Vulnerability Assessment / Penetration Test (VA/PT)

Cybersecurity
An effective cybersecurity program is more important than ever, as attacks become more sophisticated and difficult to detect, have a greater economic impact, and cause great damage to the credibility of a company / organization.
It has been said about security that “companies are divided into two categories, those that have been hacked and those that will be hacked”. However, the security of networks, IT systems and applications must be constantly improved to prevent as many attacks as possible. Vulnerabilities of information assets are also increasing, so we must focus on protecting them. Critical information needs to be secured, regardless of whether they hosted on a server, on a trusted network, or on a portable device.
Of course, despite the efforts of a company to prevent hacking attacks and protect its critical data, this is not always successful as all networks and therefore IT systems are interconnected. The company should be able to identify its weaknesses by performing Vulnerability Assessments and / or Penetration Tests to identify problems and issues before a breach occurs.
Vulnerability Assessment / Penetration Testing what are they and how they differ?
Because there is often a lot of talk about the difference between performing Vulnerability Assessment and Penetration Testing, we will give a very simple example from another area, to show what each one is and what it includes.
We will take on the role of a burglar and try to see how he/she thinks and acts. Suppose that we have located the house in which we want to make the alleged burglary.
The first step we will take is called “target recognition” (reconnaissance): we approach the target and we look for weaknesses and making notes on a piece of paper. Suppose, then, that the supposed house we want to break into is a detached one. We realize that often the owners forget the gate unlocked (ok! Note this weakness). Turning it around the square (“scanning” the perimeter of the house) we see that the window shutters at the back of the house are half open. We note this as well!
So far what we have done is to identify possible vulnerabilities that could be used by a threat (us – the thief!) to “implement” a risk (which is burglary). However, we have not proven that all the weaknesses we have seen can lead to a violation. For example, the shutter is half open, but it can hide railings behind it or the house may have an alarm inside.

So far, we have done a Vulnerability Assessment on target. We did not try to “book” inside the house, to see if the weaknesses we noted are really weaknesses! That is, we have not yet performed a penetration!
So, this is the difference between Vulnerability Assessment and Penetration Test. In the first, we record and identify the possible weaknesses without directly attacking to the target, while in the second we confirm them with a real direct attack.
Vulnerability Assessment (VA) is usually the first stage of a Penetration Test (PT). Of course, the VA can stand on its own, without the penetration test. That is, after we do it, to share the findings with the owner (what “moral” burglars we are, after all) so that together, we can evaluate them and “resolve” what could lead to a violation, by taking the appropriate measures.

Attack Methods
The methods used for attack surface are divided into three categories:
• White-Box: The attacker has complete knowledge (100%) of the applications or IT infrastructure to be tested. Access to the applications’ source code and user / administrator accounts, as part of the assessment, could be performed.
• Gray-Box: The attacker is provided with some information about the application or infrastructure (e.g. IP Addresses, domain names, etc.).
• Black-Box: You do not provide to the attacker with any knowledge of the application or infrastructure (zero knowledge).

The attack can be internal (from inside the company) or external (from public networks; such as Internet).
Methodology
The vulnerability assessment and penetration test methodology follow the best practices, as defined in the internationally recognized standards by OWASP Top 10 and NIST 800-115. In detail, penetration tests follow (according to NIST 800-15) the following structure:

Phase 1: Planning
In the planning phase, the rules of engagement are determined, the approval of the administration is finalized, and the test objectives are documented. The design phase lays the foundation for a successful penetration test. No testing is being carried out at this phase but the action area to be implemented in the next phases is being agreed.
Phase 2: Discovery / Vulnerability Assessment
Special automated tools will be used to identify the information systems to be tested (information gathering). Then, based on the information gathered about the technologies and services exposed by the target systems, appropriate tools are configured so that they can identify the weaknesses and vulnerabilities of each system under control.

Specifically, the following will be implemented:
• Information gathering about the targets: finding subdomains, virtual hosts, related domain names within the main domain.
• Complete detection of vulnerabilities in target systems: these vulnerabilities can be identified by using a predefined set of more than 60,000 known vulnerabilities.
• Checks whether passwords are strong & complex: this scan detects the presence of weak passwords on network services (MySQL, FTP, SSH) by performing live connections to these services using dictionaries of the most common used passwords.

Phase 3: Attack – thorough check of the important vulnerabilities found
This is the most important part of a penetration test that differentiates it from vulnerability assessment. It can only be performed by staff with a high technical background but also experience in such assessments.
At this phase, an attempt is made to exploit one by one all the important vulnerabilities identified in the previous stage, using specialized exploitation techniques, in order to actually violate the target systems. In addition, in this stage, the possibility of someone being able to violate the information systems is confirmed. The degree of difficulty is confirmed, as well as the extent of the impact it may cause. For all successful breaches, the relevant evidence is collected. Weaknesses are ranked based on internationally recognized vulnerabilities, such as: CVSS (Common Vulnerability Scoring System) and CVE (Common Vulnerability and Exposures).
In the case of webs applications, a specific assessment will be performed (based on the internationally recognized OWASP Top 10 Web Application Security Risks) as:
• SQL injection
• XSS
• LFI – RFI
• OS command injection
It is noted that, at first a scan is performed against the target and in then the vulnerabilities are identified by a controlled attack.
Phase 4: Reporting – evaluating and prioritizing findings and create reports
At this phase, the findings are evaluated and prioritized based on the results of the previous assessments, in order to identify the most critical and easily exploited by malicious attackers. The findings will also be correlated to identify risks that may arise from a combination of these.
All findings will be presented in a report, sorted by their degree of risk. The CVSS v2 rating unit will be used. The CVSS unit of measurement allows a company to prioritize which vulnerabilities need to be mitigate first. The CVSS unit in collaboration with the National Vulnerability Database (NVD) provides scores for the most well-known vulnerabilities, based on the following scale:

CVS Score IMPORTANCE DESCRIPTION
 

7.0 – 10.0

 

High

Vulnerability is critical and there is a high probability that it will be used by a threat actor (attacker) to cause damage to the company. It must be corrected as soon as possible.
 

 

4,0 – 6,9

 

 

Medium

Vulnerability is of medium importance and is unlikely to be used by an attacker to cause harm to the company. Some steps can be taken to mitigate it, if and when it is decided.
 

0,0 – 3,9

 

Low

Vulnerability is of little importance and there is very low probability of damage to the company. It is not necessary to take any measures to reduce it.

In addition, any discovered vulnerability will be linked to the corresponding CVE (Common Vulnerabilities and Exposures (CVE) system) when such CVE exists. The CVE system provides a standard method for well-known weaknesses that can lead to exposure to information security risks. The national cybersecurity organization FFRDC has maintained this system, funded by the National Cybersecurity Directorate of the United States Department of Homeland Security, since September 1999. It is the de-facto standard benchmark for identifying all known vulnerabilities.
A friendly suggestion…
It is recommended that such technical security assessments to be repeated at regular intervals as the configuration of the systems, the identified security vulnerabilities as well the attack methods, are changed constantly and can be exploited by malicious parties.

Do you want to discuss about your needs and provide you the right solutions?

BSc in Computer Science, University of Crete, and MSc in International Marketing, University of London. She is experienced in auditing Management Systems and has been working for more than a decade in international group of companies, specializing in the sector of Sales, Marketing and Corporate Communication.
Lilly Mylona
Sales, Director

Contact with

Mrs. Lily Mylona,

Sales Director, PRIORITY

[email protected]

T. 210 2509900