VULNERABILITY ASSESSMENTS AND PENETRATION TESTING


Introduction: This presentation will be used to illustrate the points of performing vulnerability assessments and penetration testing. Topics for discussion will be:
- Differences between a vulnerability assessment and penetration testing
- Vulnerability assessment steps
- Internal vulnerability risk assessment
- Third-party assessment steps

Vulnerability Assessment and Penetration Testing Differences: Vulnerability Assessment: A security process performed to identify all vulnerabilities present on a network. Scanning can be performed with a variety of tools. During the testing procedure, vulnerability data is collected for each scanned device. Once all vulnerabilities are identified, the data is compiled into a prioritized list for review and remediation. Other characteristics of a vulnerability assessment are listed below:
- Provides vulnerability information such as type, threat value and possibly remediation resources
- Costs less than penetration testing because of the effort involved; penetration testing requires different testing resources and/or third-party personnel
- Takes less time to perform than penetration testing due to the testing process
- Tests patching and remediation efforts to ensure vulnerabilities are eliminated and that new ones haven't appeared due to patching or changes

Vulnerability Assessment and Penetration Testing Differences: Penetration Testing: A method of evaluating the security baseline of a network by simulating a network attack. When a penetration test (also known as a pen-test) is performed, all resources, internal and external, are subject to testing with the goal of gaining access. Other characteristics of penetration testing are listed below:
- Requires information gathering about network resources (whois, DNS, web research, social engineering, etc.)
- Detects which resources are vulnerable to attack and attempts to gain access
- Verifies that a system is truly vulnerable, based on the information provided during a vulnerability assessment
- If significant time is available, penetration testing can be used to expose weaknesses; it takes more time to conduct than a vulnerability assessment
- Better conducted by a third party to provide an accurate view of security posture

Vulnerability Assessment Steps: A vulnerability assessment is performed in the following sequence of steps:
1) Create a clearly written scope of work and obtain all permissions to perform the work in scope
   - Scope must contain the work plan along with the date and time window of occurrence
   - All written approvals must be signed by someone of authority for the customer
2) Create a plan that includes target systems
   - Target list will include all servers, network devices, other resources and IP subnets
3) Ensure the scanning tool is ready to perform the task
   - Tool must have the latest signatures to ensure accurate scanning
   - Test against a device to ensure tools are working properly to prevent any rescanning

Vulnerability Assessment Steps (Continued):
4) Team review of findings
   - Weed out any false positives and other false data
5) Compile report for management with vulnerabilities listed per resource, threat value and any remediation assistance.
6) Start the remediation process to close vulnerabilities
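Steps 4 to 6, together with the earlier point about retesting after patching, can be tracked by comparing a baseline scan with a post-remediation rescan. The following is an added example, not part of the original presentation; the hosts, finding ids and the 1-10 threat scale are constructed placeholders, not output from a real scanner.

```python
from collections import defaultdict

# Constructed sample findings: (resource, finding id, threat value 1-10).
BASELINE = [
    ("10.20.5.17", "VULN-A", 9),
    ("10.20.5.17", "VULN-B", 4),
    ("10.20.5.30", "VULN-C", 7),
    ("10.20.5.30", "VULN-D", 2),
]
RESCAN = [
    ("10.20.5.17", "VULN-B", 4),   # patch not applied yet
    ("10.20.5.30", "VULN-E", 8),   # appeared after patching
    ("10.20.5.30", "VULN-D", 2),
]
# Findings the team review (step 4) marked as false positives.
FALSE_POSITIVES = {("10.20.5.30", "VULN-D")}


def reviewed(findings, false_positives=FALSE_POSITIVES):
    """Drop reviewed false positives; key each finding by (resource, id)."""
    return {(h, v): s for h, v, s in findings if (h, v) not in false_positives}


def compare(baseline, rescan):
    """Classify every finding as remediated, still open, or new."""
    before, after = reviewed(baseline), reviewed(rescan)
    status = {}
    for key in before.keys() | after.keys():
        if key in before and key in after:
            status[key] = ("open", after[key])
        elif key in before:
            status[key] = ("remediated", before[key])
        else:
            status[key] = ("new", after[key])
    return status


def report(status):
    """Per-resource listing (step 5), highest threat value first."""
    per_host = defaultdict(list)
    for (host, vuln), (state, score) in status.items():
        per_host[host].append((score, vuln, state))
    return {h: sorted(rows, key=lambda r: (-r[0], r[1]))
            for h, rows in sorted(per_host.items())}


if __name__ == "__main__":
    for host, rows in report(compare(BASELINE, RESCAN)).items():
        print(host, rows)
```
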

Internal Vulnerability Assessment Risk: When performing an internal vulnerability assessment there are certain risks that must be noted, such as:
- Network outages: If the person conducting a test is inexperienced and performs it incorrectly, or possibly through no fault of the tester, a network outage may result because the target resource is overwhelmed. Sometimes an outage can just happen by mere coincidence and you're in the wrong place at the wrong time. It's best to be prepared.
- Possible interruptions to other networks: While performing scans, service interruptions may inadvertently be caused to business partners or other third-party systems that connect to the organization's network.

Third-Party Vulnerability Assessment Steps: Legal Issues and Ramifications: When performing security testing it is crucial to have all legal considerations handled before any work takes place. Also ensure that the scope of work, along with a clear list of targeted devices, is created and that all non-disclosure documents are signed by both parties. Any unclear information or misunderstanding can put the tester in jeopardy of criminal charges for violating laws such as:
- Cyber Security Enhancement Act of 2002
- 18 USC 1030 - Fraud and Related Activity in Connection with Computers
Last but not least, make sure all "external" network connections such as vendors and other third parties are clearly identified. Possible damage to networks which you are not contracted to test may cause criminal or liability issues.
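A pre-scan gate can enforce the signed scope mechanically: each target must fall inside an authorized subnet, must not touch an identified third-party range, and the scan must start inside the approved window. This is an added example, not part of the original presentation; all subnets, the vendor range and the time window are constructed assumptions.

```python
from datetime import datetime
from ipaddress import ip_network

# Constructed sample scope of work; every value here is an assumption.
AUTHORIZED = [ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")]
# External connections identified in the scope as not contracted for testing.
EXCLUDED = {"vendor VPN link": ip_network("10.20.99.0/24")}
WINDOW = (datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 3, 4, 0))


def check_target(target, authorized=AUTHORIZED, excluded=EXCLUDED):
    """Return (allowed, reason) for a single host or CIDR target."""
    try:
        net = ip_network(target, strict=False)
    except ValueError:
        return False, "not a valid IP address or subnet"
    # Exclusions win: a broad target that merely contains a vendor range is
    # rejected so it has to be split before scanning.
    for label, ex in excluded.items():
        if net.version == ex.version and net.overlaps(ex):
            return False, f"overlaps excluded third-party range ({label})"
    for auth in authorized:
        if net.version == auth.version and net.subnet_of(auth):
            return True, f"inside authorized subnet {auth}"
    return False, "not covered by the signed scope of work"


def in_window(now, window=WINDOW):
    start, end = window
    return start <= now <= end


def gate(targets, now):
    """Split a target list into (approved, rejected) before any scan starts."""
    if not in_window(now):
        reason = "outside approved date and time window"
        return [], [(t, reason) for t in targets]
    approved, rejected = [], []
    for t in targets:
        ok, reason = check_target(t)
        (approved if ok else rejected).append((t, reason))
    return approved, rejected


if __name__ == "__main__":
    plan = ["10.20.5.17", "10.20.99.8", "10.20.0.0/16", "172.16.1.1"]
    print(gate(plan, datetime(2024, 3, 2, 23, 0)))
```
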

Third-Party Vulnerability Assessment Steps (Continued): There are multiple steps taken by third-party personnel to conduct a vulnerability assessment. The sequence of steps is listed below:
1) Complete all legal documents (NDA, permission to perform assessment, scope of work, etc.)
2) Compile a list of critical contacts such as:
   - On-call personnel
   - Management
   - Senior management representative (work sponsor)
3) Compile a list of target systems to ensure everything is covered and results are accurate.

Third-Party Vulnerability Assessment Steps (Continued):
4) Perform scanning at the scheduled time and date, while monitoring systems and contacting the customer in the event something doesn't go as planned or causes an outage.
5) Verify with the customer that all systems are fully operational and functional after the scan so that business operations are not impacted.
6) Review results to ensure accuracy and remove any false positives or incorrect data.
7) Compile reports for the customer with related information such as description, threat value and remediation recommendations.
8) Review scan findings with the customer to ensure the vulnerabilities are clearly communicated.

Reason for Testing to be Outsourced: In many organizations the question of whether to perform certain security services in-house or to outsource them is raised daily. Below are some of the reasons to perform outsourced testing:
- Cost: Employing a small security team will cost more than the benefit it provides to the organization. Since vulnerability scanning and penetration testing are performed periodically, local personnel could be trained to handle the daily security monitoring. The expense of training current personnel would be minimal compared to hiring fully trained personnel.

Reason for Testing to be Outsourced (Continued):
- Experience: Outsourcers who perform this service daily gain great experience in conducting the tests. They have the knowledge and experience to recognize false positives or other incorrect data, which produces a more accurate security baseline and provides the proper data to remediate the security problems.
- Non-biased: Outsourcers have a stake in providing the most accurate information and will not cover up any underlying problems. They will provide an unbiased opinion based on knowledge and experience. Internal personnel may overlook items that are security issues within their responsibilities, or simply not be focused due to other job responsibilities.

Reason for Testing to be Outsourced (Continued):
- Cost of tools and other required items: The expense of purchasing and maintaining some testing tools and other required items can be quite costly for a small organization. Outsourcing relies on the vendors to have these tools to perform the task requested.
- Remediation assistance: Vendors would be able to assist with the remediation effort while the onsite staff is conducting daily business activities.
- Regulatory requirements: Under certain regulatory requirements, high-risk items may need to be subjected to independent testing and auditing. If the organization falls under such a regulatory requirement, outsourcing would be necessary.

Closing: In today's world security risks are constantly evolving and preventive measures are required to lower the organization's risk. The practice of performing periodic vulnerability and penetration testing will greatly assist in recognizing security issues before they are exploited by an attacker. Even if an attack occurs, the team would be better prepared to handle the situation through previous testing and remediation efforts.

Presentation Created By: Phillip Neil Borne