Vulnerability Assessments versus Penetration Tests

madunix, Executive Information Technology Director
Name: Fadi Sodah, aka madunix, Electrical Engineering & Telecommunications. University: RWTH-Aachen. Executive IT Director. Own the Moment.
In computing, vulnerability assessment and penetration testing are both used to evaluate systems against an organization's security posture, but they serve different purposes.


Let's first have a look at the definition of some terms:

• Risk — threats × vulnerabilities × consequences

• Threat — something or someone that can take advantage of vulnerabilities

• Vulnerability — the absence of safeguard (vulnerabilities may be the result of poorly or improperly configured systems, known or unknown hardware or software flaws, or operational weaknesses in processes or technical countermeasures).

• Consequence — damage that occurs because the threat took advantage of the vulnerability

• Risk Assessment — identify assets, threats and vulnerabilities

• Risk Analysis — assigns a value to the potential risk

• Vulnerability assessment — identifies weaknesses

• Penetration testing — exploits weaknesses

In order to evaluate the organization's security posture, the following steps should be performed:

• Conduct vulnerability assessments.

• Analyze collected information to identify vulnerabilities and potential for exploitation.

• Conduct authorized penetration tests to evaluate the organization’s security posture.

• Analyze and report the results of a penetration test and make mitigation recommendations.

The difference between Vulnerability Assessment and Penetration Testing

Vulnerability assessment is the process of identifying and quantifying security vulnerabilities in an environment. It is an in-depth evaluation of your information security posture, indicating weaknesses as well as providing the appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.

Vulnerability assessment is normally defined as:


• The process of identifying and quantifying security vulnerabilities in an environment.

• A process that defines, identifies and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure.

• The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.

Vulnerability assessments follow these general steps:


• Catalog assets and resources in a system

• Assign quantifiable value and importance to the resources

• Identify the security vulnerabilities or potential threats to each resource

• Mitigate or eliminate the most serious vulnerabilities for the most valuable resources
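The four general steps above, carried through as a small risk-based prioritization. This is an added example, not code from the article or its author: the asset catalog, scores and findings are constructed, and risk is scored with the article's own definition (risk = threat × vulnerability × consequence), with the asset's value standing in for the consequence of loss.

```python
"""Added example (not from the article): catalog assets, assign them a value,
identify vulnerabilities per asset, and rank what to mitigate first.
risk = threat x vulnerability x consequence, with asset value as the consequence.
Every asset, score and finding here is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int          # consequence of loss, 1 (minor) .. 5 (critical)


@dataclass(frozen=True)
class Finding:
    asset: str          # name of the affected asset
    description: str
    threat: int         # likelihood a threat actor will act on it, 1..5
    vulnerability: int  # absence of safeguards / ease of abuse, 1..5


# Steps 1 and 2: catalog assets and assign a quantifiable value (constructed data)
ASSETS = [
    Asset("customer-db", 5),
    Asset("build-server", 4),
    Asset("intranet-wiki", 2),
]

# Step 3: vulnerabilities identified per asset (constructed data)
FINDINGS = [
    Finding("customer-db", "unpatched database engine with a public remote exploit", 4, 5),
    Finding("customer-db", "verbose error messages reveal schema details", 2, 2),
    Finding("build-server", "outdated TLS configuration", 2, 3),
    Finding("intranet-wiki", "default administrator credentials still set", 5, 5),
]


def risk_score(finding, asset):
    """risk = threat x vulnerability x consequence (asset value)."""
    for score in (finding.threat, finding.vulnerability, asset.value):
        if not 1 <= score <= 5:
            raise ValueError(f"score out of range: {score}")
    return finding.threat * finding.vulnerability * asset.value


def prioritize(assets, findings):
    """Step 4: rank findings so the most serious ones on the most valuable
    assets come first. Returns a list of (score, asset, description)."""
    catalog = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        if f.asset not in catalog:
            # a finding on an uncataloged asset means step 1 was incomplete
            raise KeyError(f"asset not in catalog: {f.asset}")
        ranked.append((risk_score(f, catalog[f.asset]), f.asset, f.description))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked


def mitigation_plan(assets, findings, acceptable_risk):
    """Findings above the acceptable level of risk, in the order to address them;
    anything at or below the threshold is accepted rather than eliminated."""
    return [item for item in prioritize(assets, findings) if item[0] > acceptable_risk]


if __name__ == "__main__":
    for score, asset, desc in mitigation_plan(ASSETS, FINDINGS, acceptable_risk=25):
        print(f"{score:>4}  {asset:<14} {desc}")
```

The threshold passed to mitigation_plan is the "acceptable level of risk" the article mentions: findings at or below it are documented and accepted, the rest are ordered for remediation. The 1..5 scales are an assumption of this example; any consistent ordinal scale works as long as the three factors use the same one.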

Vulnerability assessments can use automated tools to search for known vulnerabilities in systems, applications, and networks. These flaws may include missing patches, misconfigurations, or faulty code that exposes the organization to security risks. Penetration testing could follow the vulnerability assessment to further verify that the vulnerability is exploitable.

The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit if discovered. It is a component of a full security audit. Penetration tests use active tools and security utilities to evaluate security by simulating an attack on a system. A penetration test will verify that a threat exists, then will actively test and bypass security controls, and finally will exploit vulnerabilities in the system.

The Penetration Testing scope should include:

• Determine the likelihood that attack vectors will succeed.

• Identify vulnerabilities.

• Determine the impact on the business if an attack were successful.

• Test the ability of security controls to detect and defend against the attack.

• Provide evidence to support increased investments in security personnel and technology.

Vulnerability Assessment

In a given environment, there should be a security policy in place, together with a security audit that reviews whether the security controls are configured correctly to match the policy (for example, hardware configuration, software configuration, default settings, permissions given to users, etc.).

A vulnerability assessment is an evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system, as represented by information collected from the system. Essentially, the vulnerability assessment determines if the current configuration matches the ideal configuration.

The vulnerability assessment can help identify possible attack vectors and determine whether they have been exploited. Risk assessment depends heavily on vulnerability assessment; it cannot be done without first identifying the vulnerabilities on a system.

The vulnerability assessment process should be performed:

• When new or updated systems are first deployed.

• When new vulnerabilities have been identified.

• When a security breach occurs.

• When the security state of systems needs to be documented.

The vulnerability assessment considers the potential impact of loss from a successful attack as well as the vulnerability of the asset to an attack. A key component of the vulnerability assessment is properly defining the ratings for the impact of loss and vulnerability.

Vulnerability assessments should be done on a regular basis to identify new vulnerabilities. This assessment looks at a specific control or compliance issue.

The vulnerability assessment process consists of the following steps:


• Collect a predetermined set of configuration data from the target.

• Store the collected sample for reference.

• Organize the data to prepare it for analysis and comparison.

• Analyze and document the differences between the current configuration and the baseline.

• Report on the results.
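The five steps above as a baseline comparison. This is an added example, not code from the article or its author: the baseline and the sample "collected" from the target are constructed dictionaries; on a real system the sample would be parsed from the host's configuration files, package metadata and service listing.

```python
"""Added example (not from the article): collect / store / organize / analyze /
report, implemented as a comparison of a collected configuration sample against
a baseline. Baseline and sample are constructed, not taken from a real system."""
import json

# The ideal configuration the system is expected to match (constructed)
BASELINE = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Protocol": "2"},
    "listening_ports": [22, 443],
    "patch_level": "2024-03",
}

# Step 1: a predetermined set of data collected from the target (constructed)
COLLECTED = {
    "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no",
             "Protocol": "2", "X11Forwarding": "yes"},
    "listening_ports": [443, 8080, 22],
    "patch_level": "2023-11",
}


def organize(data):
    """Step 3: normalize the data for comparison (sorted keys, sorted lists)."""
    if isinstance(data, dict):
        return {k: organize(v) for k, v in sorted(data.items())}
    if isinstance(data, list):
        return sorted((organize(v) for v in data), key=str)
    return data


def store_sample(sample, label):
    """Step 2: serialize the sample in a canonical form so it can be kept for
    reference and compared byte-for-byte with later collections."""
    return json.dumps({"label": label, "data": organize(sample)}, sort_keys=True)


def analyze(baseline, current, path=""):
    """Step 4: return (path, expected, actual) for every deviation from the baseline."""
    baseline, current = organize(baseline), organize(current)
    deviations = []
    if isinstance(baseline, dict) and isinstance(current, dict):
        for key in sorted(set(baseline) | set(current)):
            sub = f"{path}/{key}"
            if key not in current:
                deviations.append((sub, baseline[key], None))    # required setting missing
            elif key not in baseline:
                deviations.append((sub, None, current[key]))     # setting not in the baseline
            else:
                deviations.extend(analyze(baseline[key], current[key], sub))
    elif baseline != current:
        deviations.append((path, baseline, current))
    return deviations


def report(deviations):
    """Step 5: human-readable summary of the differences."""
    lines = [f"{len(deviations)} deviation(s) from baseline"]
    for path, expected, actual in deviations:
        lines.append(f"  {path}: expected {expected!r}, found {actual!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(BASELINE, COLLECTED)))
```

A setting that is present on the target but absent from the baseline is reported as a deviation too (here X11Forwarding), because the baseline is meant to describe the whole expected configuration, not only the keys someone remembered to check.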

The first step of a vulnerability assessment is usually a light discovery of the systems that need to be assessed, such as identifying which services are running on the target system and their software and firmware versions. This information can be enough to flag a system as vulnerable or not. For example, if a server runs old firmware that is known to be vulnerable, there is no need to continue the assessment: the system is already known to be vulnerable and exploitable.

After the initial discovery, we can move on to a vulnerability scan. Many tools can perform a vulnerability scan, such as Nessus, Nexpose, GFI, etc. These tools try to match conditions found on the target system against known vulnerabilities. They do not find new vulnerabilities; rather, they rely on a database to identify the presence of known weaknesses.

This stage does not verify or try to exploit the vulnerability; it only lists and ranks the identified weaknesses. False positives are possible at this stage, which is why the vulnerability assessment must continue. The scan can be run with supplied credentials to reduce false positives.

Vulnerability scans may be credentialed, meaning they use credentials to ascertain vulnerabilities at the highest privilege levels, or non-credentialed, meaning they run without credentials to see what an attacker would see from a lower privilege level.

While you may discover more weaknesses with a credentialed scan, you will sometimes want to narrow your focus in order to think like an attacker who does not have administrative access. This can also save time and resources, both of which a credentialed scan may consume more heavily.
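The scanner behaviour described above (matching observed conditions against a database of known weaknesses, and credentialed scans clearing false positives that a banner-only scan reports), as an added example that is not code from the article, its author, or any of the scanners it names. The product names, version numbers, hosts and database entries are constructed placeholders, not real advisories or real software.

```python
"""Added example (not from the article): how a scanner matches observed conditions
against a known-vulnerability database, and why a credentialed scan can clear a
false positive. Products, versions, hosts and VULN-EXAMPLE ids are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KnownVuln:
    vuln_id: str                      # placeholder identifier, not a real advisory
    product: str
    affected_below: tuple             # upstream versions below this are affected
    fixed_in_release: Optional[int]   # vendor package release with a backported fix


# Constructed database of known weaknesses
VULN_DB = [
    KnownVuln("VULN-EXAMPLE-001", "examplesshd", (7, 5), fixed_in_release=21),
    KnownVuln("VULN-EXAMPLE-002", "examplehttpd", (2, 4, 50), fixed_in_release=None),
]

# Constructed observations. 'version' is what a service banner exposes to anyone;
# 'package_release' is only readable by logging in, i.e. with credentials.
HOSTS = [
    {"host": "10.0.0.5", "product": "examplesshd", "version": "7.4", "package_release": 23},
    {"host": "10.0.0.6", "product": "examplesshd", "version": "7.4", "package_release": 18},
    {"host": "10.0.0.7", "product": "examplehttpd", "version": "2.4.52", "package_release": 1},
]


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def scan(observations, credentialed=False):
    """Match each observation against the database. Returns (host, vuln_id, verdict)
    tuples; nothing is exploited, the verdict only reflects what the data shows."""
    results = []
    for obs in observations:
        for vuln in VULN_DB:
            if obs["product"] != vuln.product:
                continue
            if parse_version(obs["version"]) >= vuln.affected_below:
                continue    # upstream version already carries the fix
            verdict = "likely vulnerable (banner match only)"
            if credentialed and vuln.fixed_in_release is not None:
                if obs["package_release"] >= vuln.fixed_in_release:
                    verdict = "not vulnerable (vendor backport present)"
                else:
                    verdict = "vulnerable (confirmed by package release)"
            results.append((obs["host"], vuln.vuln_id, verdict))
    return results


def false_positives(observations):
    """Findings the banner-only scan reports that the credentialed scan clears."""
    cleared = {(h, v) for h, v, verdict in scan(observations, credentialed=True)
               if verdict.startswith("not vulnerable")}
    reported = {(h, v) for h, v, _ in scan(observations, credentialed=False)}
    return sorted(reported & cleared)


if __name__ == "__main__":
    for row in scan(HOSTS, credentialed=False):
        print("non-credentialed:", row)
    for row in scan(HOSTS, credentialed=True):
        print("credentialed:    ", row)
    print("false positives:", false_positives(HOSTS))
```

Host 10.0.0.5 shows the mechanism: its banner version is below the affected threshold, so the non-credentialed scan reports it, but the package release visible with credentials carries the vendor's backported fix, so the credentialed scan clears it. Where the database records no backport, the banner match stands in both modes and still needs the verification stage that follows.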

The last stage, the actual vulnerability assessment, depends on the discovery and scans performed in the earlier stages. This phase tries to verify the vulnerabilities found; the process is automated and done with little or no user interaction.

Penetration Testing

Building on the vulnerability assessment, penetration testing involves exploiting identified vulnerabilities to gain further access. Using this approach we can understand an attacker's ability to gain access to confidential information, to affect data integrity or the availability of a service, and the resulting impact.

Penetration testing is an intentional attack (it simulates a real attack) on a system to discover security weaknesses left either by the security officer who designed the defence strategy or by security controls that are incapable of defending against a given threat.

Penetration testing follows a consistent and complete methodology that allows the tester to use their skills, the output from a range of tools, and their own knowledge of networking and systems to find threats that automated tools could not identify.

Penetration testing can be automated using several tools. Although automated testing is not as accurate or professional as a manual test, it does save time and resources. Automated tests have less impact on network resources and reduce the human mistakes that could damage a system; the main benefit of manual penetration testing, however, is that skilled and expert security professionals are conducting it.

The Penetration testing process consists of the following steps:

• Discovery - Obtain the footprint of, and information about, the target.

• Enumeration - Perform port scans, OS fingerprinting, DNS zone transfers and resource identification.

• Vulnerability mapping - Identify vulnerabilities in systems and resources.

• Exploitation - Attempt to gain unauthorized access by exploiting the vulnerabilities.

• Report - Report the results to management with suggested countermeasures.

The Penetration testing strategies include the following:

• External testing

• Internal testing

• Blind testing - Limited information is given to the penetration testing team

• Double-blind testing - No information is given to the internal security team

• Targeted testing - Both the internal security team and the penetration testing team are aware

Penetration testing can be performed either externally or internally. The difference between external and internal testing is what is tested. External testing aims to exploit identified vulnerabilities to check what information could be exposed to the outside world. Internal testing simulates what an insider attack could accomplish.

The targets are the same as in external penetration testing, but the difference is that the attacker either has authorized access or starts from a point within the internal network. Internal attacks can be far more devastating than external attacks because insiders already know which systems are important within a network and where they are located, something external attackers do not usually know from the start.

Penetration testing implementation guidelines are:

• Use a risk-based approach to determine the preferred scope, method and attack origin for the test.

• Perform the test at least annually, as well as after significant changes to the environment.

• Carefully plan and perform the test to avoid potential availability or integrity impacts.

• Ensure sufficient safeguards are in place to minimize any operational impact.

• Document the outcome and use it as an input to the security update process.

The most important first step for a penetration test is getting permission (obtain documented legal authorization from the system's owner) to conduct the test. A penetration test is a continuous process and should be conducted regularly.

Remember, penetration testing is not complete without testing human behaviour. Educating employees about security threats and cyber-attacks should not be considered a waste of money, but rather an investment in mitigating threats.

Third-Party Penetration Testing

Occasionally, organizations need to work with a third party that conducts penetration tests on their systems, rather than doing these tests in-house. The advantage of relying on a third party is that some attacks will be external and unpredictable, which is not necessarily something you can replicate yourself. It is the organization's responsibility to keep this third party grounded and following strict Rules of Engagement (ROE), which provide the pen tester with guidelines. The ROE define how a pen test will be executed and what constraints will be in place.

In this case, the organization must ensure that the third party:

• Has agreed to a well-defined scope with the relevant constraints.

• Carefully documents its approach to pen testing.

• Carries liability insurance.

• Provides the credentials and professional experience of all its personnel.

• Keeps a log of all testing actions that can be analyzed afterwards.

• Provides well-written reports at the end of the test.

Penetration Testing Considerations

The following factors must be taken into consideration before conducting a penetration test:

• Will the pen test be performed internally or by an external vendor?

• If using an external tester, do they come highly recommended or are they unknown?

• Will the test be conducted in secret or will it be public knowledge?

• Will the test focus on breaking into the system or searching for multiple vulnerabilities?

• Is there a wireless local area network that needs to be included in the test?

• How secure are the physical premises?

• Is there a security awareness program in effect?

• Is social engineering allowed?

• Do employees access the corporate network using a virtual private network?

• Are there clear boundaries for protecting sensitive information during the test?

• Does a written Rules of Engagement (ROE) document exist?

• Will the information security department be involved in the test?

• Have the stakeholders been identified?


Penetration testing is one type of security assessment; security policy creation, risk identification, vulnerability scanning, vulnerability assessment, security auditing and penetration testing give the best result when they are used together to secure an environment.
