2.8 Compliance 14. Compliant External Test
2.8.14. Compliant External Test | The purpose of this external penetration test is to emulate the criminal activity that could be directed at the Internet application from the public Internet. Using a combination of scanning and enumeration techniques, the test identifies the external-facing profile and investigates each facet for weaknesses and vulnerabilities. The application service provider runs its own penetration tests on a regular basis to verify that any changes made to the hardware and software have been correctly implemented. Standard tools such as Nmap and Acunetix are employed to give a diverse set of results and evidence that nothing has been carelessly left open. |
2. Independent Report. | It is understood that some parties may require the right to perform their own independent penetration test, and the application service provider is happy to sign any appropriate declarations authorising IP address 82.165.8.62 to be analysed as the home of . | This Internet application is totally self-contained and does not establish trust links to external web services; any outbound link to an external service must be treated as a defect. The Internet application is ready to begin its operational role but is currently waiting for a penetration test to be completed before it goes live. This means that the penetration test can take place at any time without causing operational disruption. |
Stage 1. Target Acquisition. | The test team will attempt to identify the key hosted services visible from the Internet. Using a variety of exploration techniques, the public-facing assets of the Internet application will be discovered and documented. No Intrusion Prevention System (IPS) has been enabled to thwart the penetration test team, so the results reflect the real exposure of the hosts rather than the reaction of a filtering device. |
Stage 2. Enumeration. | The test team will engage with the servers to gain detailed information from them. Handshaking (banner-grabbing) tools record the publicly visible software, versions and releases. Port scanning identifies which services are enabled and which are disabled. All the tools and techniques that a criminal could use to attack the Internet application should be used, together with the Google Hacking Database. |
Stage 3. Vulnerability Assessment. | The test team will use its experience to isolate and attack the Internet application. Poor input data sanitization is a common cause of web page vulnerabilities such as injection and Cross Site Scripting, and request-level weaknesses such as Cross Site Request Forgery (CSRF) are tested against each part of the Internet application. |
Stage 4. Exploitation. | The test team will attempt to exploit the vulnerabilities identified and assessed in order to determine their impact. The assessment of the overall attack situation and the plan of attack will change dynamically during this stage as each potential vulnerability is exploited. | The test team will conduct such tests as it deems necessary during this project, and these tests may include activities that might otherwise be construed as unethical or unlawful; however, the test team is authorized by the application service provider to conduct such tests, and such tests are deemed to be lawful. The application service provider accepts full responsibility for putting right anything that may be changed by any such test. |
8.4 Topology. | On Wednesday 1st August 2012, this IP address had 14 open ports, 3 filtered ports and 983 closed ports. The web server was running Linux that was fully patched and up to date. The ports of significance were: | 21 as the FTP port | 22 as the SSH port (SFTP runs over SSH; this is not FTPS) | 25 as the SMTP email port | 53 as the domain (DNS) port | 80 as the HTTP port | 106 as the POP3 password-change service (poppassd) | 110 as the POP3 email port | 143 as the IMAP email port | 443 as the HTTPS port | 465 as the SMTPS port | 993 as the IMAPS email port | 995 as the POP3S email port | 8443 as the alternate HTTPS port | Note that 21, 106, 110 and 143 accept credentials in cleartext while the TLS equivalents of 110 and 143 (995 and 993) are also open; an external test should question why both forms remain exposed on a self-contained web application, and why a mail stack and DNS are reachable at all. |
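The enumeration stage above and the port list in this section can be checked mechanically. The following is an added example, not the provider's or the test team's tooling: it parses an Nmap normal-output (-oN) port table and applies the exposure rules a reviewer would apply to a web-only host (cleartext credential services, a TLS sibling already open, an Internet-facing admin port, services a self-contained web application does not need). The scan text is constructed to match the 13 ports this section names as significant plus three arbitrary filtered ports; it is not a real scan of the address, and the "not needed for a web application" set is an assumption about this deployment.

```python
"""Parse Nmap -oN output and flag exposure findings for a web-only host."""
import re
from typing import Dict, List, Tuple

# Constructed sample in Nmap normal-output style. The open ports are the 13
# the page lists as significant; the three filtered ports are arbitrary.
SAMPLE_SCAN = """\
Nmap scan report for 82.165.8.62
Not shown: 983 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
106/tcp  open     pop3pw
110/tcp  open     pop3
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
465/tcp  open     smtps
993/tcp  open     imaps
995/tcp  open     pop3s
8443/tcp open     https-alt
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")

# Services that send credentials in cleartext (port -> name).
CLEARTEXT_AUTH = {21: "ftp", 23: "telnet", 106: "pop3pw", 110: "pop3", 143: "imap"}
# TLS replacement for a cleartext service, used when both are open.
TLS_SIBLING = {21: 990, 110: 995, 143: 993}
# Assumption for this example: a self-contained web application needs
# none of these, so their presence is a finding in itself.
NOT_NEEDED_FOR_WEB_APP = {21, 25, 53, 106, 110, 143, 465, 993, 995}
ADMIN_PORTS = {8443: "https-alt (commonly a hosting control panel)"}


def parse_nmap(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, proto, state, service) for every port line in -oN output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def summarize(text: str) -> Dict[str, int]:
    """Count open/filtered/closed, folding in Nmap's 'Not shown: N closed' line."""
    counts = {"open": 0, "filtered": 0, "closed": 0}
    for _, _, state, _ in parse_nmap(text):
        counts[state] += 1
    m = re.search(r"Not shown: (\d+) closed", text)
    if m:
        counts["closed"] += int(m.group(1))
    return counts


def review_exposure(rows) -> List[str]:
    """Apply the exposure rules to parsed rows and return human-readable findings."""
    open_ports = {p for p, proto, state, _ in rows if proto == "tcp" and state == "open"}
    findings = []
    for p in sorted(open_ports):
        if p in CLEARTEXT_AUTH:
            msg = f"{p}/tcp {CLEARTEXT_AUTH[p]}: credentials in cleartext"
            if TLS_SIBLING.get(p) in open_ports:
                msg += f"; TLS equivalent on {TLS_SIBLING[p]} is already open, so disable {p}"
            findings.append(msg)
        if p in ADMIN_PORTS:
            findings.append(f"{p}/tcp: {ADMIN_PORTS[p]} reachable from the Internet; restrict by source IP")
    unneeded = sorted(open_ports & NOT_NEEDED_FOR_WEB_APP)
    if unneeded:
        findings.append("not required by a web-only application: " + ", ".join(map(str, unneeded)))
    return findings


if __name__ == "__main__":
    print(summarize(SAMPLE_SCAN))
    for finding in review_exposure(parse_nmap(SAMPLE_SCAN)):
        print("-", finding)
```

Run against real output, the same parser accepts `nmap -oN scan.txt 82.165.8.62`; the rules are deliberately simple so that each finding can be traced to one open port, which is the "hard facts and exceptions" style of report section 8.9 asks for.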
8.5 Root Level Files | The following root level files can be viewed by the public and are the primary attack surface: | favicon.ico: an image to be shown in the address bar. | index.c2: a program to show the home page and every other page in the application. | index.html: a program to show the home page and nothing but the home page; this program is not normally used and is only provided for error message purposes. | robots.txt: a text file telling search engines which folders may be crawled and copied. Many crawlers ignore such instructions, and the file also advertises folder names to anyone who reads it, so it must never list anything sensitive; at least directions have been provided. |
8.7 Prerequisites | The application is designed to operate using any browser on any kind of computer or smart device. To comply with the Information Commissioner's latest directions requiring positive consent from users before a cookie is set, cookies are not used at all. JavaScript must be enabled by every user without exception; they cannot sign in without JavaScript. | The application has been proven on all browsers from Internet Explorer versions 6 to 9, Firefox, Chrome and Safari. The rendering of pages may not be identical between browsers, but all are usable for the purpose of managing client and product data. |
8.8 Vulnerabilities | The application service provider continually monitors the professional security press and undertakes strategic reviews as new threats are identified. Because members of the public do not sign in, the primary attack surface is the data entry fields and URL manipulation. | Cross Site Scripting and SQL Injection are countered by a reusable Anti-XSS function library that sanitizes every input from any source. Sanitization on its own does not prevent SQL Injection where a value is spliced into a query; parameterized queries remain the accepted control, with sanitization as defence in depth. | Malicious file execution and Insecure Direct Object References are eliminated by not supporting document uploads and by ensuring that URL data is of no benefit to a criminal. | Never say never, but every layer of security that can be cost-justified has been applied, and the application operates in an environment where odd programs that could violate the architecture are simply not tolerated. |
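The caveat above is best shown in code. What follows is an added example and is not the provider's Anti-XSS library or application code: `sanitize` is a hypothetical character-stripping routine of the blacklist kind, the client table is constructed data, and the report function assumes the client id arrives as URL data. The vulnerable version splices the sanitized value into a numeric comparison, where no quote character is needed to change the query; the hardened version validates the type and binds the value, which is why the attack string never reaches the SQL parser.

```python
"""Input sanitization versus parameterized queries for a URL-driven report."""
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: three clients belonging to two accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE client (id INTEGER PRIMARY KEY, account TEXT, name TEXT)")
    con.executemany(
        "INSERT INTO client VALUES (?, ?, ?)",
        [(1, "acme", "Alice"), (2, "acme", "Bob"), (3, "globex", "Carol")],
    )
    return con


def sanitize(value: str) -> str:
    """Hypothetical 'sanitize every input' routine (not the provider's library).

    Strips the characters an XSS/SQLi blacklist usually targets. Spaces,
    letters, digits and '=' pass through untouched.
    """
    for ch in "'\"<>;\\-":
        value = value.replace(ch, "")
    return value


def client_report_vulnerable(con: sqlite3.Connection, account: str, client_id: str) -> List[Tuple]:
    """Sanitized URL value spliced into a numeric comparison.

    The account filter is bound correctly, but 'id = 1 OR 1=1' contains
    nothing the blacklist removes, and AND binds tighter than OR, so the
    OR disables both filters and returns every account's clients (an IDOR).
    """
    sql = f"SELECT id, name FROM client WHERE account = ? AND id = {sanitize(client_id)}"
    return con.execute(sql, (account,)).fetchall()


def client_report_hardened(con: sqlite3.Connection, account: str, client_id: str) -> List[Tuple]:
    """Validate the type first, then bind: the value can only ever be a number."""
    if not client_id.isdigit():
        raise ValueError("client id must be a positive integer")
    sql = "SELECT id, name FROM client WHERE account = ? AND id = ?"
    return con.execute(sql, (account, int(client_id))).fetchall()


def hardened_rejects(con: sqlite3.Connection, account: str, client_id: str) -> bool:
    """True when the hardened report refuses the value outright."""
    try:
        client_report_hardened(con, account, client_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    print("legit:", client_report_vulnerable(db, "acme", "1"))
    print("attack:", client_report_vulnerable(db, "acme", "1 OR 1=1"))
    print("hardened rejects attack:", hardened_rejects(db, "acme", "1 OR 1=1"))
```

The same pattern applies to the drop-down list on the sign-in page: a list value is still attacker-controlled text once it leaves the browser, so it is validated against the known set of options server-side and bound, never trusted because the client only offered fixed choices.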
8.7.1 Public Web Pages. | The public static web pages are at minimal risk from any external attack on the one web server program. The threat level is as low as it can get because the public web pages serve no significant purpose and no criminal has anything to gain from attacking them. |
8.7.2 Sign In Web Page. | The sign-in page, with three data entry fields and one drop-down list, provides the attack surface for criminals. Many lines of code have been devoted to resisting attacks over the last 10 years, and every external penetration test has failed to discover any kind of vulnerability in this very small interface. | Every experienced hacker knows that attacking a web site through the front door is unlikely to succeed. Press reports of real-world breaches have typically exploited back-door vulnerabilities in installed utilities and client networks rather than the sign-in page itself. |
8.9 External Consultants. | The application service provider employs external security and testing consultants to periodically verify that internal security methods and procedures are fit for purpose. The external consultancy is permitted to use any hacking tool that is considered legal, noting that the EU is disputing the role of automated scanners and white-hat hacking tools. It is expected that the external consultancy will employ different tools and methods from those the in-house team has used. | The terms of engagement are very simple: the application service provider provides the IP address and the external consultants come back with a detailed report, hopefully saying everything is OK. Any defect that has ever been discovered has been resolved the same day as an oversight or careless implementation. It can sound frustrating that a penetration test will normally create no active things to do, but that is the true value of an external penetration test: confidence that the Internet application is being operated in accordance with accepted best practice. | While the external consultants' report must be company confidential, it contains similar information to what a 16-year-old hacker with numerous scanners could discover in a few days. A penetration test is not a score card with a win-fail result; it is just one extra piece of information that adds to the overall business compliance picture. | The application service provider has experienced leather-bound PenTest reports and encrypted communications that may be designed to look impressive, but low-level hacking is not an executive game. A simple report showing hard facts and any exceptions is what is needed. Telling us the image name of the 163 files in the image folder will not improve compliance, and motherhood statements about potential DoS attacks will look plain silly.
| Test after test saying everything is OK can lead to a crisis of confidence that is easy to resolve by adding one poorly constructed program to the application. If the sanitization of input fields or URL data is deliberately omitted in one program, then the detection of this one known-defective program is evidence that the penetration test has been correctly undertaken: a genuine vulnerability has been identified, and its scope of impact is limited to defacing one report program. This method of working has established a good working relationship over the last ten years. |