Penetration Test (1)

FreeBSD Portaudit is a software vulnerability auditing software for Free BSD. The ports-mgmt/portaudit port polls a database, updated and maintained by the FreeBSD Security Team and ports developers, for known security issues.

How to use Portaudit
To begin using Portaudit, one must install it from the Ports Collection:

# cd /usr/ports/ports-mgmt/portaudit && make install clean

During the install process, the configuration files for periodic(8) will be updated, permitting Portaudit output in the daily security runs. Ensure the daily security run emails, which are sent to root's email account, are being read. No more configuration will be required here.

1. Cross site scripting (XSS)
The “most prevalent and pernicious” Web application security vulnerability, XSS flaws happen when an application sends user data to a Web browser without first validating or encoding the content. This lets hackers execute malicious scripts in a browser, letting them hijack user sessions, deface Web sites, insert hostile content and conduct phishing and malware attacks.

2. Injection flaws
When user-supplied data is sent to interpreters as part of a command or query, hackers trick the interpreter — which interprets text-based commands — into executing unintended commands. “Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application,” OWASP writes. “In the worst-case scenario, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments.”

3. Malicious file execution
Hackers can perform remote code execution, remote installation of rootkits, or completely compromise a system. Any type of Web application is vulnerable if it accepts filenames or files from users. The vulnerability may be most common with PHP, a widely used scripting language for Web development.

4. Insecure direct object reference
Attackers manipulate direct object references to gain unauthorized access to other objects. It happens when URLs or form parameters contain references to objects such as files, directories, database records or keys.

Certain prerequisites are necessary to make an intrusion detection system worthwhile, including the following:
• Network administrators with intrusion detection experience.
• Network administrators with the spare time to monitor a network.
• A security philosophy that includes the willingness to integrate business processes with logging technologies.
• A network infrastructure that has been well designed and hardened.

Without these elements, the intrusion detection system will be an expensive system that won’t produce results. IDSs are powerful, but complicated. They can be used to catch hackers, but they need to be wielded by an experienced network administrator. However, when they are purchased by an organization that mistakenly thinks the system will create results automatically, they fail miserably.

There are two major goals of a network vulnerability assessment (NVA). The first goal of a technical vulnerability assessment is to test everything possible. The second goal of a technical NVA is to generate a clear, concise report that will be read and used by your management or your customers

To test everything possible is often useful to think in "new-age" terms and consider the NVA a holistic NVA. The reason that it is important to test the entire security domain is somewhat obvious. An intruder only needs one hole to break into the network; if that hole lies in the primary firewall or through a modem connected to an executive's desktop computer, it really does not matter. There are some factors that will limit how deep you can make the NVA.

Choosing the right penetration testing (pentest) vendor is one of key success factor for pentest implementation. There are many consideration when choosing the right vendor your corporate. Usually the common question about this question are:

1. Vendor reputation vs. vendor ability?
This question is just the same as basic question about what we need vs what we want. Dealing with reputable vendor e.g. from big four or large it consulting company would be very nice for company portfolio. We can display the result of test to board management or even to internal that assessment already running.

Compare to choose the small unknown vendor, who actually work as underground hacker, maybe will deliver better result. But since nobody knows the vendor sometimes the result is could not be accepted by everyone

2. How deep and how far?
Usually pentest only performed by 2-3 week and the pentester is testing the environment from inside and outside the corporate network. However there is no exact limit how deep and how far we could perform pentest. The good pentest vendor always offer best alternative pentest strategy. Not only their ability but how they could deliver the result in short time of project.

3. Who will close the finding?
Result from pentest should be a finding list in every IT infrastructure or process. Many firm could found large leakage in information system security but few that could give good solution for the problem. As you should know, the vendor who perform the pentest and the vendor who close the finding should be different to prevent good segregation of duties.