
LAMPIRAN B-2-1 Cadangan Pembangunan Sistem MyDFLAB

Published by Muhammad Afzal Nazrin bin Zulkiflee, 2023-07-31 23:34:14


Network Penetration Test
Approach & Methodology © 2021 Nexagate Sdn Bhd. All Rights Reserved.

Our Network Security Assessments are executed based on the following methodology and follow best industry security standards such as ISO 27001:

Step 1 - Network Surveying: Identify domain names, server names, IP addresses, network map and ISP/ASP information.
Step 2 - Port Scanning: Identify IP addresses of live systems, internal network addressing, tunneled & encapsulated protocols, routing protocols and active services.
Step 3 - Vulnerability Scanning & Service Identification: Identify system type, system enumeration, OS type & patch level, service types and service application types & patch level. Identify possible vulnerabilities, list of secured vs. unsecured areas, list of internal or DMZ systems, list of mail servers and naming conventions.
Step 4 - Verification & Exploitation: Attempts to identify the list of actual vulnerabilities minus false positives and attempt to gain complete control by performing commonly known exploits*.

* Due to the disruptive nature of certain exploits, consent will first be obtained from JPN before performing these exploits.


WEB APPLICATION PENETRATION TEST

OBJECTIVES: Ascertain susceptibility of web applications to unauthorized attempts via tweaking of its functionality and programming logic.

KEY ACTIVITIES: Web Application Penetration Testing shall be carried out from an "entry point" perspective, i.e. from the point of end-user access (public internet/Intranet gateway), based on a 3-step methodology:
1. Web Services Identification
2. Application Vulnerability Test
3. Exploit test and verification

EXPECTED RESULTS: Identify vulnerable web applications and the respective application-specific vulnerabilities.




Our Web Application Penetration Test is executed in 3 phases:

Phase 1 - Web Services Identification: Web services identification is the process of connecting to TCP or UDP ports on the target application to determine what type of web services are running or in a LISTENING state. The objectives of identifying the web services are:
• To identify both TCP and UDP web services running on the target system (HTTPS, HTTP)
• To identify the type of applications running on the target system
• To identify specific applications or versions of a particular platform
Also, based on application banners obtained, a best guess would be derived.

Phase 2 - Application Vulnerability Test and Findings: Upon identification of the possible applications and services running, the following checks are performed:
• Perform checks to identify possible applications currently running
• Perform vulnerability assessment to identify possible application vulnerabilities
• Perform checks to identify risky services/daemons executed by the applications

Phase 3 - Exploit Test and Verification: Customized scripts and potential exploits will be executed upon the agreed schedule date and time. Based on the identified vulnerabilities, the list of selected customized scripts would be enabled based on the test scope. We will advise any precautions which the user may need to take before a test is performed. Generally, no precautions need to be taken, as we do not perform destructive testing. However, we advise that application data be backed up regularly and tested.


The security assessment includes checks for application security issues which will cover, but are not limited to, the following:

1. Input Validation: Information from web requests must be validated before being used by an application. Independent of client side validation using JavaScript or otherwise, the parameters must also be validated at the server end.
2. Authentication and Session Management: Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions.
3. Authorization: Access control, sometimes called authorization, is how an application grants access to content and functions to some users and not others. These checks are performed after authentication and govern what "authorized" users are allowed to do.
4. Exception Management: Improper handling of errors can introduce a variety of security problems for a web site. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed.
5. Configuration Management: This is to examine how effectively the administration interfaces & sensitive configuration data are secured, if the application provides an administration interface that allows it to be configured.


6. Sensitive Data: Most applications have a need to store sensitive information, either in a database or on a file system somewhere. The information might be passwords, credit card numbers, account records, or proprietary information. Frequently, encryption techniques are used to protect this sensitive information.
7. Cryptography: The web service consumer's identity shall be validated before being allowed to invoke a web service. The web service consumer shall also validate the identity of the vendor's application.
8. Canonicalization, Locale and Unicode: Ensuring the application is robust when subjected to encoded, internationalized and Unicode input.
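As an added illustration of checks 1 and 8 above (example code, not part of the proposal or of Nexagate's tooling), the following Python sketch shows what "validated at the server end" on canonical input means in practice: a request parameter is percent-decoded to a fixed point, NFKC-normalised and only then compared against an allow-list, so encoded or look-alike variants that slip past a client-side JavaScript check are judged on their decoded form. The `report` parameter, its `.pdf` allow-list and the probe strings are constructed for the example.

```python
"""Server-side validation of a 'report' request parameter on its canonical form.

Constructed example for checks 1 (Input Validation) and 8 (Canonicalization,
Locale and Unicode): the parameter name, allow-list and probes are made up.
"""
import unicodedata
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bound the decode loop so nested "%25..." cannot spin forever


class ValidationError(ValueError):
    """Raised when a parameter fails canonicalisation or the allow-list."""


def canonicalize(raw: str) -> str:
    """Reduce a request parameter to one canonical form before any check.

    1. Percent-decode until the value stops changing (double encoding such as
       %252e is a classic way past a one-pass filter), giving up after
       MAX_DECODE_ROUNDS layers.
    2. Apply Unicode NFKC so compatibility characters (e.g. fullwidth solidus
       U+FF0F) collapse to their ASCII equivalents before the allow-list runs.
    3. Reject control and format characters (Unicode category C*), which have
       no legitimate place in a file name.
    """
    value = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValidationError("too many encoding layers")
    value = unicodedata.normalize("NFKC", value)
    if any(unicodedata.category(ch).startswith("C") for ch in value):
        raise ValidationError("control character in input")
    return value


def validate_report_name(raw: str) -> str:
    """Allow-list check: <[A-Za-z0-9_-]+>.pdf with no path separators.

    The check runs on the canonical form, not on the raw bytes, so a client
    that skipped or tampered with the JavaScript validation gains nothing.
    """
    canonical = canonicalize(raw)
    if "/" in canonical or "\\" in canonical:
        raise ValidationError("path component not allowed")
    stem, dot, ext = canonical.rpartition(".")
    if dot != "." or ext.lower() != "pdf" or not stem:
        raise ValidationError("only .pdf reports may be requested")
    if not all(ch.isascii() and (ch.isalnum() or ch in "-_") for ch in stem):
        raise ValidationError("report name must match [A-Za-z0-9_-]")
    return canonical


if __name__ == "__main__":
    # Constructed probes: the first two are legitimate; the rest are encoded,
    # look-alike or malformed variants the server-side check must reject.
    for probe in ["quarterly-2021.pdf", "Q1%2D2021.PDF", "%252e%252e%252fsecret.pdf",
                  "annual\uff0fall.pdf", "report%00.pdf", "%25252525252e.pdf", "notes.txt"]:
        try:
            print(f"{probe!r:34} -> accepted as {validate_report_name(probe)!r}")
        except ValidationError as exc:
            print(f"{probe!r:34} -> rejected: {exc}")
```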


HOST ASSESSMENT (OPERATING SYSTEMS)

OBJECTIVES: Ascertain how robust the systems are to a direct frontal break-in attempt.

KEY ACTIVITIES: The Host Assessment is performed at System Level - Focuses on the security configuration of the Operating System (Windows, Linux, etc).
Phase 1: Review System security configurations
Phase 2: Recommend Improvements

EXPECTED RESULTS: List of non-compliant security configurations based on best practices.


The Host Assessment seeks to ascertain how robust the systems are to a direct frontal break-in attempt. This is a risk scenario in which all perimeter defenses have now been breached, and the only barrier between the attacker and the information residing on the system is the state of its hardening.

The objective of this exercise is to audit the security configuration of the servers to find out possible weaknesses or imminent vulnerabilities, which could be exploited either "in-isolation" or "in-correlation" with others (for example application-layer vulnerabilities). The Host Assessment focuses on the security configuration of the Operating System of Servers (Windows, Linux, etc.)


HOST ASSESSMENT (NETWORK/SECURITY DEVICES)

OBJECTIVES: Perform review of security configurations of network devices.

KEY ACTIVITIES: Targets network devices located within the same LAN.
1. Review System security configurations, End-of-Life (EOL), current version, firewall rules, etc.
2. Recommend Improvements

EXPECTED RESULTS: List of security configuration vulnerabilities with recommendations.


We will perform selective testing of devices such as routers, firewalls and IDS/IPS. The objective of these tests is to verify/validate that the devices are functioning according to their configured security settings.

1. Router testing:
• Verify the router type with information collected from intelligence gathering
• Verify if the router is providing network address translation (NAT) and port address translation (PAT)
• Verify the penetration from strategically determined packet TTL settings

2. Firewall testing:
• Verify the viability of SYN stealth scanning through the firewall for enumeration
• Measure the use of scanning with specific source ports through the firewall for enumeration
• Measure the ability of the firewall to handle overlapped fragments, tiny fragments
• Ability to manage an ongoing series of SYN packets, response to packets with the RST flag set and management of standard UDP packets
• Verify Access Control policy

3. IPS/IDS testing:
• Verify IPS/IDS type with information collected
• Test signature sensitivity
• Verify and test IDS/IPS capability based on various approaches.


HOST ASSESSMENT (DATABASE)

OBJECTIVES: Ascertain how robust the systems are to a direct frontal break-in attempt.

KEY ACTIVITIES: Focuses on the security configuration of the Database.
Phase 1: Review Database security configurations
Phase 2: Recommend Improvements

EXPECTED RESULTS: List of non-compliant security configurations based on best practices.


Database Security Assessment

The Database Security Assessment seeks to ascertain how robust the Database is to a direct frontal break-in attempt. This is a risk scenario whereby an attacker is already in the internal network and the only barrier preventing him from accessing sensitive data in the database is the state of its hardening, i.e. how securely the Database is configured.

During this exercise our consultants will audit the security configuration of the database to find out possible weaknesses or imminent vulnerabilities due to misconfiguration or default/weak settings. The audit is performed by using a combination of automated tools and manual checks.

Among the Database configuration checks are:
• User Account Setup and Privileges
• Access Controls
• Database Organization/Schema
• Audit Policy & Logging Settings
• Default configuration and setup

The Database Security Assessment can be performed on any kind of database including MSSQL, MySQL, Oracle, Sybase and even Informix.


APPLICATION PERFORMANCE TEST

OBJECTIVES: Provide a strategic assessment to evaluate the overall level of application and system responsiveness, throughput, reliability and scalability under various given workload levels. It is also meant to help establish the performance acceptance criteria for application service delivery.

KEY ACTIVITIES:
1. Identify the Test Environment
2. Identify the Performance Acceptance Criteria
3. Plan and Design the Tests
4. Configure and Test the Test Environment
5. Execute the Test

EXPECTED RESULTS: Remediation actions and recommendations with the intention of providing incremental improvements to overall application service delivery.


Load Test

The most common purpose of Application Load Tests is to determine the Application's behavior under both normal and anticipated peak load conditions.

We will start with a small number of virtual users and then incrementally increase the load from normal to peak. We will then observe how our application performs during this gradually increasing load condition. Eventually, we will cross a threshold limit for our performance acceptance criteria.

The following steps are involved in our load-testing process:
Step 1 - Identify performance acceptance criteria
Step 2 - Identify key scenarios
Step 3 - Create a workload model
Step 4 - Identify the target load levels
Step 5 - Identify metrics
Step 6 - Design specific tests
Step 7 - Run tests
Step 8 - Analyze the results


Stress Test

Stress testing is a type of performance testing focused on determining an application's robustness, availability and reliability under extreme conditions. With application stress testing, we are likely to uncover defects related to data locking and blocking, network congestion, and performance bottlenecks on different components or methods across the entire application. It is also common to find defects related to race conditions and general memory leaks from shared code or components.

The objective of stress testing is to identify application issues that arise or become apparent only under extreme conditions. These conditions can include heavy loads, high concurrency, or limited computational resources. Proper stress testing is useful in finding synchronization and timing bugs, interlock problems, priority problems, and resource loss bugs.

The idea is to stress a system to the breaking point in order to find bugs that will make that break potentially harmful. The tested system is not expected to process the overload without adequate resources, but to behave (e.g., fail) in an acceptable manner (e.g., not corrupting or losing data).


The following steps are involved in our stress-testing process:
Step 1 - Identify objective
Step 2 - Identify key scenarios
Step 3 - Identify workload
Step 4 - Identify metrics
Step 5 - Create test case
Step 6 - Simulate load
Step 7 - Analyze the result

Both tests will be performed in a stand-alone environment (i.e. test environment) to eliminate any external contributing factors (such as network congestion) in order to obtain accurate results. The application load test and stress test can be further customized for close simulation of the actual user's environment such as:
i. Simulation of real user's activities
ii. Different user behaviour in one test
iii. Testing of dynamic response of the web application
iv. Load level definition
v. Testing of HTTPS site with SSL content
vi. To support different platforms and technologies


3.4 Post-Assessment Phase


ANALYSIS & REPORTING

OBJECTIVES: Document assessment findings and respective recommendations.

KEY ACTIVITIES: Security Posture Assessment reports are divided according to the following:
1. Executive Summary
2. Summary of Findings
3. Detail Findings
Each finding documented in the SPA reports is assigned a risk rating of High, Medium, Low or Informational. Also, as part of the SPA Key Performance Indicator (KPI), each finding shall be referenced to the relevant ISO/IEC 27001 Annex A controls.

EXPECTED RESULTS: Set of reports based on the respective SPA activity.


After successfully completing all assessment activities, findings and recommendations will be documented in a Security Posture Assessment report, which is divided according to the following:

1. Executive Summary: This section contains a high-level write-up of the project, the findings presented using graphical charts, and a summarized conclusion intended for top management.
2. Summary of Findings: A table summarizing the findings is included to provide an umbrella view of findings and for ease of reference, intended for mid management or Managers.
3. Detail Findings: The detail findings include details of the finding itself, the risk impact and the consultant's recommendation. As the purpose of this section is to assist the working level with the remediation/mitigation activities, step by step instructions as well as screenshots are also included.

* Please refer to Sample Reports in Section 20 of the Technical Proposal.


Each finding documented in the SPA reports is assigned a risk rating. The risk rating is classified as Critical, High, Medium, or Low. These are explained in the table below:

CRITICAL: Should be addressed immediately; imminent threat to affected system(s)
Critical risk level findings are the highest priority problems. These represent vulnerabilities that, if successfully exploited, would lead to code execution, privilege escalation, full system and network compromise. Other types of vulnerabilities rated as Critical Risk Level include (but are not limited to):
• Buffer Overflows
• Format String Attacks
• Default Login Credentials
• Known Backdoors
• Misconfigurations
A fairly large number of worms (ex: Sasser, Code Red, Nimda) and malwares were known to take advantage of these types of vulnerabilities to propagate themselves and cause disruptions.

HIGH: Immediate attention is recommended
High risk level findings are vulnerabilities that may provide hackers with remote access to specific information stored on the host, including security settings and file-system. Examples of high-risk level findings include: read and/or write capabilities on the file system, partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, susceptibility to denial of service (DoS) attacks, vulnerabilities that will jeopardize the integrity of the system, and unauthorized use of services (for example, mail relaying).


MEDIUM: Inspection is recommended
Medium risk level findings are vulnerabilities that may expose some sensitive information from the host, such as precise versions of services, or vulnerabilities that may be exploited in certain conditions such as an insecure protocol. With this information, hackers could research potential attacks to try against a host.

LOW: Informative, minimal actions needed
Low risk level findings are not vulnerabilities; instead they are information such as services running and open ports which may be in use by the system. It is suggested for low risk level findings to be always monitored and secured by IDS and firewall configuration.


[Figure: Sample of Findings]


HARDENING WORKSHOP

OBJECTIVES: Assist & manage mitigation measures based on assessment recommendations.

KEY ACTIVITIES: Mitigation/hardening recommendations shall be documented in the SPA reports. Additionally, Nexagate will assist to guide the client (and their respective vendors) on how to perform the mitigation and hardening exercise. As a value added service, the hardening status of affected resources will be monitored and tracked using our own Remediation Ticketing System.
• Presentation & discussion of SPA findings with system vendors and system administrators
• Monitoring & tracking of hardening status through the use of the "Remediation Ticketing System"

EXPECTED RESULTS: Workshop will be scheduled according to the respective information systems, whereby it shall be attended by the respective administrator and vendor.


POST REVIEW

OBJECTIVES: Verify mitigation status (Open/Close) of all findings discovered.

KEY ACTIVITIES: Last sweeping audit of all Information Systems which were found with vulnerabilities and with recommendations to rectify them.
Note:
• As auditors, the same Nexagate consultants cannot be involved in direct rectification activities, for independence and objectivity.
• Post Review Testing is after JHEKS has rectified the findings as per Nexagate's recommendations.
• The Post Review Testing shall take place ONLY upon notification by JHEKS on readiness to commence the review.

EXPECTED RESULTS: Respective reports are updated with the mitigation status of all findings discovered.


3.5 Security Testing Tools

