VULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID: 000205600
What is Penetration Testing?
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a hacker or cracker with the intent of breaking into the network. Its purpose is to identify the possible inroads a malicious source could use to penetrate the network, the business impact a successful exploit would have, and to proffer a remediation strategy should such a weakness, exposure or vulnerability be exploited.
What is Vulnerability Assessment?
Vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. It is a search for these weaknesses/exposures in order to apply a patch or fix to prevent a compromise. The concern is not only the consequences on the object itself but also the impact on the surrounding environment and associates, and the possibilities of reducing such consequences and of improving the capacity to manage future incidents.
Differences between Penetration Test and Vulnerability Assessment
- Vulnerability Assessment is passive and non-intrusive, whereas Penetration Testing is active, i.e. it interacts with the system or network.
- A Vulnerability Analysis works to improve security posture and develop a more mature, integrated security program, whereas a Penetration Test only exposes the security program's effectiveness.
- A Vulnerability Analysis addresses the present vulnerabilities and the fixes for them, whereas Penetration Testing deals with how an external attacker or internal intruder can break in and what they can attain.
- Vulnerability Analysis deals with potential risks, whereas Penetration Testing is actual proof of the risk.
- Vulnerability Analysis identifies and quantifies the security vulnerabilities in a system, whereas Penetration Testing provides the validation of security vulnerabilities.
- A Vulnerability Analysis provides an overview of the weaknesses or flaws in a system, while a Penetration Test provides the impact analysis of the flaws and identifies the possible impact of each flaw on the underlying network, operating system, database, etc.
Vulnerability Analysis Steps
Information Gathering/Discovery: This is the reconnaissance step used to identify and determine the total number of systems and applications running on the network that could be assessed. Information discovery has two phases: non-intrusive and semi-intrusive efforts. Non-intrusive efforts reflect the public gathering of information regarding the target; the target is unaware of these activities, e.g. using the whois utility. Semi-intrusive efforts consist of non-disruptive communication calls between the attacker and target in an effort by the attacker to gain further information regarding the target's systems; the target can detect this (Snedaker S. et al, 2007).
Enumeration: Enumeration is the OS fingerprinting process used to determine the target operating system and the applications that reside on it. Port enumeration helps in mapping vulnerabilities to their respective applications so that network or system resources can be defined and classified. Nmap's scanning facilities suffice to enumerate the service on each port of the target systems (Snedaker S. et al, 2007).
Detection: Detection is the method used to determine whether a system or application is susceptible to attack (i.e., vulnerable). This step does not confirm that vulnerabilities exist; penetration tests do that. The detection process only reports the likelihood that vulnerabilities are present (Snedaker S. et al, 2007).
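As an added illustration of the enumeration and detection steps (example code written for this page, not from the cited sources), the script below parses a constructed Nmap XML fragment into a per-host inventory of open ports and services, then matches service banners against a hypothetical signature table; the hosts, product names and the finding identifier are placeholders, and every match is reported only as a likelihood, as the detection step requires.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML output for two hypothetical hosts (not from the slides).
NMAP_XML = """<nmaprun>
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="ExampleFTPd" version="1.0"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="ExampleHTTPd" version="2.1"/></port>
  <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
 </ports></host>
</nmaprun>"""

# Hypothetical detection signatures keyed on the (product, version) banner.
# A banner match only reports likelihood; confirming exploitability is a
# penetration-test step, so every finding is marked unconfirmed.
SIGNATURES = {("ExampleFTPd", "1.0"): "FINDING-PLACEHOLDER-001"}

def enumerate_services(xml_text):
    """Enumeration: map each host to its open ports and identified services."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        ip = host.find("address").get("addr")
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports expose no application to classify
            svc = port.find("service")
            services.append((int(port.get("portid")), svc.get("name"),
                             svc.get("product"), svc.get("version")))
        inventory[ip] = services
    return inventory

def detect(inventory, signatures=SIGNATURES):
    """Detection: tie each likely vulnerability to the host/port/application exposing it."""
    findings = []
    for ip, services in inventory.items():
        for port, name, product, version in services:
            finding = signatures.get((product, version))
            if finding:
                findings.append({"host": ip, "port": port, "service": name,
                                 "finding": finding, "status": "likely, unconfirmed"})
    return findings
```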
Mitigation Strategies Creation, Report Generation, and Support (Hindupur, 2009).
Risks Involved in Internal Vulnerability Assessment
- During the assessment there may be disruption to the network, which may have an adverse effect on the organization.
- False positives, as a result of the production of voluminous reports: these are vulnerabilities reported by scanning tools which do not actually exist. Automated vulnerability tools are prone to generating such results.
- False negatives miss significant vulnerabilities: these are existing vulnerabilities that evade the scanning tools, which therefore cannot report or flag their presence (Heymann E., Cesar E., Kupsch J., & Miller B., 2009).
- It requires interaction from IT staff and may require limited input from end users (Dirsec n.d.).
- There is a risk of systems malfunctioning after the assessment, which may be a result of the automated vulnerability assessment tools used during the test.
- Hidden files or processes (backdoors) planted by disgruntled or self-serving administrators for whatever purpose may, when discovered, cause opposition from them, and they may even disparage the result of the assessment.
- Some scanners will take longer than expected to complete the hosts in their queue because they are delayed waiting on slow hosts, while other scanners may experience fewer problems and complete their queues more quickly. This leads to a situation where some scanners are idle while others have yet to complete their queue, reducing the overall efficiency of the system. Reporting critical vulnerabilities to the appropriate personnel is time sensitive, so these delays need to be minimized.
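To make the scanner-queue imbalance concrete, the added example below (written for this page, not from the slides or the cited sources) simulates the static per-scanner queue described above against a shared queue in which whichever scanner frees first takes the next host; the host durations are constructed and the shared-queue remedy is an assumption, not something the slides prescribe.

```python
import heapq

# Constructed per-host scan durations in seconds (hypothetical values): one slow
# host and several fast ones, which is exactly what starves a statically assigned queue.
HOST_DURATIONS = {"h1": 100, "h2": 10, "h3": 10, "h4": 10, "h5": 10, "h6": 10}

def static_partition(durations, scanners):
    """Hosts are dealt round-robin to scanners up front; each scanner works only its list.
    Returns (makespan, total scanner-seconds spent idle before the last host finishes)."""
    busy = [0] * scanners
    for i, seconds in enumerate(durations.values()):
        busy[i % scanners] += seconds
    makespan = max(busy)
    return makespan, sum(makespan - b for b in busy)

def shared_queue(durations, scanners):
    """A single shared queue: whichever scanner frees first takes the next host,
    so a slow host no longer blocks the hosts queued behind it on one scanner."""
    free_at = [(0, i) for i in range(scanners)]  # heap of (time scanner is free, scanner id)
    heapq.heapify(free_at)
    busy = [0] * scanners
    for seconds in durations.values():
        t, i = heapq.heappop(free_at)
        busy[i] += seconds
        heapq.heappush(free_at, (t + seconds, i))
    makespan = max(t for t, _ in free_at)
    return makespan, sum(makespan - b for b in busy)

if __name__ == "__main__":
    for name, fn in (("static partition", static_partition), ("shared queue", shared_queue)):
        makespan, idle = fn(HOST_DURATIONS, 2)
        print(f"{name}: all hosts done at {makespan}s, {idle} scanner-seconds idle")
```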
Steps to be Taken in Conducting a Vulnerability Assessment Test with a Third Party
Asset Inventory:
- Identifying, defining and classifying network or system resources
- Assigning relative levels of importance to the resources
Statement of Work (SOW)
This is very important in bringing to light what will make up the contractual agreement for the engagement. It comprises, but is not limited to:
- Description of the project
- Boundaries and limitations
- Cost implication
- Identification of deliverables
Search for a Reputable Security Management Firm
- Does the firm have a track record of successful and reliable assessments in the past?
- Who makes up their assessment team (former black-hat hackers?)
- Do they have IT indemnity insurance?
Policy Compliance
Does the third party's network auditing, assessment, and reporting meet the compliance needs of:
- HIPAA
- GLBA, SB 1386, Sarbanes-Oxley and others
- Automated self-service Payment Card Industry (PCI) compliance certification
Engagement and Contractual Agreement Meeting
- Statement of parties to the contractual agreement
- Authority of signatories to the contractual agreement
- Indemnification, hold harmless, and duty to defend
- Non-disclosure and secrecy agreements
- Crisis management and public communications
Contractual Agreement and Engagement
- Rules of engagement (SOW) agreement
- Methodology overview
- Criticality of information
- Timeline of events
- Letter of authorization
References
Snedaker, S. et al. (2007). Vulnerability Assessment 101. In The Best Damn IT Security Management Book Period. Retrieved from http://mmlviewer.books24x7.com/book/id_25442/viewer.asp?bookid=25442&chunkid=728689526
SANS Institute (2003). Vulnerability Management: Tools, Challenges and Best Practices. Retrieved from http://www.sans.org/reading_room/whitepapers/threats/vulnerability-management-tools-challenges-practices_1267
Rvasi Ethical Hacking Solution (n.d.). Internal Vulnerability Scan. Retrieved from http://www.rvasi.com/services/inscan
Heymann, E., Cesar, E., Kupsch, J., & Miller, B. (September 2009). Vulnerability Assessment for Middleware. Retrieved from https://www.cs.wisc.edu/mist/presentations/heymann-egee-09.pdf
QualysGuard Express data sheet (January 2009). The Easiest Way to Eliminate Vulnerabilities and Ensure Compliance. Retrieved from http://www.securityassessment.com/files/documents/vulnerability%20assessment_qualysguard%20express.pdf
Baker III, G. K. (n.d.). A Vulnerability Assessment Methodology for Critical Infrastructure Facilities. Retrieved from http://www.jmu.edu/iiia/webdocs/reports/facility%20assessment%2005-07.pdf
Hindupur, U. (August 2009). What is the difference between Vulnerability Assessment and Penetration Testing? Retrieved from http://www.ivizsecurity.com/blog/penetration-testing/difference-vulnerability-penetration-testing
Vulnerability Assessment (April 2006). Vulnerability vs Penetration. Retrieved from http://www.darknet.org.uk/2006/04/penetrationtesting-vs-vulnerability-assessment/
Thank You