Vulnerability Testing

VULNERABILITY ASSESSMENTS
AND PENETRATION TESTING
Introduction:
This presentation will be used to illustrate the points of performing vulnerability assessments
and penetration testing.
Topics for discussion will be:
• Differences between a vulnerability assessment and penetration testing
• Vulnerability assessment steps
• Internal vulnerability risk assessment
• Third-party assessment steps
Vulnerability Assessment and Penetration Testing Differences:
Vulnerability Assessment: A security process performed to identify all vulnerabilities present on
a network. Scanning can be performed with a range of different tools. During the testing procedure,
vulnerability data is collected for each scanned device. Once all vulnerabilities are identified, the data
is compiled into a list of specific priorities for review and remediation. Other characteristics of a
vulnerability assessment are listed below:
• Provides vulnerability information such as type, threat value and possibly remediation
resources
• Costs less than penetration testing because of the effort involved; penetration testing requires
different testing resources and/or third-party personnel
• Takes less time to perform than penetration testing due to the testing process
• Tests patching and remediation efforts to ensure vulnerabilities are eliminated and that new ones
haven't appeared due to patching or changes
Vulnerability Assessment and Penetration Testing Differences:
Penetration Testing: A method of evaluating the security baseline of a network by simulating
a network attack. When a penetration test (also known as a pen-test) is performed, all resources,
internal and external, are subject to testing with the goal of gaining access. Other characteristics
of penetration testing are listed below:
• Requires information gathering about network resources (whois, DNS, web research, social
engineering, etc.)
• Detects what resources are vulnerable to attack and attempts to gain access
• Verifies that a system is truly vulnerable, based on the information provided during a
vulnerability assessment
• If significant time is available, penetration testing can be used to expose weaknesses; it
takes more time to conduct than a vulnerability assessment
• Better conducted by a third party to provide an accurate view of security posture
Vulnerability Assessment Steps:
A vulnerability assessment is performed in the following sequence of steps:
1) Create a clearly written scope of work and obtain all permissions to perform the work in scope
• Scope must contain a work plan along with the date and time window of occurrence
• All written approvals must be signed by someone of authority for the customer
2) Create a plan that includes target systems
• Target list will include all servers, network devices, other resources and IP subnets
3) Ensure the scanning tool is ready to perform the task
• Tool must have the latest signatures to ensure accurate scanning
• Test against a device to ensure tools are working properly, to prevent any rescanning
Vulnerability Assessment Steps (Continued):
4) Team review of findings
• Weed out any false positives and other false data
5) Compile a report for management with vulnerabilities listed per resource, threat value and any
remediation assistance.
6) Start the remediation process to close vulnerabilities
Internal Vulnerability Assessment Risk:
When performing an internal vulnerability assessment, there are certain risks that must be
noted, such as:
• Network outages: A person conducting a test who is not experienced may perform the test
incorrectly, or, possibly through no fault of the tester, the test may cause a network outage
because the target resource is overwhelmed. Sometimes an outage can just happen by mere
coincidence and you're in the wrong place at the wrong time. It's best to be prepared.
• Possible interruptions to other networks: While performing scans, service interruptions may
be inadvertently caused to business partners or other third-party systems that connect to the
organization's network.
Third-Party Vulnerability Assessment Steps:
Legal Issues and Ramifications: When performing security testing, it is crucial to have all legal
considerations handled before any work takes place. Also ensure that the scope of work, along with
a clear list of targeted devices, is created and that all non-disclosure documents are signed by both parties.
Any unclear information or misunderstanding can put the tester in jeopardy of criminal charges
for violating laws such as:
• Cyber Security Enhancement Act of 2002
• 18 USC 1030: Fraud and Related Activity in Connection with Computers
Last but not least, make sure all "external" network connections, such as vendors and other third
parties, are clearly identified. Damage to networks that you are not contracted to test
may cause criminal or liability issues.
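The scope rules from the vulnerability assessment steps (a signed scope with a date and time window, a target list of IP subnets) and the warning above about external third-party connections can be enforced mechanically before any scan starts. The Python sketch below is an added example, not part of the original presentation; the Scope class, the function names, and all addresses and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Scope:
    """Signed scope of work: target subnets, excluded ranges, approved window."""
    approved: tuple          # subnets from the signed target list
    excluded: tuple          # third-party links not contracted for testing
    window_start: datetime
    window_end: datetime

def check_target(scope, target, when):
    """Return (allowed, reason) for one target at the planned scan time."""
    try:
        addr = ip_address(target)
    except ValueError:
        return False, "not a valid IP address"
    if not (scope.window_start <= when <= scope.window_end):
        return False, "outside approved date/time window"
    # Exclusions win: a partner link inside an approved subnet stays untouched.
    for net in scope.excluded:
        if addr in ip_network(net):
            return False, f"third-party range {net} is not contracted"
    for net in scope.approved:
        if addr in ip_network(net):
            return True, f"in approved subnet {net}"
    return False, "not on the approved target list"

def build_scan_plan(scope, candidates, when):
    """Split candidates into targets cleared for scanning and targets held back."""
    cleared, held = [], {}
    for target in candidates:
        ok, reason = check_target(scope, target, when)
        if ok:
            cleared.append(target)
        else:
            held[target] = reason
    return cleared, held

# Constructed sample scope and targets (not from the presentation).
SCOPE = Scope(
    approved=("10.20.0.0/16", "192.0.2.0/24"),
    excluded=("10.20.99.0/24",),  # hypothetical vendor VPN segment
    window_start=datetime(2024, 3, 9, 22, 0),
    window_end=datetime(2024, 3, 10, 4, 0),
)
CANDIDATES = ["10.20.1.15", "10.20.99.7", "192.0.2.40", "198.51.100.9"]
if __name__ == "__main__":
    print(build_scan_plan(SCOPE, CANDIDATES, datetime(2024, 3, 9, 23, 30)))
```

Held-back targets keep their reason, so the list can be reviewed with the customer's work sponsor before the scan window opens.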
Third-Party Vulnerability Assessment Steps (Continued):
There are multiple steps taken by third-party personnel to conduct a vulnerability assessment.
The sequence of steps is listed below:
1) Complete all legal documents (NDA, permission to perform assessment, scope of work,
etc.)
2) Compile a list of critical contacts such as:
• On-call personnel
• Management
• Senior management representative (work sponsor)
3) Compile a list of target systems to ensure everything is covered and results are accurate.
Third-Party Vulnerability Assessment Steps (Continued):
4) Perform scanning at the scheduled time and date, while monitoring systems and making
customer contact in the event something doesn't go as planned or causes an outage.
5) Verify with the customer that all systems are fully operational and functional after the scan,
so that business operations are not impacted.
6) Review results to ensure accuracy and remove any false positives or incorrect data.
7) Compile reports for the customer with related information such as description, threat value
and remediation recommendations.
8) Review scan findings with the customer to ensure the vulnerabilities are clearly
communicated.
Reason for Testing to be Outsourced:
In many organizations, the question of whether to perform certain security services in-house or
to outsource them is raised daily. Below are some of the reasons to perform outsourced testing:
• Cost: Employing a small security team will cost more than the benefit it
provides to the organization. Since vulnerability scanning and penetration testing are
performed periodically, local personnel could be trained to handle the daily security
monitoring. The expense of training current personnel would be minimal compared to
hiring fully trained personnel.
Reason for Testing to be Outsourced (Continued):
• Experience: Outsourcers who perform this service daily obtain great experience in
conducting the tests. They have the knowledge and experience to recognize false
positives or other incorrect data, which will produce a more accurate security baseline and
provide the proper data to remediate the security problems.
• Non-biased: Outsourcers have a stake in providing the most accurate information and will
not cover up any underlying problems. They will provide an unbiased opinion based on
knowledge and experience. Internal personnel may overlook items that are security
issues within their responsibilities or simply not be focused due to other job responsibilities.
Reason for Testing to be Outsourced (Continued):
• Cost of tools and other required items: The expense of purchasing and maintaining some
testing tools and other required items can be quite high for a small organization.
Outsourcing relies on the vendors to have these tools to perform the task requested.
• Remediation assistance: Vendors would be able to assist with the remediation effort while
the onsite staff is conducting daily business activities.
• Regulatory requirements: With regard to certain regulatory requirements, high-risk items
may need to be subjected to independent testing and auditing. If the organization fits into
a regulatory requirement, outsourcing would be necessary.
Closing:
In today’s world, security risks are constantly evolving and preventative measures are required to
lower the organization’s risk. The practice of performing periodic vulnerability and penetration
testing will greatly assist in recognizing security issues before they are exploited by an attacker.
Even if an attack occurs, the team would be better prepared to handle the situation through
previous testing and remediation efforts.
Presentation Created By:
Phillip Neil Borne