Security Testing for entities hosted in cloud

Applications that are being migrated to the cloud, or are planned to be hosted in the cloud, need additional security considerations. Failure to ensure proper security protection when using cloud services may result in higher costs and loss to the business. Organizations must consider security controls for the different service models, viz. Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS).

Which applications should be moved to the cloud?
  · Low to Medium Risk

What are the key security risks while hosting in the cloud?
  · Isolation Failure – Multi-tenancy is a key feature of the cloud. A failure in the controls that separate storage, memory, identity and access control, and routing between tenants is a huge risk.
  · Authentication and Authorization
  · ...

Always make sure you are Pentesting the environment for which the Pentest was intended and for which you have approval. A story where the Pentest ended even before starting.

A short story where the Penetration test ended before it started
Some time back I was assigned a Web Application Penetration testing job on a Thursday afternoon for a project that was going live on the very next Monday.
Sounds familiar, Pentesters!!! Yeah, this is one of the classic cases where the fair assumption is that "my application is already secure and the code was developed as part of a Secure SDLC".
I am not sure why we (as a team) even accepted this assignment. Anyway, I took the download from my Manager about the assignment. I was told that all the pre-requisites for PenTesting had been met!
I thought this was a good opportunity and guided that person (who assigned me the job) to PTES and OSSTMM. No wonder he was not even aware of these.
Well, anyhow, the job was already in and we had to execute it to the best of our capabilities.
The supposed environment was the Test environment. Once the PenTest was over and the security loopholes closed, this was to go live on the Internet.
Since I always make sure to follow the CHECK CHECK CHECK policy (OSSTMM / PTES) before firing my tools, I looked at the URLs in the Test Data provided.
Looking at the URLs, it appeared to me that this was not a Test environment.
So I just issued a lookup on the URLs and, not very surprisingly, it came to light that the URLs were actually LIVE on the Internet!!! => Already in production.
So should I still proceed with the Pen-test?

Since the approvals for the PenTest were very specific to the Test environment (Internal Network), proceeding with the PenTest would have meant an Unauthorized PenTest. I immediately sent out a notification to the Stakeholders and within minutes there were dozens of emails floating around to check how this had happened.
Well, how that happened was not our concern. We ended the PenTest there with the simplest report for closure.
There have been many incidents where a PenTester was questioned by Security Operations and Incident Response teams for the traffic generated in a certain network segment.
So, a few important points to remember are:
  1. Always make sure you know the environment in which you are testing very well.
  2. Have thorough discussions with the technical teams, including network operations, until you have clarity on the architecture from the source to the target.
  3. Always keep the In-Scope Targets, Approved Source IPs and approvals for conducting the PenTest safe.
  4. Keep the Stakeholders and Security Operations teams informed, e.g. when you plan to start and what you plan to do – best is to send them a detailed execution plan.
  5. If you suspect that “people may not know what they are talking about”, do not start until you get clarity. Be more cautious especially in highly complex network scenarios where multiple vendors are handling multiple network segments.
  6. Start with slow probes on the target and confirm with Security Operations that they are seeing the traffic from your machine to that target and that everything looks normal. It is easier to catch and remediate any abnormal traffic at the initial stages.
     Things will be way more difficult if you start with a heavy Nessus scan at the beginning.
Yes, one may argue: what is a Pen Tester’s fault if the correct information was not passed on? I agree with that too. However, such a mess impacts everyone. Lots of work for various teams kicks in and valuable time and effort is wasted in firefighting.

And at the end of the day, if your observations and cautiousness save this mess, then not only do you get the satisfaction of doing a good job but you also receive loads of appreciation.
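A pre-engagement scope check in the spirit of points 3 and 6 above, added here as an example and not the author's own tooling: it resolves every URL in the test data and refuses to start if any address falls outside the approved target networks, or if the tester's machine is not an approved source IP. The approval data, the hostnames and the offline name-to-address map are all constructed for this example (for a live check, pass lookup=socket.gethostbyname).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed approval data: a Test-environment approval that only covers
# internal (RFC 1918) address space and one approved tester machine.
APPROVED_TARGET_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
APPROVED_SOURCE_IPS = {"10.20.30.40"}

# Constructed name -> address map standing in for DNS so the example runs offline.
# 203.0.113.17 (TEST-NET-3) plays the host that turned out to be live on the Internet.
FAKE_DNS = {
    "app-test.internal.example": "10.10.5.21",
    "www.example-shop.com": "203.0.113.17",
}

def fake_lookup(host):
    """Offline stand-in for socket.gethostbyname; swap in the real one for live checks."""
    return FAKE_DNS[host]

def classify_target(url, lookup=fake_lookup):
    """Resolve one URL from the test data and say whether it lies in an approved network."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no hostname in {url!r}")
    addr = ipaddress.ip_address(lookup(host))
    in_scope = any(addr in net for net in APPROVED_TARGET_NETS)
    return host, str(addr), in_scope

def scope_check(urls, source_ip, lookup=fake_lookup):
    """Return the list of blocking findings; an empty list means probing may start."""
    findings = []
    if source_ip not in APPROVED_SOURCE_IPS:
        findings.append(f"source {source_ip} is not an approved source IP")
    for url in urls:
        host, addr, ok = classify_target(url, lookup)
        if not ok:
            findings.append(f"{host} resolves to {addr}, outside the approved target networks")
    return findings

if __name__ == "__main__":
    test_data = ["https://app-test.internal.example/login", "https://www.example-shop.com/login"]
    problems = scope_check(test_data, "10.20.30.40")
    for p in problems:
        print("STOP:", p)
    print("clear to start" if not problems else "do not start until the scope is clarified")
```

Run it against the real test data before the first probe; a non-empty result is the cue to stop and go back to the stakeholders, exactly as the story above did.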
