur, akurat, obyektif, tepat waktu, jelas dan lengkap. 

3. Profesional adalah penerapan bentuk komitmen untuk mewujudkan dan meningkatkan kualitas pekerjaannya. Auditor harus mempunyai ketrampilan yang baik dalam bidang audit dan kecerdasan dalam menganalisis suatu masalah serta cermat dalam mengambil keputusan terbaik. 

4. Kerahasiaan adalah bentuk keamanan informasi yang harus diterapkan oleh Auditor dalam menggunakan dan melindungi informasi yang diperoleh ketika Auditor menjalankan tugas mereka. Informasi audit tidak boleh digunakan untuk keuntungan pribadi oleh Auditor atau Klien audit, atau dengan cara merugikan kepentingan dari Auditee. Konsep ini mencakup penanganan informasi yang bersifat sensitif atau rahasia. 

5. Independen adalah dasar untuk ketidakberpihakan audit dan objektivitas atas kesimpulan audit. Auditor harus independen terhadap kegiatan yang diaudit dan bertindak dengan cara yang bebas dari bias atau tidak jelas dan menghindari dari konflik kepentingan pribadi atau golongan. Auditor harus menjaga objektivitas selama proses audit untuk memastikan bahwa temuan audit dan kesimpulan didasarkan pada bukti audit. 

6. Pendekatan berbasis bukti adalah metode rasional untuk mencapai kesimpulan audit yang handal dan sistematis yang harus diverifikasi terlebih dahulu. Penggunaan sampel yang tepat harus diterapkan, karena ini berkaitan erat dengan kepercayaan dalam kesimpulan hasil audit.

Sumber: ISO 19011:2011 (Di translate manual oleh Penulis)