
Chapter 1: Introduction to Vulnerability Assessment and Penetration Testing
Ethical Hacking and Penetration Testing [1]
• Definition of a hacker by the NIST Computer Security Resource Center (CSRC):
  “Unauthorized user who attempts to or gains access to an information system”

- Sun Tzu, The Art of War
Ethical Hacking and Penetration Testing [1]
• Ethical Hacking/Penetration Test vs Non-ethical Hacking
• Ethical Hacker/Penetration Tester
  • Acts as an attacker and evaluates the security posture of a computer network for the purpose of minimizing the risk of cyber threats
  • Reports the findings to the vendor or customer, to make the system more secure
• Non-ethical Hacker
  • Acts with malicious intent
  • Uses the vulnerabilities found to gain unauthorized access to a target network/system
  • Discloses vulnerabilities publicly without working with the vendor, which may lead to the compromise of networks/systems by others
Ethical Hacking and Penetration Testing [1]
Why do we need to do Penetration Testing?
• To find any possible paths of compromise before malicious hackers do.
• To check whether the defense-in-depth strategy (e.g. antivirus, firewalls, intrusion prevention systems (IPSs), web application firewalls (WAFs), VPNs) is effective and actually protects networks and systems.
• To check whether the right data is protected.
• To re-evaluate the security posture when the attack surface changes, as networks and systems change constantly.
Ethical Hacking and Penetration Testing [1]
• Threat Actors:
  • Organized Crime
    • Well-funded and motivated groups that use the latest attack techniques (e.g. ransomware), usually for monetary gain
  • Hacktivists
    • Not motivated by money, but by making a point or furthering their beliefs, using cybercrime as their method of attack
    • Steal sensitive data and then reveal it to the public to embarrass a target or to harm the target financially
Ethical Hacking and Penetration Testing [1]
• Threat Actors:
  • State-sponsored attackers
    • Employed by governments to research vulnerabilities, create exploits, and perform cyber attacks on other nations (cyber war and cyber espionage)
  • Insider Threats
    • Threats that come from inside an organization
    • Employees who
      • may be tricked into divulging sensitive information
      • mistakenly click on malicious links that allow attackers to gain access to their computers
      • are motivated by revenge or money
Ethical Hacking and Penetration Testing [2]
• Threat Actors:
  • Script Kiddie
    • A person uneducated in hacking techniques who simply makes use of freely available (but often outdated) tools and techniques found on the Internet.
Vulnerability Assessment VS Penetration Testing [2]
• Security assessments can be one of two types:
  • Vulnerability Assessment
    • Scans and tests a system or network for existing vulnerabilities but does not intentionally exploit any of them.
    • Uncovers potential security holes in the system and reports them to the client for their action.
    • It does not fix or patch vulnerabilities, nor does it exploit them. It only points them out for the client’s benefit.
  • Penetration Testing
    • Actively seeks to exploit vulnerabilities on target systems or networks.
    • Shows the potential consequences of a hacker breaking in through unpatched vulnerabilities.
    • Carried out by highly skilled individuals according to an agreement (including limitations and constraints) signed before testing begins.
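The vulnerability-assessment half of that distinction (identify and report, never exploit) in working code. This is an added example written for this page, not code from the lecture or from references [1] or [2]: it matches an inventory of installed software versions against an advisory feed and reports which hosts run a version older than the fix. The advisory IDs, product names, hostnames and version numbers are constructed placeholders, and the version-comparison rule is a simplification of real versioning schemes.

```python
"""Minimal vulnerability assessment by version comparison (added example).

A vulnerability assessment only reports known-vulnerable components; nothing
on the target is touched or exploited. All advisory IDs, products, hosts and
versions below are constructed placeholders, not real advisories or CVEs.
"""
from dataclasses import dataclass


def parse_version(text):
    """Split '1.10.2' into (1, 10, 2) so that 1.10 sorts after 1.9.
    Plain string comparison gets this wrong ('1.10' < '1.9')."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is older than version b. Shorter tuples are padded
    with zeros so that 2.0 and 2.0.0 compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE
    product: str
    fixed_in: str      # first version that is no longer affected
    severity: str
    summary: str


# Constructed advisory feed (placeholder IDs and products).
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "examplehttpd", "2.4.10", "high",
             "remote code execution in request parser"),
    Advisory("ADV-PLACEHOLDER-002", "examplehttpd", "2.4.3", "medium",
             "information disclosure via error page"),
    Advisory("ADV-PLACEHOLDER-003", "exampledb", "10.2.0", "critical",
             "authentication bypass"),
]

# Constructed software inventory: (host, product, installed version).
INVENTORY = [
    ("web01.example.test", "examplehttpd", "2.4.9"),
    ("web02.example.test", "examplehttpd", "2.4.10"),
    ("db01.example.test", "exampledb", "10.1.7"),
    ("app01.example.test", "examplecache", "5.0.1"),
]


def assess(inventory, advisories):
    """Return one finding per (host, advisory) where the installed version is
    older than the fixed version, most severe first. Pure inventory-versus-
    advisory matching: no probe is sent to any host."""
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product == product and version_lt(version, adv.fixed_in):
                findings.append({
                    "host": host, "product": product, "installed": version,
                    "advisory": adv.advisory_id, "fixed_in": adv.fixed_in,
                    "severity": adv.severity, "summary": adv.summary,
                })
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: (order.get(f["severity"], 9), f["host"]))
    return findings


def report(findings):
    """Render findings as the kind of lines handed to the client for action."""
    return "\n".join(
        f"[{f['severity'].upper()}] {f['host']}: {f['product']} {f['installed']} "
        f"< {f['fixed_in']} ({f['advisory']}: {f['summary']})"
        for f in findings
    )


if __name__ == "__main__":
    print(report(assess(INVENTORY, ADVISORIES)))
```

With the constructed data, db01 (exampledb 10.1.7, critical) and web01 (examplehttpd 2.4.9, high) are reported; web02 is already at the fixed version and app01 has no matching advisory. The numeric version split is what keeps 2.4.9 correctly below 2.4.10.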
Penetration Testing Methodologies [1]
Why do we need to follow a methodology for Penetration Testing?
• To avoid scope creep (unexpected expansion of scope, which may affect budget, timeline and workflow)
• To show that the methods you plan to use for testing are tried and true
• To provide documentation of a specialized procedure that has been used by many people
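Scope creep is kept in check in practice by testing every intended target against the signed rules of engagement before any testing activity starts. The following is an added example, not code from the lecture or its references: the RULES_OF_ENGAGEMENT structure, hosts and domain names are constructed placeholders, and the IP ranges are drawn from the RFC 5737 documentation ranges. It also covers the cases that commonly cause trouble: an explicitly excluded host inside an in-scope network, a subdomain of an in-scope domain, and a lookalike domain that merely starts with the in-scope name.

```python
"""Rules-of-engagement scope check against scope creep (added example).

Every target a tester intends to touch is classified as in_scope, excluded
or out_of_scope before any activity. Networks, domains and hosts below are
constructed placeholders; the IP ranges come from RFC 5737 (documentation).
"""
import ipaddress

# Constructed rules of engagement, as agreed and signed before testing.
RULES_OF_ENGAGEMENT = {
    "in_scope_networks": ["203.0.113.0/24", "198.51.100.0/25"],
    "in_scope_domains": ["example.test"],            # subdomains included
    "excluded_hosts": ["203.0.113.5"],               # inside an in-scope range, but off limits
    "excluded_domains": ["payments.example.test"],   # exclusion always wins over inclusion
}


def _domain_matches(name, suffix):
    """'app.example.test' matches 'example.test'; 'example.test.evil' does not."""
    name = name.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def classify_target(target, roe=RULES_OF_ENGAGEMENT):
    """Return 'in_scope', 'excluded' or 'out_of_scope' for one IP or hostname."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None                                    # not an IP literal: treat as a hostname

    if ip is not None:
        if any(ip == ipaddress.ip_address(h) for h in roe["excluded_hosts"]):
            return "excluded"
        if any(ip in ipaddress.ip_network(n) for n in roe["in_scope_networks"]):
            return "in_scope"
        return "out_of_scope"

    if any(_domain_matches(target, d) for d in roe["excluded_domains"]):
        return "excluded"
    if any(_domain_matches(target, d) for d in roe["in_scope_domains"]):
        return "in_scope"
    return "out_of_scope"


def approved_targets(candidates, roe=RULES_OF_ENGAGEMENT):
    """Split a candidate list into (approved, rejected); each entry carries its verdict
    so the rejection reason can go straight into the engagement log."""
    approved, rejected = [], []
    for target in candidates:
        verdict = classify_target(target, roe)
        (approved if verdict == "in_scope" else rejected).append((target, verdict))
    return approved, rejected


# Constructed candidate list a tester might assemble during planning.
CANDIDATES = [
    "203.0.113.10",            # in-scope network
    "203.0.113.5",             # in-scope network but explicitly excluded host
    "198.51.100.200",          # outside the agreed /25 (which ends at .127)
    "192.0.2.1",               # never in scope
    "www.example.test",        # subdomain of an in-scope domain
    "payments.example.test",   # excluded domain
    "example.test.evil",       # lookalike: starts with the in-scope name, is not under it
    "EXAMPLE.TEST",            # case-insensitive match of the in-scope domain
]

if __name__ == "__main__":
    ok, rejected = approved_targets(CANDIDATES)
    print("approved:", [t for t, _ in ok])
    print("rejected:", rejected)
```

Exclusions are checked before inclusions on purpose: a client's production database excluded by name must stay off limits even when its address sits inside an in-scope network. Only the three approved targets would proceed to the next phase; the five rejected ones are logged with their verdict.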
Penetration Testing Methodologies [1]
Types of Penetration Tests
• Network Infrastructure Tests
  • E.g. switches, routers, firewalls, AAA (Authentication, Authorization and Accounting) servers, IPSs, wireless infrastructure, wired infrastructure
• Application-based Tests
  • Testing for security weaknesses in enterprise applications, which may include the back-end database reached through the web application
  • E.g. misconfigurations, input validation issues, injection issues, logic flaws
  • Main resource: OWASP (Open Web Application Security Project)
Penetration Testing Methodologies [1]
Types of Penetration Tests
• Cloud Penetration Testing
  • Cloud Service Providers (CSPs) such as Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) take their security and compliance responsibilities very seriously.
  • E.g., Amazon created the Shared Responsibility Model to describe the AWS customers’ responsibilities and Amazon’s responsibilities in detail (https://aws.amazon.com/compliance/shared-responsibility-model/).
Penetration Testing Methodologies [1]
Types of Penetration Tests
• Cloud Penetration Testing
  • (Figure not captured; source: https://aws.amazon.com/compliance/shared-responsibility-model/)
Penetration Testing Methodologies [1]
Types of Penetration Tests
• Cloud Penetration Testing
  • The responsibility for cloud security depends on the type of cloud model (software as a service [SaaS], platform as a service [PaaS], or infrastructure as a service [IaaS]).
  • E.g., with IaaS, the customer (cloud consumer) is responsible for data, applications, runtime, middleware, virtual machines (VMs), containers, and the operating systems in the VMs.
Penetration Testing Methodologies [1]
Types of Penetration Tests
• Cloud Penetration Testing
  • Regardless of the model used, cloud security is the responsibility of both the client and the cloud provider.
  • Most CSPs have detailed guidelines on how to perform security assessments and penetration testing in the cloud. E.g., the AWS Customer Support Policy for Penetration Testing (https://aws.amazon.com/security/penetration-testing/).
Penetration Testing Methodologies
Types of Penetration Tests
• Social Engineering Penetration Testing
  • Tests the company’s employees to understand how an organization might be compromised through one of its employees.
  • Involves persuading a company’s employee to break the rules of the organization and share passwords and other confidential details with the attacker.
  • Is performed to train employees in how to handle social engineering attacks and to make the social structure of the company more robust.
  • However, most companies find this test too intrusive and would prefer to focus on security awareness training.
Source: https://urbanmatter.com/best-penetration-testing-companies-in-the-world-ranked-reviewed/
Penetration Testing Methodologies
Types of Penetration Tests
• Physical Security Penetration Testing
  • Attempts to defeat security cameras, physical security controls and entry access systems with the goal of gaining entry to a targeted physical facility
  • Companies may find this pen test intrusive and may not be keen to take it up.
Source: https://www.aerocominc.com/info/penetration-testing-services-comparison-what-is-physical-security-pen-testing-methodology/
Penetration Testing Methodologies
Types of Penetration Tests
• Specialized Systems Penetration Testing
  • Conducts penetration testing on specialized systems such as SCADA (Supervisory Control and Data Acquisition), IoT (Internet of Things) and Industrial Control Systems (ICS)
Penetration Testing Methodologies [1]
Penetration Testing Methods
• Unknown-environment test (formerly known as black-box)
  • Penetration testers are given only limited information, e.g. the domain names and IP addresses in scope for a particular target, which simulates the behaviour of external attackers.
  • Testers need to gather information about the target from public sources before planning an attack
  • Staff are not told when the attack will happen, to test the effectiveness of the defense mechanisms
  • Scope may be limited to identifying a path into the organization, without further pen testing.
Penetration Testing Methodologies [1]
Penetration Testing Methods
• Known-environment test (formerly known as white-box)
  • Testers are given information about the organization and its infrastructure
    • E.g. network diagrams, IP addresses, configurations, user credentials, source code (application assessment), system versions, personnel information
  • Main purpose: to identify as many security holes as possible
  • Scope covers, in depth, internal network configuration auditing, scanning of desktop computers and servers, source code review, and analysis of applications for defects. The deciding factors for the scope are usually time and money, and identifying the highest-priority testing that will uncover the desired results.
Penetration Testing Methodologies [1]
Penetration Testing Methods
• Partially known-environment test (formerly known as gray-box)
  • Hybrid approach between unknown- and known-environment tests.
  • Testers are provided with credentials but not full documentation of the network infrastructure
  • Can provide results of the testing from an external attacker’s point of view
  • Simulates an insider as an attacker, who starts from a client and works their way throughout the network
Penetration Testing Methodologies [1]
Penetration Testing Methodologies/Standards
(Figure: overview of penetration testing standards and methodologies, including MITRE ATT&CK; image not captured)
Penetration Testing Methodologies [1]
Penetration Testing Methodologies/Standards
• MITRE ATT&CK framework (https://attack.mitre.org/)
  • A collection of matrices of adversaries’ tactics, techniques and procedures (TTPs)
    • Enterprise ATT&CK Matrix
    • Mobile
    • ICS (Industrial Control Systems)
• OWASP Web Security Testing Guide (WSTG) (https://owasp.org/www-project-web-security-testing-guide/)
  • Focuses on web application testing
Penetration Testing Methodologies [1]
Penetration Testing Methodologies/Standards
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-115 (https://csrc.nist.gov/publications/detail/sp/800-115/final)
  • Provides guidelines to organizations on planning and conducting information security testing.
  • Industry standard for penetration testing guidance
Penetration Testing Methodologies [1]
Penetration Testing Methodologies/Standards
• Open Source Security Testing Methodology Manual (OSSTMM) (https://www.isecom.org/OSSTMM.3.pdf)
  • A document that lays out repeatable and consistent security testing.
  • Has the following key sections:
    • Operational Security Metrics
    • Trust Analysis
    • Work Flow
    • Human Security Testing
    • Physical Security Testing
    • Wireless Security Testing
    • Telecommunications Security Testing
    • Data Networks Security Testing
    • Compliance Regulations
    • Reporting with the Security Test Audit Reports (STAR)

Penetration Testing Methodologies [1]
Penetration Testing Methodologies/Standards
• Penetration Testing Execution Standard (PTES) (http://www.pentest-standard.org/index.php/Main_Page)
  • Provides information about types of attacks and methods, and the latest tools available to accomplish the testing methods
  • Involves seven distinct phases:
    • Pre-engagement interactions
    • Intelligence gathering
    • Threat Modeling
    • Vulnerability Analysis
    • Exploitation
    • Post-exploitation
    • Reporting
Penetration Testing Methodologies
Penetration Testing Methodologies/Standards
Example of penetration testing methodologies adopted by industry (figure not captured):
Source: https://www.wizlynxgroup.com/ch/en/cyber-security-switzerland/penetration-testing-services
Penetration Testing Methodologies
Penetration Testing Phases

Phase: Preparation (Coverage: Chap 2)
Discussion with the client and signing of an agreement before the pen test. Technical teams plan and prepare the pen test.

Phase: Recon (Coverage: Chap 3)
Information gathering about the target organization, as well as identifying underlying components such as operating systems, running services, software versions, etc.

Phase: Mapping and Vulnerability Discovery (Coverage: Chap 3)
Assets and vulnerabilities to be identified with the actual exploitation.

Phase: Vulnerability Exploitation (Coverage: Chap 4 to Chap 9)
Using a hybrid approach (automated and manual testing), gain privileged access to the target systems in a controlled manner by exploiting the vulnerabilities identified in the previous phase, “Vulnerability Discovery”.

Phase: Analysis and Reporting (Coverage: Chap 10)
All findings are documented in a final report and then compared with a strengths/weaknesses profile against international standards for IT & cyber security. The identified weaknesses are assessed and supplemented with recommendations and remediation actions, and prioritized according to the associated risk.

Source: https://www.wizlynxgroup.com/ch/en/cyber-security-switzerland/penetration-testing-services
Reference
[1] Omar Santos. 2022. CompTIA PenTest+ PT0-002. Pearson IT Certification.
[2] Matt Walker. 2022. CEH Certified Ethical Hacker Exam Guide, 5th Edition. McGraw-Hill Education.
