Vulnerability Assessments & Penetration Testing

Clear InfoSec
8 min read · Apr 2, 2019


Seven Stages of PTES and 8th Stage being Re-Scan

“Capitalizing Time and Money in VAPT sometimes Neglected.. Highly Essential…!!!”

Having anti-virus software and firewalls installed and kept up to date is not enough to assume your organization’s data is protected; it is only a matter of time before a vulnerability is exploited in a cyber-attack. Regardless of size (small, medium or large) and sector (IT, medical, etc.), every organization can be the victim of a data breach. Taking the necessary security initiatives helps keep your organization out of “RISK”.

One of the most famous data breaches to date was the Sony Pictures hack.

“There was this horrible moment where I realized there was absolutely nothing at all that I could do.”

- Amy Pascal (former CEO of Sony Pictures)

On November 24, 2014, Sony Pictures was hacked by a group of attackers, which ended in the leak of the company’s confidential data. Several private, not-yet-released Sony films were leaked as well. Timely detection and patch management of network vulnerabilities is recommended for all organizations to prevent exploits of this kind.

“Risk is the product of impact and probability.”

To understand patch management and security assessments, let’s first get an overview of what a vulnerability is, and then look at security assessments.

“A vulnerability can be explained as a weakness or a gap in a network” that opens a path to attack vectors through which an intruder can access the target or run code, eventually leading to a data breach. It is therefore essential for every organization, of any size, to identify and patch these gaps or weaknesses before they can be exploited. Depending on the kind of weakness in a network, vulnerabilities are classified into different types:

· Buffer overflow: The input a user supplies to an application must be stored in memory while it is processed; for most applications that storage is the stack and the heap. Buffer overflow attacks work by corrupting either the stack, the heap, or sometimes both.

· Un-validated input: When browsing, downloading or viewing a file from an untrusted source, be cautious: the input received is not necessarily trustworthy, and a malicious download can open a backdoor that exposes the operating system and more.

· Race conditions: The timing gaps between the steps of an executing program can give an attacker a window to inject malicious code into the program, changing the behavior of the program or task.

· Access control problems: Limiting or restricting each user’s privileges to the tasks they need reduces data misuse, but missing or improperly implemented access control greatly increases the chance of an attack.

· Architecture or design weakness: A system or infrastructure that was not designed securely from the start is open to attack.
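The buffer overflow and un-validated input items above, as an added example that is not code from the original post: a 16-byte stack buffer filled with strcpy, beside the same copy guarded by an up-front length check. The function names and the 16-byte buffer size are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size stack buffer; size chosen for the example */

/* Vulnerable form: the caller's input is never validated before it is copied
 * into a 16-byte stack buffer, so input longer than 15 characters overwrites
 * adjacent stack memory (the buffer overflow described in the text). */
void greet_unsafe(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);              /* unbounded copy: overflows on long input */
    printf("Hello, %s\n", name);
}

/* Hardened form: validate the input length first (the un-validated input the
 * text warns about), reject anything that does not fit, then copy with an
 * explicit bound so the buffer can never be overrun.
 * Returns 0 on success, -1 if the input was rejected. */
int greet_safe(const char *input)
{
    char name[NAME_MAX];
    size_t len = 0;
    if (input == NULL)
        return -1;
    while (len < NAME_MAX && input[len] != '\0')   /* bounded length scan */
        len++;
    if (len >= NAME_MAX)              /* no room for the terminating NUL */
        return -1;
    memcpy(name, input, len + 1);     /* at most NAME_MAX bytes, NUL included */
    printf("Hello, %s\n", name);
    return 0;
}

int main(void)
{
    char oversized[64];               /* constructed input: 63 'A's */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    greet_safe("Mallory");            /* accepted: fits in the buffer */
    if (greet_safe(oversized) != 0)   /* rejected instead of smashing the stack */
        puts("input rejected: too long");
    /* greet_unsafe(oversized) would corrupt the stack; it is never called here. */
    return 0;
}
```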

“New technologies”- “New ways to get HACKED..!!!”

With the growing number of companies adopting cloud technologies, attackers have more opportunity to strike. Whether the organization uses a public, private or hybrid cloud, it can be vulnerable. A vulnerability assessment shows how an organization or environment is exposed to attack by running different types of scans.

Types of vulnerability assessments and Scans:

· Network-based scans: Used to find possible flaws in a network, whether wired or wireless.

· Host-based scans: Used to detect gaps in the hosts or servers on the network.

· Wireless network scans: Assess the strength of an organization’s network security for all wireless devices and networks, and help in securely configuring their connections.

· Application scans: Identify web applications with flaws that could give an attacker a way in.

· Database scans: Identify gaps and weak points in a database that could eventually be exploited by attackers.

· Intrusive and non-intrusive: Working directly on the target system to find gaps in it or its network is known as intrusive scanning, whereas collecting information about the target system or network without interacting with it directly is non-intrusive.

· False positive: Occurs when a scan reports a gap or weakness that does not actually exist.

A vulnerability assessment detects the known vulnerabilities in a network, but preventing an exploit also requires that the patch actually be applied, and a penetration test verifies this. Let’s get an overview of penetration testing, also called a pen test.

“A lawful, simulated attack on a computer system that detects all the possible vulnerabilities and exploitation paths in the system or network is called penetration testing.”

This type of authorized attack falls under ethical hacking. In order to conduct a pen test, a few requirements must be specified:

· A scope document describing what will be examined

· Permission to perform the test

· The skills to attack the resources while minimizing risk and damage

· A detailed strategy for the test

· The necessary resources for conducting the test

Penetration testing involves seven stages, which together are defined in the Penetration Testing Execution Standard (PTES). The seven stages are:

· Pre-engagement interactions: Also called the scope document, this is very important for the organization undergoing the pen test. The scope specifically defines each aspect of the test: how the testers will spend their time and which steps will be performed during the whole process.

· Intelligence gathering: This phase involves collecting as much information as possible about the target to produce actionable intelligence. The more information gathered, the more attack vectors the tester will have available during the pen test.

· Threat modeling: This phase describes the modeling approach used for the pen test. There is no single standard model; it varies depending on the organization’s threats, risks and priorities.

· Vulnerability analysis: The process of identifying the flaws or weaknesses in a system or network that an intruder could leverage for an attack.

· Exploitation: The main objective of this phase is to bypass the security restrictions and gain access to the system or network in a well-planned strike against the identified target assets.

· Post-exploitation: This phase identifies the target’s assets, the areas compromised and the potential gaps or weaknesses, and maintains control of the system for later use. It is conducted under rules of engagement that ensure the target system or network is not put at risk by the testers’ direct or indirect actions, and that the testers follow a mutually agreed procedure throughout the execution.

· Reporting: This provides a detailed record of everything done throughout the pen test. While it is highly recommended to have one’s own customized report format, a basic report is divided into two parts:

· The executive summary: This part of the report helps the reader understand the overall purpose of the test; it gives an overview of the strategic vision of the security program along with the weaknesses that might pose a threat to the organization. It can be broken into the following sections, though not every executive summary needs all of them:

1. Background: This helps the reader in understanding the overall purpose of the test.

2. Overall Posture: A narrative of the general effectiveness of the test and the pen testers’ ability to accomplish the tasks described in the pre-engagement sessions.

3. Risk Ranking/Profile: The complete risk ranking, or profile, is defined and explained in this section.

4. General Findings: A synopsis of the problems found during the penetration test.

5. Recommendation Summary: Detailed information on the tasks needed to resolve the risks identified and classified during the test.

6. Strategic Roadmap: A prioritized plan for remediating the insecure items recognized during the test.

· Technical report: This part explains the technical details of the test and all the technical issues identified. It contains the details of:

1. Scope

2. Information

3. Attack path

4. Impact

5. Remediation suggestions

There are several types of penetration test, depending on the organization’s needs and the priorities of the test being conducted:

· Black box: The tester has no knowledge of the system or network and operates like an outside attacker.

· White box: The tester is given knowledge of the system or network to be tested and simulates an attack by an insider of the organization or environment.

· Gray box: The tester has very limited knowledge of the environment or system being attacked.

Now, the next question is how often an organization needs these assessments to be conducted.

Ideally, every organization should have a penetration test done every year to maintain proper network security; the interval will vary with the size of the organization. A test is also recommended whenever the organization undergoes changes in its environment, such as:

· Addition of new network infrastructure or any application

· Any upgrades to the existing software applications or infrastructure

· New branch openings

· Modifying end-user policies or applying security patches

Having a pen test done is very important. With these security assessments in place, an organization is less prone to cyber-attack.



Written by Clear InfoSec

Clear InfoSec is the subsidiary of Ana-Data Consulting Inc. that provides Information Security Services to help organizations improve their security posture.
