CIS 3500
Chapter #4: Threats, Attacks, and Vulnerabilities
Vulnerability Scanning and Penetration Testing

Chapter Objectives
- Explain penetration testing concepts
- Explain vulnerability scanning concepts

Penetration Testing Concepts
- A penetration test (or pen test) simulates an attack from a malicious outsider
- The goal of a pen test is to determine if an attacker can bypass your security and access your systems
- Unlike a vulnerability assessment, which typically just catalogs vulnerabilities, a pen test attempts to exploit vulnerabilities
- It focuses on the most commonly employed threat vectors

Active Reconnaissance
- Reconnaissance is the first step of performing a pen test
- The objective of reconnaissance is to obtain an understanding of the system and its components that attackers may want to attack
- Active reconnaissance testing involves tools that actually interact with the network and systems
- Can provide a lot of useful information, but may alert defenders to the impending attack
Passive Reconnaissance
- Passive reconnaissance is the use of tools that do not provide information to the network or systems under investigation
- Information obtained via search engines such as Shodan
- Information gathering without the actual sending of packets to a system
- Company announces the upgrade or adoption of a particular software package via a PR release

Active vs. Passive Tools
- Active tools modify or send traffic
- Passive tools receive traffic only

Pivot
- Pivoting is a key method used by a pen tester or attacker to move across a network
- The first step is the attacker obtaining a presence on a machine
- Then remotely examine the network to see sections of networks that were not observable from their previous position
- It is not easy to do

Initial Exploitation
- Exploiting the vulnerabilities encountered serves two purposes:
  - It demonstrates the level of risk that is actually present
  - It demonstrates the viability of the mechanism of the attack vector
- The initial exploitation is intended to demonstrate only that a vulnerability is present and exploitable
- One key element to remember is that all activities on a system occur using a compromised account
Persistence
- Persistence is one of the key elements of a whole class of attacks referred to as advanced persistent threats (APTs)
- APTs place two elements at the forefront of all activity: invisibility from defenders and persistence
- APT actors tend to be very patient and use techniques that make it very difficult to remove them once they have gained a foothold

Escalation of Privilege
- Escalation of privilege is the movement from a lower-level account to an account that enables root-level activity
- Attacker uses a normal user account to exploit a vulnerability on a process that is operating at root
- With root access, things like log changes and other changes are possible

Black Box
- Black box testing is a software-testing technique
- Testers using black box techniques typically have no knowledge of the internal workings of the software
- They have no visibility into how the data is processed inside the application
- Web-based applications are typically subjected to a barrage of valid, invalid, malformed, and malicious input
- Black box testing can also be applied to networks or systems

White Box
- White box testing is looking at the internal structures and processing within an application for bugs and vulnerabilities
- A white box tester will have detailed knowledge of the application
- Network assessments where the tester will have detailed knowledge of the network, including but not limited to IP addresses, network routes, valid user credentials, etc.
Gray Box
- In gray box testing the testers typically have some knowledge of the software, network, or systems

Pen Testing vs. Vulnerability Scanning
- Vulnerability scanning is the scanning of a system for vulnerabilities, whether they are exploitable or not
- Penetration testing is the examination of a system for vulnerabilities that can be exploited
- The key is exploitation

Vulnerability Scanning Concepts
- Vulnerability scanning is the process of examining systems and network devices for holes, weaknesses, and issues and finding them before a potential attacker does
- Tools called vulnerability scanners
- Most organizations look at vulnerability scanning as an ongoing process

Passively Test Security Controls
- The passive testing target is the system, not the controls
- If the security controls are effective, then the vulnerability scan may not properly identify the vulnerability
- If the security control prevents a vulnerability from being attacked, then it may not be exploitable
Identify Vulnerability
- If the scanner finds a vulnerability in a system, it makes a log of the fact
- In the end, an enumeration of the vulnerabilities that were discovered is part of the vulnerability analysis report

Identify Lack of Security Controls
- If a vulnerability is exposed, then a security control is needed to prevent the vulnerability from being exploited
- Part of the function of the vulnerability scan is to learn where controls are missing or are ineffective

Identify Common Misconfigurations
- Common misconfigurations include access control failures and failure to protect configuration parameters
- Vulnerability scanners can be programmed to test for these specific conditions and report on them

Intrusive vs. Non-intrusive
- One method is an intrusive test that changes the state of the system
- If the scanner does not directly interact with the specific vulnerability, that is a non-intrusive method
- It can be significantly less accurate in the actual determination of a vulnerability
Credentialed vs. Non-credentialed
- Credentialed scans will be more accurate in determining whether the vulnerabilities exist, as they are not encumbered by access controls
- Non-credentialed scans demonstrate what the system may be vulnerable to against an outside attacker

False Positive
- A false positive is an incorrect finding: the scanner tells you there is a problem when in reality nothing is wrong
- A false negative is when the scanner fails to report a vulnerability that actually does exist: the scanner simply missed the problem or didn't report it as a problem
- Which one is more dangerous?
- Why would we not work on both?

There is no 100 percent secure system, and there is nothing that is foolproof!
Stay Alert!
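Added example (not part of the lecture slides) tying together the Passively Test Security Controls, Intrusive vs. Non-intrusive, Credentialed vs. Non-credentialed and False Positive slides: a toy model in which a non-intrusive, non-credentialed banner check and a credentialed check are run against a constructed host, and each report is split into hits, false positives and false negatives. The host, advisory ids, package names, versions and ports are all hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Host:
    """Constructed picture of one host; not output from any real scanner."""
    banners: dict        # service -> version string visible on the wire
    installed: dict      # package -> (installed version, backported advisory ids)
    blocked_ports: set   # ports a firewall control drops for outside sources

# Hypothetical advisory table: advisory id -> (package, fixed-in version, port).
ADVISORIES = {"ADV-0001": ("httpd", "2.4.50", 80),
              "ADV-0002": ("sshd", "8.5", 22),
              "ADV-0003": ("dbd", "5.7", 5432)}

def version_lt(a, b):
    return tuple(int(x) for x in a.split(".")) < tuple(int(x) for x in b.split("."))

def non_credentialed_scan(host):
    """Outsider's view, non-intrusive: match banners only. A blocking control hides
    the service, and a backported fix leaves the old version string in place."""
    findings = set()
    for adv, (pkg, fixed, port) in ADVISORIES.items():
        banner = host.banners.get(pkg)
        if port not in host.blocked_ports and banner and version_lt(banner, fixed):
            findings.add(adv)
    return findings

def credentialed_scan(host):
    """Local view: reads the installed version and the vendor's backport list, so
    access controls do not limit what it can determine."""
    findings = set()
    for adv, (pkg, fixed, _port) in ADVISORIES.items():
        version, backports = host.installed.get(pkg, (None, set()))
        if version and version_lt(version, fixed) and adv not in backports:
            findings.add(adv)
    return findings

def classify(findings, truth):
    """Split one scan report into hits, false positives and false negatives."""
    return {"hit": findings & truth,
            "false_positive": findings - truth,   # reported, but nothing is wrong
            "false_negative": truth - findings}   # present, but the scanner missed it

# Constructed host: httpd has ADV-0001 backported (banner still says 2.4.49);
# sshd and dbd are unpatched; the firewall blocks 22 and 5432 from outside.
SAMPLE = Host(banners={"httpd": "2.4.49", "sshd": "8.4", "dbd": "5.6"},
              installed={"httpd": ("2.4.49", {"ADV-0001"}), "sshd": ("8.4", set()),
                         "dbd": ("5.6", set())},
              blocked_ports={22, 5432})
TRUTH = {"ADV-0002", "ADV-0003"}   # what is actually present on SAMPLE
```

classify(non_credentialed_scan(SAMPLE), TRUTH) reports ADV-0001 as a false positive and both real advisories as false negatives, while the credentialed scan matches TRUTH exactly.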