Vulnerability Management
Identify the systems covered in the scan
What data is stored, transmitted or processed on that system
Is the system exposed to the internet (internet facing)
What services are offered?
What stage is the system at: production, test or development
Tools used to scan the infrastructure/network for connected devices
SolarWinds
Qualys Asset Map
Determining Scan frequency
Automation of the scans can be done using Nessus
The number of scans per year will be determined by the company's:
Risk appetite and risk tolerance
Regulatory requirement
Technical constraints
Business constraints
Licensing limitations
These will all be taken into account
Configuring the scans
For the scan you will need to provide the following
Target server credentials (a credentialed scan sees installed packages and configuration rather than just service banners)
Ensure there are scanning agents on the target servers
Ensure the scans are conducted from multiple viewpoints
Scan sensitivity levels
Disable plugins that aren't relevant to that system (shorter scans, less noise in the results)
Create your own scans (start from a template and customise it)
Supplementing network scans
A basic uncredentialed network scan is a good starting point, as it is what an attacker would use to probe the network. It can, however, give misleading Nessus results, because firewalls, IPS (intrusion prevention systems) and other security controls sitting between the scanner and the target filter or block probes. Supplement it with credentialed and agent-based scans.
Scan perspective
Outside the organisation
This gives a good idea of the vulnerabilities an external attacker can see
Internal scan from an insider's position
This gives a good idea of the vulnerabilities a malicious insider can see
Data centre scan
This gives a good idea of the vulnerabilities that are masked by firewalls or other security controls when scanning from further away
Keeping it up to date
Ensure the Nessus vulnerability scanner is kept up to date, as new vulnerabilities are disclosed every day
Ensure the scanner software itself is patched, as scanners can have vulnerabilities of their own
Plugin feeds
Ensure automatic updates are enabled
Infrastructure scanning tools
You need to have
Network vulnerability scanner
Application scanner
Web application scanner
Examples of network scanners are:
Nessus
Qualys
Rapid7
OpenVAS
Use two scanners (ideally from different vendors) for defence in depth; each has different coverage and misses different findings
Example of application scanning:
Static testing (SAST): analyses code without executing it
Dynamic testing (DAST): executes the code as part of the test
Interactive testing (IAST): combines static and dynamic
Example of web application scanning:
Nikto: free open source
Arachni: free open source (Linux, macOS and Windows)
Validate the scan results
Ensure the false positives are removed from the data set
Reconcile with other data sources
Log reviews from servers, applications, network devices and other sources that may contain more information regarding possible attempts to exploit detected vulnerabilities
SIEM tools (security information and event management systems) will correlate log entries for easy access to actionable intelligence
Configuration management systems provide information regarding the operating system and the applications installed
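An added example (not from the original notes) of the reconciliation step above: scanner findings are checked against what configuration management says is actually installed, and against SIEM exploit-attempt counts, so stale banner-based findings are flagged as likely false positives while findings with observed attacks are pushed to the top. The hosts, package versions and SIEM counts are constructed sample data; the CVE is a real Apache httpd 2.4.49 identifier used only to make the version comparison realistic.

```python
import re

# Constructed sample data (not output from any real scanner, CMDB or SIEM).
# The scanner infers the version from a service banner, so it can be stale
# or wrong; "fixed_in" is the first version carrying the fix.
SCAN_FINDINGS = [
    {"host": "web01", "cve": "CVE-2021-41773", "package": "httpd",
     "banner_version": "2.4.49", "fixed_in": "2.4.50"},
    {"host": "web02", "cve": "CVE-2021-41773", "package": "httpd",
     "banner_version": "2.4.49", "fixed_in": "2.4.50"},
    {"host": "jump01", "cve": "CVE-2021-41773", "package": "httpd",
     "banner_version": "2.4.49", "fixed_in": "2.4.50"},
]

# Configuration-management record of what is actually installed per host.
CMDB_INSTALLED = {
    ("web01", "httpd"): "2.4.49",   # still vulnerable
    ("web02", "httpd"): "2.4.51",   # patched since the banner was captured
    # jump01 has no record: an asset the CMDB does not know about
}

# SIEM correlation result: number of logged exploit attempts per (host, CVE).
SIEM_EXPLOIT_ATTEMPTS = {
    ("web01", "CVE-2021-41773"): 14,
}


def version_key(version):
    """Order versions such as '2.4.49' numerically (assumes numeric components)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def triage_finding(finding, cmdb, siem):
    """Classify one scanner finding using the CMDB and SIEM as corroborating sources."""
    host, package, cve = finding["host"], finding["package"], finding["cve"]
    installed = cmdb.get((host, package))
    attempts = siem.get((host, cve), 0)

    if installed is None:
        # The scanner saw a service the CMDB does not know about. The inventory
        # gap is itself a finding, and the CVE cannot be dismissed yet.
        status = "unknown-asset"
    elif version_key(installed) >= version_key(finding["fixed_in"]):
        # Installed package is at or past the fixed version; the banner the
        # scanner keyed on is stale. Verify by hand, then close as a false positive.
        status = "likely-false-positive"
    else:
        status = "confirmed"

    if status == "confirmed":
        # Observed exploit attempts against a confirmed-vulnerable host go first.
        priority = "critical" if attempts else "high"
    else:
        priority = "review"

    return {"host": host, "cve": cve, "status": status, "priority": priority,
            "exploit_attempts": attempts, "installed": installed}


def triage_all(findings=SCAN_FINDINGS, cmdb=CMDB_INSTALLED, siem=SIEM_EXPLOIT_ATTEMPTS):
    """Triage every finding; order of the input list is preserved."""
    return [triage_finding(f, cmdb, siem) for f in findings]


if __name__ == "__main__":
    for row in triage_all():
        print(f'{row["host"]:7} {row["cve"]:15} {row["status"]:22} '
              f'priority={row["priority"]} attempts={row["exploit_attempts"]}')
```

The "likely-false-positive" state is deliberately not "closed": the scanner and the CMDB disagree, and one of them is wrong, so a person confirms which before the finding is removed from the data set.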
Security vulnerabilities
Patch Management
This is a key task that is often overlooked due to lack of resources.
The systems running the infrastructure need to be maintained, and that includes ensuring the devices are patched.
Many of the vulnerabilities that get exploited are on networks running out-of-date software, hardware or firmware.
Legacy platforms
End-of-support devices are a real security issue because the vendor no longer releases patches for them
Weak configurations
Using the default settings on any device poses security risks, for example administrative pages that are meant to be disabled before the device goes live
The presence of insecure accounts, whether normal user, admin or root accounts (default or shared passwords, no lockout)
Open ports and services
Open permissions
Error messages
Many application development platforms have debug modes that help when troubleshooting the system. The same debug output can help attackers gain useful information about the company (stack traces, file paths, internal hostnames, connection strings) or even let them alter data within the system
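An added example (not from the original notes) of the debug-mode leak described above, with the hardened form beside it. The request handler, settings and the fake database connection string are all constructed for illustration; with debug on, the client receives the full traceback (including the exception message that carries the DSN), whereas the hardened path logs the detail server-side and returns only a reference id.

```python
import logging
import traceback
import uuid

# Constructed application settings; the DSN and credential are fake.
CONFIG = {
    "db_dsn": "postgresql://app:S3cretP@ss@db01.internal:5432/orders",
}
log = logging.getLogger("app")


def load_order(order_id):
    """Pretend data layer: fails for unknown orders the way a real one might,
    with the connection string ending up in the exception message."""
    if order_id != "1001":
        raise KeyError(f"no order {order_id} in {CONFIG['db_dsn']}")
    return {"id": order_id, "total": 42.0}


def handle_request(order_id, debug):
    """Return (status, body). In debug mode the traceback is sent to the client."""
    try:
        return 200, str(load_order(order_id))
    except Exception:
        if debug:
            # Weak configuration: file paths, code structure and the exception
            # message (here containing the DSN) go to whoever sent the request.
            return 500, traceback.format_exc()
        # Hardened: keep the detail in the server log, give the client a
        # reference id that support staff can look up.
        ref = uuid.uuid4().hex[:12]
        log.error("request %s failed:\n%s", ref, traceback.format_exc())
        return 500, f"Internal error. Reference: {ref}"


if __name__ == "__main__":
    print(handle_request("9999", debug=True)[1])
    print(handle_request("9999", debug=False)[1])
```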
Insecure protocols
There are a multitude of insecure protocols, such as
Telnet (cleartext; replace with SSH)
FTP (cleartext credentials; replace with SFTP or FTPS)
SSHv1 (deprecated; SSHv2 is the secure replacement and is still used frequently, so make sure version 1 is disabled)
SMBv1
HTTP (replace with HTTPS)
DNS (unauthenticated unless DNSSEC is used)
Weak encryption and hashing
Ensure you do not use weak algorithms such as
SHA-1 (hash)
MD5 (hash)
Cisco Type 7 (password obfuscation)
Type 7 is a reversible obfuscation, not encryption: it can be reversed in seconds and should not be used for protecting passwords (use Type 8 or Type 9 secrets instead)
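An added example (not from the original notes) showing why Type 7 is not protection: it is a fixed-key XOR, so decoding is as cheap as encoding. The decoder and encoder below implement that scheme with the publicly known key string, and the PBKDF2 functions show what a password store should do instead (salted, slow, one-way). The seed range 0-15 and the `pbkdf2_store` storage format are assumptions made for this example; the test strings are standard "cisco" examples.

```python
import hashlib
import hmac
import os

# Public fixed key string used by Cisco IOS Type 7 password obfuscation.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded):
    """Reverse a Type 7 string: two-digit decimal seed, then hex bytes, each
    XORed with the key byte at (seed + position) mod len(key)."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed Type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(password, seed=8):
    """Produce a Type 7 string. IOS uses seeds 0-15 (assumption enforced here)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    data = password.encode("ascii")
    body = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def pbkdf2_store(password, salt=None, iterations=200_000):
    """One-way, salted, deliberately slow: the property Type 7 lacks.
    Storage format 'pbkdf2_sha256$iterations$salt$digest' is an assumption."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute and compare in constant time; there is no way to 'decode'."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print(type7_decode("0822455D0A16"))        # the well-known example
    print(type7_encode("cisco", seed=9))
    stored = pbkdf2_store("cisco")
    print(stored, pbkdf2_verify("cisco", stored))
```

Anything that can be decoded with a public key string is obfuscation, not encryption; the same reasoning is why an unsalted MD5 or SHA-1 of a password is weak, since it is fast to brute-force even though it cannot be directly reversed.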
Penetration testing
White Box test
Known environment test
Every part of the environment (architecture, source code, credentials) is known to the tester
Black Box test
Unknown environment test
Simulates what an external attacker would see
Grey box test
A mixture of the two
The pen tester may have partial knowledge of the environment but no credentials, or vice versa
Once the outline of what will be tested has been confirmed, such as the type of test and which systems are in scope, the rules of engagement can be written
The rules will include:
Timeline:
This will be confirmed to ensure the test is not performed during critical hours as there
Locations:
Determine what location, systems, applications or other potential targets to be included or excluded
Data Handling Requirements:
This would be for the information gathered throughout the pen test
This will be very important regarding sensitive data an example of this would be encrypting the data during the test
Behaviours to expect from target:
Defensive behaviours such as:
Shunning
Blacklisting
Or other active defences
Can disrupt the penetration test and limit the value of it
Resources committed:
This applies to white and grey box tests, which require admins, developers and subject-matter experts to provide the relevant information to the penetration tester
Legal concerns:
A review will need to be done of the laws that cover the target organisation (and any jurisdictions its systems are hosted in)
Communications:
How often, and through which channel, the penetration tester will communicate with the company, including who to contact if something breaks
The penetration test starts with reconnaissance, which allows the penetration tester to gather information on the organisation; from that information they identify the techniques they could use to exploit the systems
The test
Initial access: the tester gains a foothold, typically by exploiting a vulnerability identified during reconnaissance
Privilege escalation: moving from the initial access to a more privileged account
Pivoting or lateral movement: the attacker attempts to gain access to other systems from the compromised one
Persistence: the attacker installs a backdoor to allow them to regain access to the system at will. Patching the vulnerability they used to gain access will not remove the backdoor
Red team
These are the attackers
Blue team
These are the defenders
White team
These are the referees
Purple team
These are the red and blue team combined where they share techniques they have learnt