RE: Bank pen test

From: Omar A. Herrera (omar.herrera@oissg.org)
Date: Fri Mar 03 2006 - 15:46:36 EST


Hi Noe,

> -----Original Message-----
> From: Noe Espinoza Mancillas [mailto:nespinoza@grupowissen.com]
>
> hello all!
>
> now I'm still waiting to start an internal penetration test in a bank .. they
> have a lot of servers.. HP-UX, Win, Sun, Linux, etc. and now they are
> using ISS (scanner) to find vulnerabilities and then they make a remediation
> with some scripts and other commercial tools... so..
> now they need help because the ISS scanner, every time it is run, finds
> the same vulnerabilities after patching the servers. I told them that it is
> really important to use some other different scanners and make a penetration test
> to review if the vulnerabilities are really a risk for the business!!.. and
> they don't accept it ..

I agree with you. Some tools will still report that the vulnerabilities
exist even after applying the patches (if I remember correctly, this is
common with Sun Solaris, since several patches do not update version numbers
and some vulnerability scanner tests rely on these).

Using several tools might give you an idea if the patches were not correctly
applied or if some of the tools are not detecting the changes. Ideally, you
should know more details about the vulnerability that is still being
reported and how exactly the tool is testing for it (not a simple task with
closed source commercial tools, but putting a protocol analyzer in the
middle might give you an idea of what is going on).

Also, if there is a manual and safe way to determine if the vulnerability
still exists, you might want to go for it (e.g. buffer overflows are usually
not safe, because if the vulnerability still exists you might crash the
machine, and if it is a critical server...).

> but they need it.. need to make a remediation of all the vulnerabilities in
> all the 4000 servers!
>
> so.. they ask for a pen test for only 20 servers.. and I don't know how
> I can select the number of servers that I need to test to be sure that all the
> rest of the servers have the same vulnerabilities!!.. ?

There are most probably differences between server configurations that
result in different degrees of security. Even if they require you to only
scan 20 of them you should make this clear (even if they claim that
configuration is identical, they might not have a patch log that actually
confirms that all servers have the same level of updates).

Now, just claiming that they must review all of their servers is not going
to help them or you. This is the kind of situation where you need soft
skills to make your way. Banks (at least the ones I know of) are very closed
institutions with strict procedures for some things (that doesn't
necessarily mean that security is included). It might mean however that
things have to be done their way and claiming that "their way" doesn't work
without proof usually results in them ignoring you completely.

Try this: select a representative sample of the most critical servers (i.e.
if they have two email servers, one active and one backup, don't waste your
time for now and only scan one of them). Select your servers based on their
importance to the business. Hence, you will need to do some research on the
business; do not expect bank personnel to be particularly open to this kind
of information requests. Typical examples:

* Databases. There are usually hundreds of databases within banks; you might
want to select a few of those holding client information or information
necessary for critical services (i.e. real time)

* Front-end servers for important applications (e.g. the ones to which
e-banking clients connect)

* Back-end application servers. You might want to select some of the
application servers that host client applications and serve the front end
servers.

* Internal/Intranet servers. Banks usually also have several critical
applications that do not interact directly with the client but are
necessary. These might include intra-bank information systems and other
systems that connect to other types of financial institutions to query/send
information.

After you select your servers and perform your penetration test, depending
on the results, they might simply recognize that they need to go further
with the testing. Also, depending on the location, you might want to remind
them of any regulations that require security assessments, but be careful
with the way you say it (i.e. simply stating that it makes sense to perform
this and that assessment to comply with regulation X might get you
somewhere, whereas accusing them of ignoring regulation and not hiring you
will simply result in them kicking you out and hiring someone else, if they
please).

This is essential for dealing with this type of institution; good technical
skills are not the only thing, you need to establish an effective
communication channel with them; banks are inherently hard to communicate
with, especially regarding information security issues.

> and what kind of tools can I use to do that!?
>
> I have never been in that kind of penetration test :(..
>
> I am thinking of using Core Impact!
>
> any suggestions?

Tools such as Core Impact might be helpful, definitely. However, you need to
take into account the characteristics of the environment you are trying to
assess. Banks usually have several dozen home-made applications (both
for intra-bank communications and for e-banking).

Even if they use some kind of application framework, they still code a lot
themselves to produce their applications. Therefore, it really makes sense
to identify the most common programming language (especially for web based
services) and try to manually perform security assessments on these
applications (most automated tools will have a limit to do this kind of
testing).

So, look for things like:
* SQL injections
* Inappropriate session management
* Insecure communications (you might find confidential data travelling
unencrypted through the internal network; the fact that it is the internal
network doesn't make the data more secure)
* Information leaks through source code

Note that web services published on the Internet might be more polished than
internal services (for obvious reasons).

Some final words: no matter what the people in the bank tell you about some
server/application not being important, always be extremely careful with
what you do. Some applications within banks are very sensitive to response
time (i.e. you might actually cause a financial impact if you crash a
critical server). Relationships between servers and applications are not
obvious sometimes, so make sure you get all the information you can about
the things you will be testing before starting. Make sure you have the
needed legal stuff in your contract, be careful to not get out of the scope
and make sure their technical contact will be available at any time while
the tests are being conducted.

I hope this helps :-)

Regards,

Omar A. Herrera
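The reconciliation Omar suggests (comparing what a version-string-based scanner reports against a second tool and the bank's own patch log) as an added example; this is not code from the thread or from any scanner vendor. All hosts, check identifiers, patch identifiers and scanner output lines below are constructed sample data, and the mapping of checks to remediating patches is an assumption of the example.

```python
"""Reconcile repeated scanner findings against a patch log and a second tool.

Added example (constructed data, not from the mailing list). Models the case
where a scanner keeps reporting a finding on an already patched host because
the vendor patch did not bump the version string the check relies on. A
second tool that actively probes the service is used to separate likely
false positives from findings that are genuinely still open.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # scanner's own test identifier (constructed names)
    method: str     # "version": decided from a banner; "probe": actively tested
    evidence: str


# Constructed output of two scanners run against the same hosts.
TOOL_A: List[Finding] = [  # version-string based checks
    Finding("db01", "SUNOS-RPC-001", "version", "rpcbind 1.0 (build 2)"),
    Finding("db02", "SUNOS-RPC-001", "version", "rpcbind 1.0 (build 2)"),
    Finding("web01", "HTTP-TRACE-ENABLED", "version", "Apache/1.3.33"),
    Finding("app01", "OPENSSL-OLD", "version", "OpenSSL 0.9.7"),
]
TOOL_B: List[Finding] = [  # non-destructive active probes
    Finding("db02", "SUNOS-RPC-001", "probe", "rpcbind answered dump request"),
    Finding("web01", "HTTP-TRACE-ENABLED", "probe", "TRACE request returned 200"),
]

# Constructed patch log: (host, patch_id) pairs the bank's staff recorded.
PATCH_LOG: Set[Tuple[str, str]] = {("db01", "PATCH-RPC-2"), ("db02", "PATCH-RPC-2")}

# Assumed mapping from a scanner check to the patch/config change that fixes it.
REMEDIATES: Dict[str, str] = {
    "SUNOS-RPC-001": "PATCH-RPC-2",
    "HTTP-TRACE-ENABLED": "CFG-DISABLE-TRACE",
    "OPENSSL-OLD": "PATCH-OPENSSL-097M",
}

LIKELY_FALSE_POSITIVE = "likely_false_positive"      # patched, only a version check flags it
PATCH_INEFFECTIVE = "patch_recorded_but_probe_confirms"  # log says patched, probe says vulnerable
CONFIRMED_OPEN = "confirmed_open"                    # no patch recorded, probe confirms
UNVERIFIED = "unverified_version_only"               # no patch recorded, no probe: check manually


def reconcile(findings: Iterable[Finding],
              patch_log: Set[Tuple[str, str]],
              remediates: Dict[str, str]) -> Dict[Tuple[str, str], str]:
    """Classify every (host, check) reported by any tool."""
    findings = list(findings)
    probe_confirmed = {(f.host, f.check_id) for f in findings if f.method == "probe"}
    reported = {(f.host, f.check_id) for f in findings}
    result: Dict[Tuple[str, str], str] = {}
    for host, check in sorted(reported):
        patch = remediates.get(check)
        patched = patch is not None and (host, patch) in patch_log
        confirmed = (host, check) in probe_confirmed
        if patched and not confirmed:
            result[(host, check)] = LIKELY_FALSE_POSITIVE
        elif patched and confirmed:
            result[(host, check)] = PATCH_INEFFECTIVE
        elif confirmed:
            result[(host, check)] = CONFIRMED_OPEN
        else:
            result[(host, check)] = UNVERIFIED
    return result


def report(findings: Iterable[Finding]) -> List[str]:
    """Human-readable lines, one per (host, check), for the remediation team."""
    return [f"{host:<6} {check:<20} {status}"
            for (host, check), status in reconcile(findings, PATCH_LOG, REMEDIATES).items()]


if __name__ == "__main__":
    for line in report(TOOL_A + TOOL_B):
        print(line)
```

The useful output is the split between `likely_false_positive` (the patch log and the probing tool agree the host is fixed, so the version-based scanner is the problem) and `patch_recorded_but_probe_confirms` (the log claims a patch that the probe shows did not take effect), which is exactly the evidence needed to talk to the bank's operations staff without arguing about the scanner.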

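Omar's advice on picking the 20-server sample (one host per active/backup pair, ranked by importance to the business, spread across databases, front-ends, back-ends and intranet systems) as an added example, not code from the thread. The inventory, role names, cluster names and the scoring weights are all constructed assumptions.

```python
"""Pick a representative sample of servers for a scoped internal pen test.

Added example with constructed data (not from the mailing list). Steps:
  1. collapse active/backup clusters to one host (prefer the active one);
  2. score each host by what it handles (client data, real-time service,
     Internet exposure); weights are an assumption of this example;
  3. round-robin across roles, highest score first, until the budget is spent,
     so a 20-host budget is not consumed by 20 databases.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ROLE_ORDER = ["database", "frontend", "backend", "intranet"]


@dataclass(frozen=True)
class Server:
    name: str
    role: str
    cluster: Optional[str]      # shared name for active/backup pairs, None if standalone
    active: bool = True
    client_data: bool = False   # holds customer information
    realtime: bool = False      # part of a time-sensitive service
    internet_facing: bool = False


def score(s: Server) -> int:
    """Assumed importance weighting: client data and real-time service count most."""
    return 1 + 2 * s.client_data + 2 * s.realtime + 1 * s.internet_facing


# Constructed inventory.
INVENTORY: List[Server] = [
    Server("mail01", "intranet", "mail", active=True),
    Server("mail02", "intranet", "mail", active=False),
    Server("custdb01", "database", "custdb", active=True, client_data=True, realtime=True),
    Server("custdb02", "database", "custdb", active=False, client_data=True, realtime=True),
    Server("reportdb", "database", None, client_data=True),
    Server("ebank-web01", "frontend", "ebank-web", active=True, realtime=True, internet_facing=True),
    Server("ebank-web02", "frontend", "ebank-web", active=False, realtime=True, internet_facing=True),
    Server("ebank-app01", "backend", "ebank-app", client_data=True, realtime=True),
    Server("swift-gw", "intranet", None, realtime=True),
]


def collapse_clusters(inventory: List[Server]) -> List[Server]:
    """Keep one host per cluster (the active one); standalone hosts pass through."""
    by_cluster: Dict[str, Server] = {}
    singles: List[Server] = []
    for s in inventory:
        if s.cluster is None:
            singles.append(s)
            continue
        current = by_cluster.get(s.cluster)
        if current is None or (s.active and not current.active):
            by_cluster[s.cluster] = s
    return singles + list(by_cluster.values())


def select_sample(inventory: List[Server], budget: int,
                  role_order: List[str] = ROLE_ORDER) -> List[str]:
    """Return host names to test, highest-value first, spread across roles."""
    queues: Dict[str, List[Server]] = {role: [] for role in role_order}
    for s in collapse_clusters(inventory):
        queues.setdefault(s.role, []).append(s)
    for q in queues.values():
        q.sort(key=lambda s: (-score(s), s.name))  # deterministic tie-break on name
    chosen: List[str] = []
    roles = list(queues)  # role_order first, then any unexpected roles
    while len(chosen) < budget and any(queues.values()):
        for role in roles:
            if queues[role] and len(chosen) < budget:
                chosen.append(queues[role].pop(0).name)
    return chosen


if __name__ == "__main__":
    for name in select_sample(INVENTORY, budget=4):
        print(name)
```

The scoring is deliberately simple so that it can be defended in a meeting with bank staff; the point is that the sample and the reason each host is in it are written down before testing starts, which also makes it easy to show later which roles the sample did not cover.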



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:36 EDT