Vulnerability Assessment

1.Introduction

A penetration test is an attack on a computer system carried out with the intention of finding security weaknesses, potentially gaining access to the system, its functionality and its data.

The process involves identifying the target systems and the goal, then reviewing the information available and using the available means to attain the goal. A penetration test target may be a white box (where all background and system information is provided) or a black box (where only basic or no information is provided except the company name). A penetration test can help determine whether a system is vulnerable to attack, whether the defenses were sufficient, and which defenses (if any) were defeated during the test.

2.What is penetration testing?

A penetration test is a proactive and authorized attempt to evaluate the security of an IT infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper configurations, and even risky end-user behavior. Such assessments are also useful in validating the efficiency of defensive mechanisms, as well as end users' adherence to security policies.

Penetration tests are typically performed using manual or automated technologies to systematically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure. Once vulnerabilities have been successfully exploited on a particular system, testers may attempt to use the compromised system to launch subsequent exploits at other internal resources, specifically by trying to incrementally achieve higher levels of security clearance and deeper access to electronic assets and information via privilege escalation.

3.How Often Should You Perform Penetration Testing?

Penetration testing should be performed on a regular basis to ensure more consistent IT and network security management, by revealing how newly discovered threats or emerging vulnerabilities might be exploited by attackers.

In addition to regularly scheduled analysis and assessments required by regulatory mandates, tests should also be run whenever:

  • New network infrastructure or applications are added
  • Significant upgrades or modifications are applied to infrastructure or applications
  • New office locations are established
  • Security patches are applied
  • End user policies are modified

4.Benefits of Penetration Testing:

  • Intelligently manage vulnerabilities
  • Avoid the cost of network downtime
  • Meet regulatory requirements and avoid fines
  • Preserve corporate image and customer loyalty

5.Why Penetration testing?

  • Financial data must be secured while transferring between different systems
  • Many clients are asking for pen testing as part of the software release cycle
  • To secure user data
  • To find security vulnerabilities in an application

6.Penetration Testing Types:

6.1. Social Engineering:

Human error is the main cause of security vulnerabilities. Security standards and policies should be followed by all staff members to defeat social engineering attempts. Examples of such standards include never disclosing sensitive information in email or phone communication. Security audits can be conducted to identify and correct process flaws.

6.2. Application Security Testing:

Software-based methods are used to verify whether the system is exposed to security vulnerabilities.

6.3. Physical Penetration Test:

Strong physical security methods are applied to protect sensitive data; this is especially relevant in military and government facilities. All physical network devices and access points are tested for possible security breaches.

7.Pen Testing Techniques:

  • Manual penetration test
  • Using automated penetration test tools
  • Combination of both manual and automated process
  • The combined approach is the most common, since it identifies the widest range of vulnerabilities

8 Penetration Testing Tools:

Automated tools can be used to identify standard vulnerabilities present in an application. Pentest tools scan code to check whether malicious code is present that could lead to a security breach. They can also verify security loopholes in the system, such as weak data encryption techniques and hard-coded values like user names and passwords.

8.1. Criteria to select the best penetration testing tool:

  • It should be easy to deploy, configure and use
  • It should scan your system easily
  • It should categorize vulnerabilities by severity, so that those needing an immediate fix stand out
  • It should be able to automate verification of vulnerabilities
  • It should generate detailed vulnerability reports and logs
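As an added example (not code from this page or from Agni Information Systems) of what the tool description in section 8 and the criteria in 8.1 amount to in practice, the small scanner below runs a set of rules over a source file, flags hard-coded credentials and weak cryptographic primitives, ranks the findings by severity so the ones needing an immediate fix come first, and emits a line-per-finding report. The rule set, severities and the sample source it scans are constructed for this example and are not the rules of any real product.

```python
import re
from dataclasses import dataclass

# Detection rules: (rule id, severity, regex). These rules and severities are
# assumptions made for this example, not the rule set of any real scanner.
RULES = [
    ("hardcoded-password", "HIGH",
     re.compile(r"""(?i)\b(password|passwd|pwd)\s*=\s*['"][^'"]{4,}['"]""")),
    ("weak-cipher", "HIGH", re.compile(r"\bDES\b")),
    ("hardcoded-username", "MEDIUM",
     re.compile(r"""(?i)\b(username|user)\s*=\s*['"][^'"]+['"]""")),
    ("weak-hash", "MEDIUM", re.compile(r"(?i)\b(md5|sha1)\s*\(")),
]

# Lower rank sorts first, so findings that need an immediate fix come out on top.
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    file: str
    line: int
    text: str


def scan_source(filename, source):
    """Run every rule over every line of `source`; return findings sorted by severity."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, severity, filename, lineno, line.strip()))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.file, f.line))
    return findings


def summarize(findings):
    """Count findings per severity (every known severity is listed, even when zero)."""
    counts = {severity: 0 for severity in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


def report(findings):
    """One line per finding, already in severity order, suitable for a log or a ticket."""
    return "\n".join(f"[{f.severity}] {f.rule} {f.file}:{f.line}: {f.text}" for f in findings)


# Constructed sample source with deliberately weak lines (not real application code).
SAMPLE_SOURCE = """\
import hashlib
DB_HOST = "db.internal"
username = "admin"
password = "Sup3rSecret!"
digest = hashlib.md5(b"data").hexdigest()
cipher = DES.new(key, DES.MODE_ECB)
"""

if __name__ == "__main__":
    results = scan_source("app.py", SAMPLE_SOURCE)
    print(report(results))
    print(summarize(results))
```

Pattern matching of this kind is what the "scan code" step of an automated tool reduces to; the value of the criteria in 8.1 is in the ordering and the report, which let a reviewer go straight to the two HIGH findings (the literal password and the DES cipher) before the MEDIUM ones.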

9.Pen Testing Standards:

PCI DSS (Payment Card Industry Data Security Standard), OWASP (Open Web Application Security Project), ISO/IEC 27002, OSSTMM (The Open Source Security Testing Methodology Manual).

10.Pen test strategies include:

10.1.Targeted testing

Targeted testing is performed by the organization’s IT team and the penetration testing team working together. It’s sometimes referred to as a “lights-turned-on” approach because everyone can see the test being carried out.

10.2.External testing

This type of pen test targets a company’s externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they’ve gained access.

10.3.Internal testing

This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.

10.4.Blind testing

A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that’s performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.

10.5.Double blind testing

A double blind test extends the blind test: the testers are again given little more than the name of the company, and in addition only one or two people inside the organization know that the test is taking place. This exercises the organization's security monitoring and incident response procedures as well as its defenses, and, like a blind test, it can be expensive because of the reconnaissance involved.

11.Penetration testing Services:

11.1 Vulnerability scanning:

This is a straightforward opportunity and a mature offering. The biggest question you’ll face is whether to resell a service offering (like that from Qualys) or to buy a tool and use it internally to scan your customer’s networks and systems. Scanning is one of the requirements for nearly every regulation, so this is an easy step along the path to security assurance, since all of your regulated customers need to scan.

11.2 Infrastructure pen testing:

This offering involves a tool that uses live exploits, like Metasploit or Core Impact. You’ll use live ammunition, so orchestrate these tests with the client to ensure the minimum amount of disruption. You should test all externally visible IP addresses — that’s what the bad guys out there can see and are likely trying to penetrate. You may also want to see what you can find if you attach to a conference room network, one of the softest parts of a customer’s defenses.

11.3 Application pen testing:

Trying to break into applications is probably the most important step nowadays, given that so many attacks directly target applications. You can use a Web application scanner (HP's WebInspect, IBM's AppScan), but you should also invest in people who know how to exploit application logic errors. There's no substitute for a skilled application tester to determine what's broken in an application. Once the initial application is compromised, go directly after the database, where the valuable stuff is. If you can get into the database, the customer is owned. It's much better for you to figure this out than a malicious hacker.
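To make concrete what "what's broken in an application" and "go directly after the database" look like at code level, here is an added example (not code from this page or from Agni Information Systems) of the single most common application flaw a tester reports: a user lookup that splices caller input into its SQL, shown beside the parameterized form that fixes it. The in-memory SQLite table, the function names and the sample input are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the customer's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Flawed version: the caller-supplied value is pasted into the SQL text, so a
    quote character in the input changes the meaning of the query."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Hardened version: the value is bound as a parameter and is never parsed as SQL,
    so the same input is only ever compared against the name column."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(conn, name):
    """Return how many rows each variant hands back for the same input; a lookup that
    returns more than the one expected row is the evidence a tester records."""
    return len(find_user_vulnerable(conn, name)), len(find_user_safe(conn, name))


if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice"))          # ordinary lookup: both variants return one row
    print(compare(db, "' OR '1'='1"))    # malformed input: only the flawed query returns every row
```

The fix is not input filtering but the query shape: once the value travels as a bound parameter, the database never has a chance to read it as SQL, which is why a scanner's finding on the first function should be closed by rewriting it into the second rather than by adding a blacklist.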

11.4 User testing:

This is actually the most fun task for penetration testers. You get to see how gullible most users are. This type of testing can involve emailing fake messages to customer service reps, trying to talk your way into the facility (past security or the receptionist) or even dropping thumb drives in the parking lot to see who will plug them into their machines. Many folks are against social-engineering end users, but not me. Remember, malicious hackers don’t have a set of rules. They use social engineering because it works. Don’t let social engineering surprise your customer and catch them off-guard.

For further assistance, contact us at info@agniinfo.com.

© Copyright 2024 Agni Information Systems (P) Ltd.
