Part 1 of this series, an overview of vulnerability assessment and penetration testing, is in this article.
What exactly can we do to identify vulnerabilities, and how do we implement a vulnerability assessment?
Security audit – Passive review
All of the steps below are relatively risk-free and have no impact on production systems. However, they are valuable as sources of information for the next steps of the assessment, or they may reveal ‘low-hanging fruit’: easy-to-spot weaknesses.
Quick fixes to improve your security
- Documentation review is often missed during technical assessments, even though it is an essential part of the security audit. It provides an inside view of the organisation’s cybersecurity posture and practices. Documents are reviewed for technical accuracy, adherence to standards, and industry best practice. During the documentation review, the assessor may identify gaps which could lead to the incorrect implementation of systems, security controls, or testing protocols. Subsequent penetration testing scenario plans can use the results of this analysis. For example, if the documentation review shows that a web server is not protected by the Intrusion Detection System, that server should be selected for further and more thorough tests.
- Review of logs and log management is a crucial building block of cybersecurity. Weeks, sometimes months, pass between a data breach and the time it is detected. At RedBlue we see all assessments as two-sided – the red team and the blue team. The red team is responsible for trying to find and exploit the weaknesses, and the blue team is responsible for detecting those attempts. This way, we review the customer’s ability to detect and identify an attack and a data breach. We always try to establish whether the organisation can detect a maliciously acting employee or contractor. We check whether the organisation can detect an ongoing attack performed by an external attacker. And, for example, is the organisation validating login attempts, both successful and failed?
- Firewall and intrusion detection settings review includes validation of rules and rule management techniques from both the security and the performance point of view. This element compares the settings as described in the documentation with those implemented in the systems. We are looking for obvious inefficiencies and weaknesses – such as exposing unnecessary ports to the Internet, or enabling unnecessary signatures within the intrusion detection system.
- System configuration review covers the configuration of operating systems and applications. It identifies systems which have not been hardened and where the appropriate configuration changes have not been applied. This part of the assessment can be largely automated using relevant NIST SCAP and OVAL repository content. Some compliance schemes, such as PCI DSS and FISMA, may require certain configurations to be applied to the systems. An automated scan is efficient and provides consistent, comparable results.
- Network sniffing – capturing network traffic and analysing packets – may provide valuable information, particularly when done behind the firewall and the Intrusion Detection System. The captured traffic can reveal a passive inventory of the systems and, potentially, unencrypted usernames and passwords.
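As an added example, not part of the original article, here is the kind of login-attempt review mentioned in the log review step, run over constructed sshd-style log lines: it flags a source address that fails repeatedly within a short window, and a successful login from a source that had already crossed that threshold. Host names, addresses and the threshold values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style log lines; host names and addresses are not real.
SAMPLE_LOG = """\
Jan 10 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 10 10:00:03 web01 sshd[2102]: Failed password for invalid user oracle from 203.0.113.5 port 51030 ssh2
Jan 10 10:00:05 web01 sshd[2103]: Failed password for root from 203.0.113.5 port 51041 ssh2
Jan 10 10:00:08 web01 sshd[2104]: Failed password for bob from 203.0.113.5 port 51055 ssh2
Jan 10 10:00:12 web01 sshd[2105]: Failed password for bob from 203.0.113.5 port 51060 ssh2
Jan 10 10:00:15 web01 sshd[2106]: Accepted password for bob from 203.0.113.5 port 51071 ssh2
Jan 10 10:02:40 web01 sshd[2110]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Jan 10 10:02:55 web01 sshd[2111]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_events(text, year=2024):
    """Return (timestamp, result, user, source) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def find_suspicious_logins(text, threshold=4, window_s=120):
    """Flag a source with >= threshold failures inside window_s seconds, and any
    success from a source that had already crossed that threshold."""
    recent_failures = defaultdict(list)   # source -> failure timestamps still inside the window
    brute_force = {}                      # source -> failure count when flagged
    success_after_failures = []           # (source, user) pairs that deserve a closer look
    for ts, result, user, src in parse_events(text):
        window = [t for t in recent_failures[src] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            window.append(ts)
            if len(window) >= threshold:
                brute_force[src] = len(window)
        elif len(window) >= threshold:
            success_after_failures.append((src, user))
        recent_failures[src] = window
    return {"brute_force": brute_force, "success_after_failures": success_after_failures}
```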
Security audit – Active discovery and analysis of the targets
This part of the security audit focuses on the technical identification of the target systems within the scope: each system’s model, version, open ports and running processes, compared against threat intelligence, including information about known vulnerabilities. Vulnerability scanning is largely automated, and it can be configured to run continuously, to be triggered by an event, or to run at intervals: for example, monthly, at the end of end-user acceptance testing, after each new build is compiled, or before a new build is shipped to the pre-production system. We often work with our customers to implement a continuously running vulnerability scan, with appropriate alerts about new discoveries such as a newly opened port or a newly discovered vulnerability. There are several types of active discovery which every business can conduct.
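As an added example (not the article’s own tooling), the alerting step of a continuously running scan: two constructed snapshots of a scanner’s results are compared, and new hosts, newly opened ports and newly reported vulnerabilities are raised as alerts, while remediated items are recorded as informational. Addresses are documentation ranges and the vulnerability ids are placeholders, not real advisories.

```python
# Constructed scan snapshots, as a continuous scanner might store them between runs.
# Hosts are documentation addresses; vulnerability ids are placeholders, not real advisories.
PREVIOUS_SCAN = {
    "192.0.2.10": {"ports": {22, 443}, "vulns": {"EXAMPLE-VULN-001"}},
    "192.0.2.11": {"ports": {22, 8080}, "vulns": {"EXAMPLE-VULN-003"}},
    "192.0.2.12": {"ports": {22}, "vulns": set()},
}
CURRENT_SCAN = {
    "192.0.2.10": {"ports": {22, 443, 3306}, "vulns": {"EXAMPLE-VULN-001", "EXAMPLE-VULN-002"}},
    "192.0.2.11": {"ports": {22}, "vulns": set()},
    "192.0.2.13": {"ports": {3389}, "vulns": set()},
}

# New exposure is what the continuous scan should page on; remediation and a host
# dropping out of the inventory are still worth recording.
SEVERITY = {"new_host": "high", "new_open_port": "high", "new_vulnerability": "high",
            "port_closed": "info", "vulnerability_fixed": "info", "host_missing": "medium"}

def diff_scans(previous, current):
    """Compare two snapshots and return a list of alert dicts, most severe first."""
    alerts = []

    def add(kind, host, detail=None):
        alerts.append({"severity": SEVERITY[kind], "type": kind, "host": host, "detail": detail})

    for host, now in current.items():
        before = previous.get(host)
        if before is None:
            add("new_host", host, sorted(now["ports"]))
            continue
        for port in sorted(now["ports"] - before["ports"]):
            add("new_open_port", host, port)
        for port in sorted(before["ports"] - now["ports"]):
            add("port_closed", host, port)
        for vuln in sorted(now["vulns"] - before["vulns"]):
            add("new_vulnerability", host, vuln)
        for vuln in sorted(before["vulns"] - now["vulns"]):
            add("vulnerability_fixed", host, vuln)
    for host in sorted(previous.keys() - current.keys()):
        add("host_missing", host)
    order = {"high": 0, "medium": 1, "info": 2}
    alerts.sort(key=lambda a: (order[a["severity"]], a["host"]))   # stable: keeps per-host order
    return alerts

def alerts_needing_action(alerts):
    """The subset that should open a ticket: anything rated high."""
    return [a for a in alerts if a["severity"] == "high"]
```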
Types of active discoveries
- Network-based assessment is performed remotely and aims at identifying the ports and applications accessible from the network. First, a ‘black-box’ scan is performed in which the assessor does not use any credentials; this simulates a scenario in which malware or an attacker is trying to discover the network. Next, a ‘white-box’ scan is performed, in which the assessor uses various credentials agreed with the customer. An authenticated ‘white-box’ scan provides much more information about configuration, patch installation history, and the processes running on the remote host.
- Wireless scan focuses on the assessment of the wireless network infrastructure only. The assessor reviews the encryption and authentication techniques used by the Wi-Fi network and identifies any vulnerabilities which may be present.
- Web application assessment – the first assessment focuses on checks related to the OWASP Top 10 web application vulnerabilities. It may consist of just a passive review of the entire HTTP session, examining authentication and session handling. It may also include offensive tests such as SQL injection or parameter pollution, among others, to validate the application’s sanitisation of input data. We encourage customers to perform some form of passive assessment as part of the testing cycle. We also assess how likely it is that your site could be used as a relay for attacks against other targets.
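As an added example, not from the original article, a passive check of session handling of the kind described for the web application assessment: it reads a constructed HTTPS response and reports cookies missing Secure, HttpOnly or SameSite, plus absent security headers. The response, the required-header list and the cookie-name hints are constructed assumptions.

```python
# Constructed HTTPS response as seen in a passive review of the session; not from a real site.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Wed, 10 Jan 2024 10:00:00 GMT
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax
X-Content-Type-Options: nosniff
Content-Type: text/html
"""

# Response headers a hardened site is expected to send; their absence is a finding (assumed list).
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy", "x-content-type-options")
# Name fragments that suggest a cookie carries the session or an auth token (assumed list).
SESSION_HINTS = ("sess", "sid", "auth", "token")

def parse_headers(raw):
    """Split a raw response into (lowercase-name, value) pairs, skipping the status line."""
    headers = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def review_session_handling(raw):
    """Return findings about cookie attributes and missing security headers."""
    findings = []
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    for required in REQUIRED_HEADERS:
        if required not in present:
            findings.append(f"missing header: {required}")
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower(): p.split("=", 1)[-1] for p in parts[1:]}
        is_session = any(h in cookie.lower() for h in SESSION_HINTS)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie}: missing Secure (would also be sent over plain HTTP)")
        if is_session and "httponly" not in attrs:
            findings.append(f"cookie {cookie}: session cookie readable from script (no HttpOnly)")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {cookie}: SameSite not set to Lax or Strict")
    return findings
```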