2. Agenda
• What is a Penetration Test?
• What is a Vulnerability Assessment (VA)
• The difference between a Pentest & a VA
• Vulnerability Assessment Steps
• Risks on an internal VA
• Vulnerability Assessment steps with a 3rd Party
• Legal considerations and justification
• References
3. What is a Penetration Test?
• There are two types of penetration (pen) tests
– Black Box & White Box
• Analyzing assets for any weaknesses, weak
configuration, or vulnerabilities
• Perspective of a potential attacker and
leverages exploitation of known and unknown
security vulnerabilities
• Validate information security programs
• Ensure security controls
4. What is a Penetration Test?
Which components are the targets?
•Operating Systems
•Directory Services
•Backend Applications
•Server firmware and Remote Control software
•Network devices (Routers, Switches, Firewalls)
5. What is Penetration Test?
The intruder could seek unauthorized access for:
•Staging
•Information Disclosure (Confidentiality)
•Bots/Zombies (Availability)
6. What is a Vulnerability
Assessment (VA)?
“Security exercises that aid business leaders,
security professionals, and hackers in identifying
security liabilities within networks, applications,
and systems.” (Snedaker, 2007)
7. What is a Vulnerability
Assessment (VA)?
The Vulnerability Assessment detects
vulnerabilities via:
•Security Technologies
– VA Scanners Appliances and Software
•Remediation Technologies
– Patch management systems (WSUS, SCCM,
LanDesk, VMware Update Manager)
8. Penetration Test vs. VA
Penetration Test: Vulnerability Assessment:
• Confirm the vulnerabilities • Identify weaknesses
• Scan the network • Identify and enumerates
• Identify OS, Services and Vulnerabilities
TCP/UDP Ports on the hosts • Report on discoveries
• Performs attacks and
penetration
• Works to gain non-
authorized access
9. Penetration Test vs. VA
Penetration Test: Vulnerability Assessment:
To be used when: To be used when:
•We have a limited number of •Time is a constraint
assets •Cost is an issue
•Confirmation is needed •Validating
•We are fiscally flexible •Trending
•Time is not of the essence
10. Vulnerability Assessment
The 3 steps
1. Information Gathering and Discovery
Example of tools: NMAP
1. Enumeration
Example of tools: NMAP
1. Detection
Example of tools: Retina
11. Vulnerability Assessment
The 3 steps
1. Information Gathering and Discovery
– Network Scanning
– Ports Scanning
– Directory Service
– DNS Zones and Registers
12. Vulnerability Assessment
The 3 steps
2. Enumeration
– Hosts and OSs
– Ports (including the well-known: 0-1023)
– Services and their versions info
– SNMP Communities
13. Vulnerability Assessment
The 3 steps
3. Detection
– Weakness
– Vulnerabilities
– Reports are generated
– Remediation Tools
14. Risks on an internal VA
• Unavailability of the systems and applications
• Impact on the network and systems
performance
• Reaction from the IT staff as if some real
attack was taking place
15. Vulnerability Assessment Steps
with a 3rd Party
• The outsourcing company must follow the FISMA requirements, by
applying the NIST standards and guidelines
• Establish an Information Security Assessment Policy to be followed
• Determine the objectives of each security assessment
• The consulting firm should be accountable for any damage caused
by errors on during the exercise
• Sign a formal agreement for the Vulnerability Assessment
• Non-disclosure information externally
• The 3rd party should provide an Analyze findings, and develop risk
mitigation techniques accordingly and report security Incidents
(FISMA 3544(b)(7))
• The 3rd party should periodically testing and evaluating the security
controls and techniques (FISMA section 3544(a)(2)(D))
16. VA Steps with a 3rd Party
Legal considerations and justification
• The 3rd parties are required to meet the same security
requirements as federal agencies (FISMA and OMB policy)
• As part of the contract and the service-level agreements,
the consulting firm requires the use of the security controls
in NIST Special Publication 800-53 and 800-53A
• Evaluate potential legal concerns before starting an
assessment (The assessments that involve intrusive tests -
Pentest)
• Legal Department may review the assessment plan
developed by the 3rd party
• The Legal Department should address privacy concerns,
and perform other functions in support of assessment
planning. (FISMA, section 3542(a)(1)(B))
17. References:
Snedaker, S. (2007). The Best Damn IT Security management Book Period, Syngress publishing.
National Institute of Standards and Technology. (2009). Recommended Security Controls for
Federal Information Systems and Organizations (NIST Special Publication 800-53, 2009 Edition).
Gaithersburg, MD.
National Institute of Standards and Technology. (2010). Guide for Applying the Risk Management
Framework to Federal Information Systems (NIST Special Publication 800-37, revision 1).
Gaithersburg, MD.
National Institute of Standards and Technology. (2010a). Guide for Assessing the Security Controls
in Federal Information Systems and Organizations (NIST Special Publication 800-53A).
Gaithersburg, MD.
Federal Information Security Management Act (FISMA). (2002). P.L. 107-347. Retrieved August
07, 2012, from http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
Editor's Notes
By Marcelo Silva
Black box testing assumes no prior knowledge of the environment, and it is the type we often associate with the Penetration Test. White box testing provides the testers with complete knowledge of the environment to be tested Validate information security programs It can validate the strengths and weaknesses of a company's information security program. Ensure security controls Most organizations practice defense in-depth strategies , or the layering of security technologies to protect an asset. Therefore, the Penetration tests can help identifying weakness on this strategy.
Operating Systems OS, File Systems, Registry, Components (DCOM/APIs) vulnerabilities Directory Services Users and Computer accounts, Security Groups, Passwords, Logon scripts Backend Applications Database (SQL/Oracle/DB2/MySQL…), Email servers (Exchange/Qmail/Lotus Notes/ Postfix/IMail…), Web and Application Servers (Appache/IIS/TomCat/Jboss) Server firmware and Remote Control software Dell DRAC, HP iLO, Blades Enclosures Onboard Administrations Network devices (Routers, Switches, Firewalls) Switches without VLANs, Routers ACLs, Firewalls rules
Staging Uses intermediary sources to exploit targets, by concealing their identity. Information disclosure Publishing sensitive data, including password files, personal information like SSN and drivers license ID, e company propriety information. Bots Denied of Services attacks, causing availability issue on the network, operating systems and applications.
Through a Vulnerability Assessment, we are able to gather all information about the networks, operating systems, services and application, and their port status as well, And then generate a report about their current vulnerabilities and risks that the company are facing due that. By using the process called OS fingerprinting , the scanner utility software is able to detect the target operating system and the applications that are running on it, and Enumerate the current state of each TCP/UDP ports. Therefore, after discovery the systems and their applications, the VA is able to determine whether a system or application has vulnerabilities.
Security Technologies VA Scanners Appliances or Software (NMAP, Nessus, Retina, Microsoft Baseline Security Analyzer and others) Remediation Technologies Patch management systems (WSUS, SCCM, LanDesk, VMware Update Manager) Some of the vulnerabilities detected by the Security and Remediation Technologies could include, and not limited to: Weak SNMP Community (Public) VMware Virtual Machine Remote Device Denial of Service VMware host memory overwrite vulnerability (data pointers) ESX NFS traffic parsing vulnerability Microsoft Windows Malicious Software Removal Tool Null Session Exposures Windows System Events Logs Overwritten Guest Access to Sys Instances Macromedia Flash Header Vulnerability
Vulnerabilities Assessment only report vulnerabilities. They don't substantiate that vulnerabilities actually exist. Penetration test ensures that vulnerability actually exist. The VA can be part of the Penetration Test, but the inverse doesn't happens.
The Vulnerability Assessment stresses an organization's security liabilities and helps to determine information security risk (Snedaker, 2007). However, VA just reports vulnerabilities. There are some reasons that justify having only the Vulnerability Assessment: Timing constraint - Penetration tests take longer to be performed and provide results and analyses, mainly when we have a large number of devices Budget - Pentests require more skilled staff to be performed Validation - By performing a VA we can find out whether a Service Pack or Hotfix was applied Trending - Trending vulnerabilities across our enterprise can provide valuable insight into our organization's remediation and change control processes Otherwise, the Penetration test is highly recommended, once it also involves the vulnerability scanning during the target identification and analyses process.
Information Gathering and Discovery Information gathering and discovery is the process an individual or group performs to ascertain the scope of an assessment. On this first step, the tool will be used to identify and determine the number of systems and applications that will be assessed. We can use the NMAP for this first step for the information gathering. Enumeration During that step, the tool will be used to determine the target operating system (OS fingerprinting) and the applications that are running on it. We also can use the NMAP for this enumeration. Detection This is the last step on the Vulnerability Assessment, where the vulnerabilities on the system and application will be detected. On this step we can use some tools such as Nessus or Retina.
By performing network and port scanning, we collect all information about the hosts, network devices, listening ports and Services running. We can also identify the Directory Services such LDAP and Microsoft Active Directory. By performing a “ whois” query, we are able to gather the some information such as the company's physical address, the IP addresses range used by the company and the DNS servers responsible for the domain.
Through the process called “ OS Fingerprinting ”, we can enumerate the Operating Systems versions (e.g.: Windows 2008, Windows XP, Linux 2.3.6, Cisco IOS 11, Cisco NX-OS), determine which Service or Application is running in a specific TCP/UDP port. During this phase, we are also able to enumerate each SNMP Communities, and tool likes to find the “Public” one.
Since the network devices and hosts were properly identified, the listening ports are already listed, the Operating Systems and Applications versions are enumerated accordingly, Then the vulnerability detection phase can start. On this 3rd step, the tool will check whether each system is susceptible to attack, and how vulnerable it is. The detection process will report that vulnerabilities are present on a system.
Once the whole activities are running inside the company’s network, it could impact negatively the network and systems performance . Additionally, there is a risk of some security tools as IDS/IPS, once the attacks are detected, they performing some countermeasures as shutdown some system or making an application unavailable temporarily. Also the IT staff could react as if some real threat was taking place on the company’s network.
The outsourcing company must follow the FISMA requirements The 3 rd party should follow the instructions of the FISMA (2002), indicated on section 3544(b) of the Title III. According to FISMA (2002) the agency/consulting firm, should “Planning, implementing, evaluating and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency”. (Section 3544(b)(6)). Another important step it is notifying and consulting with the Federal information security incident center, about information security incidents, threats and vulnerabilities. The National Institute of Standards and Technology (NIST) was designated to create and maintain the standards and guidelines to apply the FISMA on the Federal Agencies and Organizations. Some of the Guides and Recommendation documents are indicated along this presentation. Establishing an Information Security Assessment Policy: This identifies the organization’s requirements for executing the Assessment, and provides accountability for the appropriate individuals. The Assessment Policy should contain: The organizational requirements Roles and responsibilities Adherence to an established assessment methodology Assessment frequency Documentation Determine the objectives of each security assessment The Vulnerability Assessments have acceptable levels of risk. Therefore, by determining the objectives and applying the proper approach will help the Police Department to limit risk and available resource usage. About the discoveries of the Vulnerability Assessment, they should be kept as confidential, and also be reported to the Federal information security incident center, as required by FISMA (2002). The finished product, the assessment, is confidential. There can only be ONE copy. And the 3 rd party is not allowed to keep notes during the process or even save one copy for themselves. They can’t use the Assessment as an example for potential clients. Additionally, the consulting firm must tore reports in encrypted databases that are only accessible with the proper credentials. At the final stage, the 3rd party should analyze findings , and develop risk mitigation techniques to address the weaknesses found. The consulting firm should conduct a root cause analysis upon completion of an assessment, in order to convert the findings into mitigation techniques actions. The 3rd party should periodically testing and evaluating the security controls and techniques Also, the Police Department and the 3rd Party should periodically perform assessment the risk and damage level that could result from the non-authorized access, disclosure, disruption, modification, or destruction of information, network assets, systems and applications that supports the operations of the Department.
As stated by the NIST (NIST, 2010), FISMA and OMB policy require external providers handling federal information or operating information systems on behalf the federal government to meet the same security requirements as federal agencies. FISMA is the law, and if the Police Department is not in compliance with the Federal Information Security Management Act, it is breaking the law. Therefore, both the Police Department and the 3rd party must be in compliance with the FISMA. Additionally, by being complying with FISMA requirements, the Police Department and the Consulting firm are ensuring the sensitive information is being protected accordingly, the systems are available for the authorized users and the integrity of the data are being kept. NIST 800-53 and 800-53A - When outsourcing the Vulnerability Assessment, the external company should follow both the “Recommended Security Controls for the Federal Information Systems” and the “Guide for Assessing the Security Controls in Federal Information Systems and Organizations”, including selecting security controls and monitoring security controls, and appendix such as Penetration Testing considerations. The Legal Department has a key role on the VA process. It is responsible for: Assure that the contracts and service-level agreements are in accordance with the current legislation and the Risk Management Framework (e.g.: FISMA – section 3541(a) of the Title III, RMF, NIST) Assist in reviewing the assessment plan and providing indemnity or limitation of liability clauses into contracts that govern security assessments, mainly for tests that are deemed intrusive. Require the consulting firm to sign nondisclosure agreements that prohibit them from disclosing any sensitive and proprietary information (section 3542(b)(1)(B) of the Title III). Address any privacy concerns and potential privacy violations before the assessment begins. Determine data handling requirements to ensure data confidentiality. Also, captured data may include sensitive data that does not belong to the organization, or some personal employee data. Therefore, the 3 rd party staff should be aware of these risks and conduct packet captures that follow any requirements that were predefined by the Legal Department.