560SampleReportV3.0
Internet Infrastructure
Network Penetration Test
Final Report
Prepared for Target Widgets, Inc.
By PenTest, Inc.
September 15, 2009
Sensitive: The information in this document is not to be disclosed outside of
Target Widgets, Inc. or PenTest, Inc. without prior written consent of both
organizations.
Example Pen Test Report ©2008 SANS and Ed Skoudis
Table of Contents
1. Executive Summary (p. 3)
2. Introduction (p. 5)
3. Test Methodology (p. 7)
4. Findings (p. 12)
4.1 High-Risk Findings (p. 13)
4.1.1 VNC Offers Remote Control of Mail Server Across Internet (p. 13)
4.1.2 Guessable Password Allows for Remote Compromise of Mail Server (p. 13)
4.1.3 Unpatched Windows Machine on DMZ Allows Exfiltration of PII (p. 14)
4.1.4 High-Risk: Unencrypted PII on DMZ Server (p. 15)
4.2 Medium-Risk Findings (p. 16)
4.2.1 OpenSSH Flaw Could Allow Unauthorized Access on Linux Server (p. 16)
4.2.2 Excessive Open Ports Indicates Lax Firewall Rules and Hardening (p. 16)
5. Conclusions (p. 18)
1. Executive Summary

This report presents the results of a penetration test of Target Widgets' Internet Infrastructure performed by PenTest, Inc. from March 8, 2009 to March 22, 2009. The test's scope focused on Internet-accessible systems on the 192.168.14.0/24 and 192.168.18.0/24 subnets, which make up the primary DMZ for Target Widgets. The project was focused on finding and exploiting server-side vulnerabilities in a network penetration test to determine Target Widgets' business risk profile associated with Internet-based attacks. Client-side testing, web application manipulation, denial of service, and social engineering were not included in the scope of the project.

As described in more detail in the technical findings in the rest of this report, PenTest, Inc. discovered significant security vulnerabilities in the target infrastructure that pose a high risk to Target Widgets' business. In particular, PenTest's personnel were able to gain access to Personally Identifiable Information (PII) of over 4 million Target Widgets customers. If a malicious attacker were to exploit these flaws to steal this sensitive information, Target Widgets could face brand tarnishment, government investigations, and possibly fines, with significant impact to its business. Compared to other companies in the widget industry, the security of Target Widgets' Internet DMZ was found to be relatively weak.

To address these issues, PenTest, Inc. recommends that Target Widgets employ a series of short-term tactics and long-term strategies to improve security. From a short-term perspective, PenTest, Inc. recommends that Target Widgets take the following actions within one week or less to prevent malicious attackers from compromising the PII:

- Block inbound Virtual Network Computing (VNC) access to DMZ systems from the Internet, managing them from the local console or internal network until Target Widgets selects and deploys a suitably secure remote management tool.
- Change the easy-to-guess passwords for all accounts, especially any accounts used for system administration, on 192.168.14.21, the mail server on the DMZ. Investigate this machine to determine whether malicious attackers compromised the system prior to the PenTest, Inc. project.
- Apply all missing patches to the software on the database server at 192.168.14.57 to lower the chance that it can be compromised. Target Widgets personnel should likewise analyze this machine to determine whether it has already been compromised by attackers.
- Apply an encryption solution to protect all PII stored on sensitive machines, especially on the database server at 192.168.14.57.

While these recommendations will deal with the immediate issues discovered during the test, PenTest, Inc. recommends that Target Widgets' management institute significant changes in the overall security practices of the DMZ environment to ensure that these or related issues do not recur. From a longer-term perspective, PenTest, Inc. recommends that Target Widgets apply the following recommendations over the next thirty to sixty days:
- Select and deploy a secure solution for remote management of servers across the Internet that relies on strong encryption, such as Secure Shell (SSH), IPsec Virtual Private Networks (VPNs), or Secure Sockets Layer (SSL). The solution should also use strong authentication, such as one-time passwords, time-based authentication tokens, or challenge/response tokens.
- Deploy and configure password-complexity enforcement tools on all DMZ systems to prevent users from choosing easy-to-guess passwords. Once such tools are deployed, require users to change their passwords.
- Update the patching policy and process for all servers on the DMZ to ensure that critical patches are tested and deployed within 24 hours of release by the vendor.
- Devise and apply updated hardening documentation for secure configuration of each machine on the DMZ, focusing specifically on disabling unneeded services.
- Review the filtering rules on border firewalls and routers, reconfiguring the devices to close all unneeded ports and services on both an inbound and outbound basis. Allow only those ports with a clear, well-documented business need.
- Determine whether there is a business need to store PII on the DMZ at all. If such access is not required, redesign the associated applications and network so that PII can be stored on an internal protected network.
- Verify the use of encryption for sensitive data throughout the enterprise, ensuring specifically that PII is properly encrypted both in transit across the network and at rest in databases and file systems.
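The short-term VNC-blocking action and the longer-term firewall-rule review above both reduce to the same verifiable question: does any DMZ host expose a port to the Internet that has no documented business need? The following added Python script (not part of the original report or of PenTest, Inc.'s methodology) parses grepable nmap output (`nmap -oG`) for the DMZ ranges and flags every open TCP/UDP port that is either a VNC display port or absent from a per-host allowlist of approved ports. The scan output, hostnames, and allowlist below are constructed assumptions for illustration only; run the same check against a real `nmap -sS -p- -oG` scan taken from outside the border firewall.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -sS -p- -oG -` output for the DMZ ranges named in
# the report. Hostnames and open ports are assumptions for illustration, not
# results from the original engagement.
SAMPLE_GNMAP = """\
# Nmap 4.85 scan initiated as: nmap -sS -p- -oG - 192.168.14.0/24 192.168.18.0/24
Host: 192.168.14.21 (mail.targetwidgets.tgt)\tStatus: Up
Host: 192.168.14.21 (mail.targetwidgets.tgt)\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///, 5900/open/tcp//vnc///\tIgnored State: filtered (65532)
Host: 192.168.14.57 (db.targetwidgets.tgt)\tStatus: Up
Host: 192.168.14.57 (db.targetwidgets.tgt)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///\tIgnored State: filtered (65531)
Host: 192.168.18.10 (www.targetwidgets.tgt)\tStatus: Up
Host: 192.168.18.10 (www.targetwidgets.tgt)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65532)
"""

# Assumed allowlist: the ports each DMZ host has a documented business need to
# expose to the Internet. Anything not listed here should be closed at the
# border firewall, per the report's recommendation.
ALLOWLIST = {
    "192.168.14.21": {(25, "tcp")},                    # mail server: SMTP only
    "192.168.14.57": set(),                            # database server: nothing Internet-facing
    "192.168.18.10": {(80, "tcp"), (443, "tcp")},      # web server: HTTP/HTTPS only
}

# VNC listens on 5900 + display number; displays 0-6 cover the common cases.
VNC_PORTS = range(5900, 5907)

# "Host: <ip> (<hostname>)\tPorts: <entries>[\t...]" lines carry the port list.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+(.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {ip: {(port, proto), ...}} of open ports from grepable nmap output."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        ip, _hostname, ports_field = m.groups()
        for entry in ports_field.split(", "):
            # entry format: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.split("/")
            port, state, proto = int(fields[0]), fields[1], fields[2]
            if state == "open":
                open_ports[ip].add((port, proto))
    return dict(open_ports)


def audit(open_ports, allowlist):
    """Return sorted (ip, port, proto, reason) tuples for every exposure to fix."""
    findings = []
    for ip, ports in open_ports.items():
        allowed = allowlist.get(ip, set())  # unknown hosts get an empty allowlist
        for port, proto in ports:
            if proto == "tcp" and port in VNC_PORTS:
                findings.append((ip, port, proto, "VNC reachable from the Internet"))
            elif (port, proto) not in allowed:
                findings.append((ip, port, proto, "open port without documented business need"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, proto, reason in audit(parse_gnmap(SAMPLE_GNMAP), ALLOWLIST):
        print(f"{ip}\t{port}/{proto}\t{reason}")
```

Against the constructed scan, the script reports POP3 and VNC on the mail server, every Windows and SQL Server port on the database server, and SSH on the web server. Keep the allowlist under change control alongside the firewall rules so that the next scan is judged against the current documented business needs rather than a tester's memory.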
Any questions regarding this report or the penetration test it describes should be directed
to John Smith, the technical lead of the project from PenTest, Inc., at
jsmith@pentestincorporated.tgt or 555-555-5555.
2. Introduction

At the request of Target Widgets' security team, PenTest, Inc. performed a network penetration test of the company's Internet infrastructure from March 8 to March 22, 2009. The goal of the test was to determine whether an attacker on the Internet could gain access to Personally Identifiable Information associated with Target Widgets customers. The scope of the project focused on network penetration testing of services accessible across the Internet. Client-side testing, web application manipulation, denial of service, and social engineering were not included in the scope of the project.

As described in more detail in the technical findings in the rest of this report, PenTest, Inc. discovered significant security vulnerabilities in the target infrastructure that pose a high risk to Target Widgets' business. In particular, PenTest's personnel were able to gain access to Personally Identifiable Information (PII) of over 4 million Target Widgets customers. If a malicious attacker were to exploit these flaws to steal this sensitive information, Target Widgets could face brand tarnishment, government investigations, and possibly fines, with significant impact to its business. Compared to other companies in the widget industry, the security of Target Widgets' Internet DMZ was found to be relatively weak.

The testing was performed under the supervision of Target Widgets employee Jane Doe, with all tests originating from PenTest, Inc.'s security labs located in Big City. Table 1 lists the personnel who participated in the test and analysis activities.
Table 1: Personnel Involved in the Project

Name          | Company              | Role in Project                 | Contact Information
--------------|----------------------|---------------------------------|-------------------------------------------------
John Smith    | PenTest, Inc.        | Tester and test technical lead  | jsmith@pentestincorporated.tgt or 555-555-5555
Sally Johnson | PenTest, Inc.        | Tester                          | sjohnson@pentestincorporated.tgt or 555-555-5556
Jane Doe      | Target Widgets, Inc. | Project coordinator             | jane.doe@targetwidgets.tgt or 555-555-1111
Sam Brown     | Target Widgets, Inc. | DMZ system administrator        | sam.brown@targetwidgets.tgt or 555-555-2222
The test focused on the Target Widgets Internet Infrastructure and its related systems, including servers, firewalls, routers, and other equipment located on the 192.168.14.0/24 and 192.168.18.0/24 subnets. At the outset of this "crystal box" test, Target Widgets personnel provided this network address information, along with a network diagram indicating the overall topology of the network and the operating system type of each target machine. PenTest personnel found that the network diagram accurately reflected the composition of the target network. No deviations were found between the diagram