Vulnerability Management

Identify the systems to be covered by the scan. For each system establish:

What data is stored, transmitted, or processed on that system

Whether the system is exposed to the internet (internet facing)

What services are offered

Which stage the system is in: production, test, or development

Tools used to scan the infrastructure/network for connected devices (asset discovery):

SolarWinds

Qualys asset mapping

Determining Scan frequency

Scans can be scheduled and automated using Nessus

The number of scans per year will be determined by the company's:

Risk appetite and risk tolerance

Regulatory requirement 

Technical constraints

Business constraints

Licensing limitations

These will all be taken into account

Configuring the scans

For the scans you will need to provide the following:

Credentials for the target systems/services (a credentialed scan sees installed packages and configuration rather than just service banners; use a dedicated least-privilege scanning account and protect it, since it is a high-value target)

Ensure scanning agents are installed on the target servers, especially where network access to them is restricted

Ensure the scans are conducted from multiple viewpoints

Scan sensitivity levels (how intrusive the checks are: safe checks only, or checks that may crash a fragile service)

Disable plugins that are not relevant to that system (faster scans, fewer false positives)

Create your own scans (start from a template and customise it)

Supplementing network scans

A basic unauthenticated network scan is a good starting point because it is what an attacker would use to probe the network. However, firewalls, IPS (intrusion prevention systems) and other security controls sitting between the scanner and the target can distort the Nessus results: filtered ports look closed and vulnerable services can be missed entirely. Supplement network scans with agent-based and credentialed scans.

Scan perspective

Outside the organisation

This gives a good idea of the vulnerabilities a potential external attacker can see

Internal scan from an insider's position

This gives a good idea of the vulnerabilities a potential insider can see

Data centre scan

This gives a good idea of the vulnerabilities that are otherwise hidden behind firewalls or other security measures

Keeping it up to date

Ensure the Nessus vulnerability scanner is kept up to date, as new vulnerabilities are published every day

Ensure the scanner software itself is patched, as scanners can have vulnerabilities of their own

Plugin feeds

Ensure automatic updates are enabled

Infrastructure scanning tools

You need:

Network vulnerability scanner

Application scanner

Web application scanner

Examples of network scanners are:

Nessus

Qualys

Rapid7 (Nexpose / InsightVM)

OpenVAS

Use two scanners from different vendors for defence in depth: their plugin coverage differs, so one catches what the other misses

Example of application scanning:

Static testing (SAST): analyses the source code without executing it

Dynamic testing (DAST): exercises the running application from the outside, without access to the source

Interactive testing (IAST): combines the two by instrumenting the running application while it is exercised

Example of web application scanning:

Nikto: free, open source web server scanner

Arachni: free, open source web application scanner (runs on Linux, macOS and Windows)

Validate the scan results

Ensure false positives are removed from the data set

Reconcile with other data sources:

Log reviews from servers, applications, network devices and other sources that may contain more information regarding possible attempts to exploit the detected vulnerabilities

SIEM tools (security information and event management systems) correlate log entries into actionable intelligence

Configuration management systems provide information regarding the operating system and the applications installed (and their versions), which confirms or refutes what the scanner inferred from a banner
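The reconciliation step above, as an added example that is not part of the original notes. It compares each scanner finding against a configuration-management inventory of what is actually installed: a finding whose package is absent or already at the fixed version is marked a false positive, a host the inventory does not know is kept for review (an asset-inventory gap, not a clean result), and a vulnerable host whose banner version disagrees with the inventory is also flagged for review. The inventory, the findings and the VULN-000x identifiers are all constructed sample data, not real CVEs or a real CMDB.

```python
"""Reconcile scanner findings against configuration-management data."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str          # dummy identifiers below; not real CVEs
    package: str
    scanner_version: str  # version the scanner inferred, usually from a banner
    fixed_version: str    # first release carrying the fix


def version_key(version):
    """'2.4.49-3' -> (2, 4, 49, 3) so that versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def reconcile(finding, inventory):
    """Return (status, reason) for one finding.

    status is 'confirmed', 'false_positive' or 'review'.
    """
    host_packages = inventory.get(finding.host)
    if host_packages is None:
        # The scanner saw a live host the CMDB knows nothing about: that is an
        # asset-inventory gap, not a false positive, so keep it for review.
        return ("review", "host missing from inventory")
    installed = host_packages.get(finding.package)
    if installed is None:
        # Typical for banners relayed through a reverse proxy or load balancer.
        return ("false_positive", "package not installed")
    if version_key(installed) >= version_key(finding.fixed_version):
        return ("false_positive", f"installed {installed} >= fixed {finding.fixed_version}")
    if version_key(installed) != version_key(finding.scanner_version):
        # Still vulnerable, but the scanner's evidence does not match reality;
        # somebody should look at the host rather than trusting either source.
        return ("review", f"vulnerable, but banner {finding.scanner_version} != installed {installed}")
    return ("confirmed", f"installed {installed} < fixed {finding.fixed_version}")


def triage(findings, inventory):
    """Group findings by status; returns {status: [(finding, reason), ...]}."""
    buckets = {"confirmed": [], "false_positive": [], "review": []}
    for finding in findings:
        status, reason = reconcile(finding, inventory)
        buckets[status].append((finding, reason))
    return buckets


# Constructed sample data (not from a real scan or CMDB).
INVENTORY = {
    "web01": {"httpd": "2.4.49", "openssl": "3.0.2"},
    "web02": {"httpd": "2.4.52"},
    "web04": {"httpd": "2.4.50"},
    "proxy01": {"nginx": "1.22.1"},   # reverse proxy; a backend banner leaks through
}

FINDINGS = [
    Finding("web01", "VULN-0001", "httpd", "2.4.49", "2.4.51"),    # genuinely vulnerable
    Finding("web02", "VULN-0001", "httpd", "2.4.49", "2.4.51"),    # stale banner, already patched
    Finding("proxy01", "VULN-0001", "httpd", "2.4.49", "2.4.51"),  # banner belongs to a backend
    Finding("web03", "VULN-0001", "httpd", "2.4.49", "2.4.51"),    # host not in the CMDB at all
    Finding("web04", "VULN-0001", "httpd", "2.4.49", "2.4.51"),    # vulnerable, but versions disagree
]

if __name__ == "__main__":
    for status, items in triage(FINDINGS, INVENTORY).items():
        for finding, reason in items:
            print(f"{status:15} {finding.host:8} {finding.vuln_id}: {reason}")
```

Two caveats for real use: a plain numeric comparison does not understand distribution backports (Debian and RHEL ship fixes without bumping the upstream version string), so compare against the distro's own fixed package release from its advisory rather than the upstream version; and the CMDB can be stale too, which is why disagreements land in "review" instead of being auto-closed.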

Security vulnerabilities

Patch Management

This is a key task that is often overlooked due to lack of resources.

The systems running the infrastructure need to be maintained; this includes ensuring the devices are patched.

Many of the vulnerabilities that get exploited are found in networks running out-of-date software, firmware, or hardware.

Legacy platforms

End-of-support devices are a real security issue because the vendor no longer issues patches for them

Weak configurations

Using the default settings on any device can pose security risks, such as setup or admin pages that are meant to be disabled for live use

The presence of insecure accounts, including default, shared or weakly protected user, admin and root accounts

Open ports and services

Open permissions

Error messages

Many application development platforms have debug modes that help the user troubleshoot the system. Left enabled in production, the verbose error output leaks useful information about the company and its systems to attackers, and some debug consoles even let them run code or alter the data within the system

Insecure protocols

There are a multitude of insecure protocols, such as

Telnet (cleartext, including credentials; replace with SSH)

FTP (cleartext credentials; replace with SFTP or FTPS)

SMB (legacy SMBv1 in particular; disable it and require signing on newer versions)

HTTP (replace with HTTPS)

DNS (unauthenticated by default; use DNSSEC, DoT or DoH)

Note that SSH is the secure replacement for Telnet and is still used frequently; only the obsolete SSHv1 protocol and weak cipher/MAC configurations of SSH are insecure

Weak hashing and encryption

Ensure you do not use weak hashing or encryption methods such as

SHA-1 (hash function; practical collisions exist)

MD5 (hash function; broken, collisions are trivial)

Cisco Type 7 (password obfuscation)

Type 7 is not encryption but reversible obfuscation with a fixed, publicly known key; it can be reversed in seconds, so it should not be relied on to protect passwords (use type 8 or type 9 secrets instead)
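To show why Type 7 counts as a weak method, here is an added example (not from the original notes) that reverses it: the first two digits of a Type 7 string are an offset into a constant 53-byte key shipped in every IOS image, and the rest is the password XORed with that key, written in hex. The block also audits a running-config fragment for typed credentials, marking type 7 as reversible, type 5 (salted MD5) as weak, and types 8/9 as acceptable. The config fragment is constructed, and its type 5 hash is a placeholder, not a real hash.

```python
"""Cisco IOS Type 7 password obfuscation, reversed, plus a config audit."""
import re

# Constant key baked into every IOS image (53 bytes). It is public, which is
# why Type 7 offers no real protection.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Reverse a Type 7 string: '070C285F4D06' -> 'cisco'."""
    if len(encoded) < 4 or (len(encoded) - 2) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed Type 7 string: {encoded!r}")
    seed = int(encoded[:2])             # starting offset into the key (0..15)
    body = bytes.fromhex(encoded[2:])   # plaintext XOR key stream, hex-encoded
    plain = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext, seed=0):
    """Produce what IOS would store; the seed only shifts where the key starts."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds in 0..15")
    data = plaintext.encode("ascii")
    body = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Verdict per IOS password/secret type number.
VERDICT = {
    "0": "cleartext",
    "7": "reversible obfuscation: decoded instantly",
    "5": "salted MD5 (type 5): fast to brute-force, migrate to type 8/9",
    "8": "PBKDF2-SHA256 (type 8): acceptable",
    "9": "scrypt (type 9): acceptable",
}

# Matches 'password 7 <hex>', 'secret 5 <hash>', 'key 7 <hex>' and similar.
# Untyped (cleartext) passwords with no type number are not matched, to keep
# the pattern simple.
CRED_RE = re.compile(
    r"^\s*.*?\b(?:password|secret|key)\s+(?P<type>[05789])\s+(?P<value>\S+)", re.M
)


def audit_config(config_text):
    """Return [(line, type, verdict, decoded_plaintext_or_None), ...]."""
    results = []
    for m in CRED_RE.finditer(config_text):
        ptype, value = m.group("type"), m.group("value")
        decoded = type7_decode(value) if ptype == "7" else None
        results.append((m.group(0).strip(), ptype, VERDICT[ptype], decoded))
    return results


# Constructed running-config fragment; the type 5 hash is a placeholder, not real.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable secret 5 $1$SALT$placeholder-not-a-real-hash
username ops password 7 0822455D0A16
line vty 0 4
 password 7 070C285F4D06
 login
"""

if __name__ == "__main__":
    for line, ptype, verdict, decoded in audit_config(SAMPLE_CONFIG):
        print(f"type {ptype}: {verdict}")
        print(f"  {line}" + (f"  -> {decoded!r}" if decoded else ""))
```

Both sample Type 7 strings decode to the same password even though they look different, because the seed merely changes where the XOR starts in the key. The audit is useful on exported configs from a config-management repository: any line it decodes is a credential that should be treated as already disclosed and rotated.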

Penetration testing

White box test

Known environment test

Every part of the environment is known to the tester

Black box test

Unknown environment test

Simulates what an external attacker would see

Grey box test

Is a mixture of the two

The pen tester may have partial knowledge of the environment but no credentials, or vice versa

Once the outline of what will be tested has been confirmed (the type of test and which systems are in scope), the rules of engagement can be written.

The rules will include:

Timeline:

This will be confirmed to ensure the test is not performed during critical hours as there

Locations:

Determine what location, systems, applications or other potential targets to be included or excluded

Data Handling Requirements:

This covers the information gathered throughout the pen test

It is very important where sensitive data is involved; an example would be encrypting the collected data during the test

Behaviours to expect from target:

Defensive behaviours such as:

Shunning

Blacklisting (blocking the tester's source addresses)

Or other active defences

Can disrupt the penetration test and limit its value

Resources committed:

This applies mainly to white and grey box tests, which require admins, developers, and subject-matter experts to provide the relevant information to the penetration tester

Legal concerns:

A review will need to be done of the laws that cover the target organisation, and written authorisation for the test must be in place before it starts

Communications:

How often, and through which channels, the penetration tester will communicate with the company

The penetration test starts with reconnaissance, which allows the penetration tester to gather information on the organisation; in a white box test they will also look for further techniques they could use to exploit the systems

The test

Initial access occurs

Privilege escalation to move from the initial foothold to a more privileged account

Pivoting or lateral movement: the attacker attempts to gain access to other systems

Attackers establish persistence: they install a backdoor so they can regain access to the system at will. Patching the vulnerability they used to gain access will not remove the backdoor

Red team

These are the attackers

Blue team

These are the defenders

White team

These are the referees who set the rules and oversee the exercise

Purple team

This is the red and blue teams working together, sharing the techniques each has learnt