BANCO PICHINCHA Kaspersky - Threat Modelling - Proposal NOV 2017
May 2017
Knowing about the weakest spots and having recommendations from Kaspersky Lab will allow
you to improve security controls and avoid possible negative impact on your systems from
cybercriminal attacks or insiders.
Kaspersky Threat Intelligence Reporting has no impact on the integrity and availability of the
network resources being inspected. The service is based on non-intrusive network
reconnaissance methods, and analysis of information available in open sources and resources
of limited access.
Knowledge of security flaws and recommendations from Kaspersky Lab will allow you to fix
vulnerabilities and avoid possible negative impact on the IT infrastructure from hacker attacks
or insiders.
The analysis is performed using automated tools and manually by experts. The following
security assessment tools will be used:
Information gathering tools (Maltego, theHarvester and others)
Various general-purpose and specialized scanners (Nmap, MaxPatrol, Nessus, Acunetix
WVS, nbtscan and others)
Complex security assessment solutions (Kali Linux)
Credentials guessing tools (Hydra, ncrack, Bruter and others)
Specialized solutions for web application security assessment (OWASP DirBuster,
Burp Suite, ProxyStrike, various plug-ins for Mozilla Firefox)
Network traffic analyzers (Wireshark, Cain and Abel)
Credentials extraction and management tools (Mimikatz, WCE, pwdump and others)
Specialized tools for various types of attacks (Yersinia, Loki, Responder, SIPVicious and
others)
And others, including limited-access exploits and custom exploitation tools developed by
the Service Provider
Upon request of the Customer, full results of Threat Intelligence could be used for Penetration
Testing (for example, found compromised accounts could be included into dictionaries for
credentials guessing attacks).
By following the approach described above the Service Provider will be able to reveal the
following types of vulnerabilities:
Vulnerable network architecture, insufficient network protection
Vulnerabilities leading to network traffic interception and redirection
Insufficient authentication and authorization in various services
Weak user credentials
Configuration flaws, including excessive user privileges
For penetration testing to be legal and safe, the Customer shall provide a point of contact (a
representative) for all communications on the project, including scope negotiations, resolving
access issues, and providing confirmations for active works. The representative must
be an official employee of the Customer using an e-mail address belonging to the Customer's
domain name (not a third-party intermediary).
The application security assessment service by Kaspersky Lab will allow you to get
information about various vulnerabilities existing in your applications and plan further actions
to mitigate the corresponding security risks. Our experts will use their practical experience and
international best practices to detect security flaws leading to such threats as:
Obtaining unauthorized access to the application or its backend components, including
an ability to get confidential data, modify information, or perform various fraud actions
Performing attacks against application clients and obtaining access to the application
under their accounts
Obtaining important information to plan further attacks
Knowing about security flaws and having recommendations from Kaspersky Lab will allow you
to fix the vulnerabilities and avoid possible negative impact on the applications from hacker
attacks or insiders.
For application security assessment our experts will use the black-box approach:
Black-box: assessment without user credentials, to reveal vulnerabilities available to an
external attacker without any privileges.
The analysis is performed both using automated tools and manually by experts. The following
main security assessment tools will be used:
Various general-purpose and specialized application scanners (Nessus, Acunetix WVS,
Nmap and others)
Threat Modelling
Steps to be followed during the consultancy:
- Identify security objectives
- Examine the critical services tied to the core of the organization.
- Decompose the service chain
- Identify the threats and the different actors and/or potential actors
- Identify vulnerabilities and weaknesses in the security system.
- Perform in-depth Ethical Hacking to identify
- Perform an in-depth intelligence analysis using Kaspersky Lab's specialized systems and
databases.
- Through a process of interviews with the organization's key personnel, we will define the
company's objective, aligned with the security objectives. The organization's vision must be
aligned with the information security strategy, supported by threat intelligence,
cybersecurity and cyberintelligence services.
Empowered by this unique vision, you can focus your defense strategy on the areas
identified as the main targets of cybercriminals, acting quickly and precisely to repel
intruders and minimize the risk of a successful attack.
Using IOCs, YARA rules and the staff of Kaspersky Lab's research and analysis team, an
exhaustive scan will be performed across the entire network in order to verify possibly
compromised workstations, servers and domain controllers.
Approach
The confidentiality, integrity and availability of your IT resources are our top priority.
Kaspersky Lab's experts will take all necessary precautions to avoid any harm to your
environment. All sensitive technical information related to the project (important data,
credentials, assessment results, etc.) will be stored and transferred using strong encryption,
and can be deleted upon your request after project completion.
The project team members are experienced professionals in security assessment with
deep knowledge of this field and are constantly improving their skills (see section 9 for
description of the project team).
As a result of the Penetration Testing service, BANCO PICHINCHA will obtain a report
containing the following:
Conclusions on the current security posture of the analyzed resources (including
description of possible threats)
Description of the project scope
Description of the methodologies and tools used
Description of the vulnerabilities found, information about their severity levels, exploitation
conditions and complexity, and related impact
Demonstration of vulnerability exploitation (for the most critical vulnerabilities)
Recommendations on the elimination of vulnerabilities or implementation of compensating
controls
A resulting list of detected vulnerabilities and corresponding recommendations
By following the approach described above Kaspersky Lab will be able to reveal the following
types of vulnerabilities in your applications:
Absent or insufficient authentication and authorization
Code injection (SQL Injection, OS Commanding, etc.)
Vulnerabilities in the applications’ logic, which could be used for fraud
Mistakes in the implementation of application functions available to a user
Vulnerabilities leading to direct access to system objects (Path Traversal, etc.)
Client-side vulnerabilities (Cross-Site Scripting, Cross-Site Request Forgery, etc.)
Insecure data storage, including lack of encryption
Insufficient entropy of important parameters, such as session identifiers or one-time
passwords, leading to possible guessing by an attacker
As a result of the project the Customer will obtain a report ("BANCO PICHINCHA Application
Security Assessment Report") containing the following:
Conclusions on the current security posture of the analyzed applications (including
description of possible threats)
Description of the project scope
Description of the methodologies and tools used
Description of the vulnerabilities found, information about their severity levels, exploitation
conditions and complexity, and related impact
Demonstration of vulnerability exploitation (for the most critical ones)
Recommendations on the elimination of vulnerabilities or implementation of compensating controls
A resulting list of detected vulnerabilities and corresponding recommendations for every
application
As a result, the Threat Modelling service by Kaspersky Lab provides you with an independent
assessment of the current IT infrastructure’s security posture and evaluates the effectiveness
of implemented security controls.
#     Stage/work                                                                  Duration¹, business days
1     Threat Intelligence Reporting (performed independently from penetration testing)
2     External penetration testing
2.1   External penetration testing (with social engineering)
2.2   External penetration testing – Attack Development (in case of successful penetration)
2.4   Internal penetration testing (remote via VPN)
2.5   Wireless security assessment in two locations in Bogotá (optional, performed
      simultaneously with internal penetration testing)
2.6   Penetration Testing Report preparation and negotiation
3     Threat Evaluation
      Total:
¹ The estimated project duration is preliminary and does not include time taken by the Customer's actions (delays
in providing confirmations for activities, delays in providing or restoring access, delays in scope and report
negotiations, etc.; see section 7 for Liability Limit). The project start date must be negotiated with the Service
Provider individually.
Actions which may lead to a denial of service shall be preliminarily negotiated with a Customer
representative. Such actions shall be conducted on condition of the onsite presence of a
Customer’s employee responsible for the project. If any hardware or software failures occur
during testing, the Service Provider shall inform the Customer about the incident and provide
advisory help in its elimination.
By agreeing to the execution of the work, the Customer accepts the risk of possible negative
consequences of the tests. Due to the fact that some tests completely simulate malicious
attacks, the Customer assumes the obligation to resolve potential disputes related to claims
by Internet service providers or any other legal entities and individuals against the Service
Provider.
The Customer is aware that during penetration testing, availability of services and applications
may be reduced and stored data may be partially modified. The Customer assumes a
commitment to settle potential problems arising in this connection, and shall not bring any
claims against the Service Provider for these reasons.
In the event that organizational or technical issues arise which hamper the testing process,
including ones caused by absent written confirmations from the Customer for certain activities
as requested by the Service Provider, and ones caused by prevention security systems (lack
of network access to the tested resources, blocking of the Service Provider's IP addresses or
accounts, etc.), the Customer shall resolve the issues if the problem is on the
Customer's side. In such cases, the corresponding attack vectors are not considered during
further testing (if the problem is not solved within one business day), or the project schedule
and entire project duration are postponed for the duration of the delay in communications or
access.
The Customer understands that the purpose of the penetration testing service is to bypass
security controls and obtain high privileges in important systems. Vulnerability identification
and exploitation are performed to the extent to achieve this goal. If at least one attack vector
used by the Service Provider leads to high privileges, the service goal is considered to be
achieved. When the attack vector is found, the search for other vulnerabilities (including those
that cannot be used for the purpose of further attack development within the scope of the
service) and attack vectors will only be performed if the Service Provider confirms the
availability of staff resources for these tests.
Utilizing the company’s advanced threat and malware research, analysis and investigation,
Kaspersky Lab has discovered some of the top advanced persistent threats:
Kaspersky Lab utilizes advanced threats analysis, forensics and investigation to help
enterprise customers protect their online services and reputation.
Learn more at www.kaspersky.com.