System Vulnerabilities Assessment and Testing CYB 403 PDF

CYB 401: SYSTEMS VULNERABILITY ASSESSMENT AND TESTING COURSE OUTLINE Definition of systems vulnerability. Methods and the testing methods using different techniques. Mitigation of risks and how to enhance the security of a company’s infrastructure. Penetration testing methodologies, test planning and scheduling. Information gathering. Password cracking. Penetration testing and security analysis. Social engineering, Internal and external penetration testing. Router penetration testing, security analysis, reporting and documentation. Operating systems fingerprinting. Remote network mapping. Software and operational vulnerabilities. Attack surface analysis. Fuzz testing. Patch management. Security auditing. 1 Definition of Vulnerabilities A vulnerability in security refers to a weakness or opportunity in an information system that cybercriminals can exploit and gain unauthorized access to a computer system. Vulnerabilities weaken systems and open the door to malicious attacks. More specifically, The International Organization for Standardization (ISO) defines a vulnerability in security as the weakness of an asset or group of assets that can be exploited by one or more cyber threats where an asset is anything that has value to the organization, its business operations, and their continuity, including information resources that support the organization's mission Vulnerability is a cyber-security term that refers to a flaw in a system that can leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat. A vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures. Vulnerability assessments provide organizations with the necessary knowledge, awareness and risk backgrounds to understand and react to threats in their environment. A vulnerability assessment intends to identify threats and the risks they pose. It typically involves using automated testing tools, such as network security scanners, whose results are listed in a vulnerability assessment report. A vulnerability assessment is a procedure that is employed in an information system to determine and rate potential risks. It seeks to identify vulnerabilities that can be leveraged by an attacker to compromise the system and to employ tools and techniques that ensure that data confidentiality, integrity, and availability are achieved. This systematic review assists organizations in identifying security issues like cross-site scripting (XSS) and SQL injection before they can be leveraged. Cross-site Scripting also known as XSS is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. 2 SQL injection is also known as SQLI and it is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed Organizations of any size, or even individuals who face an increased risk of cyberattacks, can benefit from some form of vulnerability assessment, but large enterprises and organizations subject to ongoing attacks will benefit most from vulnerability analysis. Vulnerabilities, Exploits, and Threats at a Glance In cybersecurity, there are important differences between vulnerabilities, exploits, and threats. While a vulnerability refers to weaknesses in hardware, software, or procedures—the entryway for hackers to access systems—an exploit is the actual malicious code that cybercriminals use to take advantage of vulnerabilities and compromise the IT infrastructure. A threat is a potentially dangerous event that has not occurred but has the potential to cause damage if it does. Exploits are how threats become attacks, and vulnerabilities are how exploits gain access to targeted systems. Examples and Common Types of Vulnerabilities in Security The four main types of vulnerabilities in information security are network vulnerabilities, operating system vulnerabilities, process (or procedural) vulnerabilities, and human vulnerabilities. 1. Network vulnerabilities are weaknesses within an organization’s hardware or software infrastructure that allow cyber-attackers to gain access and cause harm. These areas of exposure can range from poorly-protected wireless access all the way to misconfigured firewalls that don’t guard the network at large. 2. Operating system (OS) vulnerabilities are exposures within an OS that allow cyber- attackers to cause damage on any device where the OS is installed. An example of an attack that takes advantage of OS vulnerabilities is a Denial of Service (DoS) attack, where repeated fake requests clog a system so it becomes overloaded. Unpatched and outdated software also creates OS vulnerabilities, because the system running the application is exposed, sometimes endangering the entire network. 3 3. Process vulnerabilities are created when procedures that are supposed to act as security measures are insufficient. One of the most common process vulnerabilities is an authentication weakness, where users, and even IT administrators, use weak passwords. 4. Human vulnerabilities are created by user errors that can expose networks, hardware, and sensitive data to malicious actors. They arguably pose the most significant threat, particularly because of the increase in remote and mobile workers. Examples of human vulnerability in security are opening an email attachment infected with malware, or not installing software updates on mobile devices. Difference Between Vulnerability and Risk Vulnerabilities and risks differ because vulnerabilities are known weaknesses. They’re the identified gaps that undermine the security efforts of an organization’s IT systems. Risks, on the other hand, are potentials for loss or damage when a threat exploits a vulnerability. A common equation for calculating it is Risk = Threat x Vulnerability x Consequence. Importance of Vulnerability Assessments Vulnerability assessments are very important in the protection of information systems and data. They help by: Preventing Data Breaches: Directing single and exclusive attention to every risk in line with time and noticing the recurrent threats so as to treat them before they bring about expensive security invasions. Ensuring Regulatory Compliance: Conformity to the laws and evasion of the law. Managing Risks: Risk priority and risk control to improve the general shareholder’s risk evaluation. Enhancing Security Posture: Periodic evaluations enhance security by making provisions of security to cater for emerging threats. Cost-Effective Security: This solution lowers the expensive costs associated with security incidents that occur when the vulnerabilities are not tended to as soon as they are identified. 4 When Does a Vulnerability Become Exploitable? A vulnerability becomes exploitable when there is a definite path to complete malicious acts. Taking basic security precautions (like keeping security patches up to date and properly managing user access controls) can help keep vulnerabilities from becoming more dangerous security breaches. Causes of Vulnerabilities 1. Human error – When end users fall victim to phishing and other social engineering tactics, they become one of the biggest causes of vulnerabilities in security. 2. Software bugs – These are flaws in a code that cybercriminals can use to gain unauthorized access to hardware, software, data, or other assets in an organization’s network. sensitive data and perform unauthorized actions, which are considered unethical or illegal. 3. System complexity – When a system is too complex, it causes vulnerability because there’s an increased likelihood of misconfigurations, flaws, or unwanted network access. 4. Increased connectivity – Having so many remote devices connected to a network creates new access points for attacks. 5. Poor access control – improperly managing user roles, like providing some users more access than they need to data and systems or not closing accounts for old employees, makes networks vulnerable from both inside and outside breaches. Vulnerability Management? Vulnerability management is a practice that consists of identifying, classifying, remediating, and mitigating security vulnerabilities. It requires more than scanning and patching. Rather, vulnerability management requires a 360-degree view of an organization's systems, processes, and people in order to make informed decisions about the best course of action for detecting and mitigating vulnerabilities. 5 Vulnerability Scanning Vulnerability scanning is a process of identifying vulnerabilities within an organization’s applications and devices. The process is automated by the use of vulnerability scanners, and takes a snapshot of a network’s vulnerabilities, allowing security teams to make informed decisions regarding mitigation. Importance of vulnerability assessments Vulnerability assessments provide organizations with details on security weaknesses in their environments. They also provide directions on how to assess the risks associated with those weaknesses. This process offers the organization a better understanding of assets, security flaws and overall risk, reducing the likelihood a cybercriminal will breach their systems. Types of vulnerability assessments Vulnerability assessments discover different types of system or network vulnerabilities. The assessment process includes using a variety of tools, scanners and methodologies to identify vulnerabilities, threats and risks. Types of vulnerability assessment scans include the following: Network-based scans identify possible network security attacks. This type of scan can also detect vulnerable systems on wired or wireless networks. Host-based scans locate and identify vulnerabilities in servers, workstations or other network hosts. This scan usually examines ports and services that could be visible on network-based scans. It offers greater visibility into the configuration settings and patch history of scanned systems, even legacy systems. Wireless network scans focus on points of attack in wireless network infrastructure. In addition to identifying rogue access points, a wireless network scan also validates a company's network is securely configured. Application scans test websites to detect known software vulnerabilities and incorrect configurations in network or web applications. 6 Database scans identify weak points in a database to prevent malicious attacks, such as SQL injection attacks. Vulnerability assessments vs. penetration tests A vulnerability assessment often includes a pen testing component to identify vulnerabilities in an organization's personnel, procedures or processes. These vulnerabilities might not normally be detectable with network or system scans. The process is sometimes referred to as vulnerability assessment/penetration testing, or VAPT. Vulnerability Testing: Methods, Tools and Best Practices 7 Vulnerability Assessments vs Penetration Tests Parameter Vulnerability assessments Penetration tests Identification and evaluation of Real world attacks are simulated to Objective potential vulnerabilities exploit vulnerabilities Usage of manual techniques and Ethical hackers are involved who Methodology automated systems to scan attempt to exploit vulnerabilities systems Various aspects of the system are Target specific vulnerabilities and Scope covered attack vectors Conducted regularly as part of an Less frequent and is performed when Frequency ongoing strategy needed Gives a broader perspective of Gives deeper insight into the impact of Focus potential issues exploiting vulnerabilities Reactive approach which assess the Proactive approach which helps Approach effectiveness of existing security prevent potential issues measures How Does a Vulnerability Assessment Work? Planning and Scoping: Identify the parameters, aims and objectives and target system of the assessment. Discovery: Collect general information about the system: hosts, ports, and software, etc. Collect it with using specialized software and through manual assessment. 8 Scanning: Make a scan to each host in order to detect open ports, mistakes or problems in configurations. Analysis: Analyze scan information to identify imperatives and determine their potential vulnerability. Reporting: Record exploits, their consequences and rank suggestions for insurance. Remediation: Apply remedies, modify settings and work on the fortification of the architecture. Follow-Up: Ensure fix and verify that fix is correct & look for new vulnerability. The Process of Vulnerability Assessment The process of Vulnerability Assessment is divided into four stages. Testing or Vulnerability Identification: All the aspects of a system like networks, servers, and databases are checked for possible threats, weaknesses, and vulnerabilities. The goal of this step is to get a list of all the possible loopholes in the security of the system. The testing is done through machines as well as manually and all parameters are kept in mind while doing so. Analysis: From the first step, we get a list of vulnerabilities. Then, it is time that these are analyzed in detail. The goal of this analysis is to identify where things went wrong so that rectification can be done easily. This step aims at finding the root cause of vulnerabilities. Risk Assessment: When there are many vulnerabilities, it becomes important to classify them on the basis of risks they might cause. The main objective of this step is to prioritize vulnerabilities on the basis of data and systems they might affect. It also gauges the severity of attacks and the damage they can cause. Rectification: Once if have a clear layout of the risks, their root cause, and their severity, we can start making corrections in the system. The fourth step aims at closing the gaps in security by introducing new security tools and measures. Tools for Vulnerability Assessment Manually testing an application for possible vulnerabilities might be a tedious job. There are some tools that can automatically scan the system for vulnerabilities. A few such tools include: Simulation tools that test web applications. Scanners that test network services and protocols. 9 Network scanners that identify malicious packets and defects in IP addresses. Advantages of Vulnerability Assessment Detect the weakness of your system before any data breach occurs. A list of all possible vulnerabilities for each device present in the system. Record of security for future assessments. Disadvantages of Vulnerability Assessment Some advanced vulnerabilities might not be detected. Assessment tools might not give exact results. How to Perform Vulnerability Assessments To identify code or security vulnerabilities in advance, performing a SAST (Static Application Security Testing) or a DAST (Dynamic Application Security Testing) scan and integrating these tools in your CI/CD (Continuous Integration /Continuous Delivery) pipeline is recommended. These vulnerability scanners use databases of known vulnerabilities to detect potential weaknesses across applications, systems, data, and other elements. The vulnerability scanner performs a thorough scan across all dimensions of your technology. It examines the target system for known security issues, misconfigurations, outdated software, and potential entry points that attacker could exploit. Once the scans finish, the tool presents a report detailing all uncovered problems and proposes measures to counter potential threats. More comprehensive tools could go further by providing SIEM (Security Information and Event Management) Integration. With this integration, the data from vulnerability scanner can be pushed into a SIEM, enhancing the scope of threat analysis. Why Is Vulnerability Testing Important? Vulnerability testing is important for several reasons: 1. Comprehensive understanding of the attack surface Vulnerability testing enables organizations to have a better understanding of their systems, networks, and applications. This comprehensive view helps to identify potential weak points and entry points that attacker might exploit. 10 2. Adapting to evolving threats Cyber threats are constantly changing and evolving, with new vulnerabilities and attack vectors emerging regularly. Vulnerability testing helps organizations stay up-to-date with the latest security threats and take proactive measures to address them. 3. Reducing attack vectors By identifying and addressing vulnerabilities, organizations can reduce the number of potential attack vectors available to cybercriminals. This decreases the likelihood of a successful cyberattack and helps safeguard critical systems and data. 4. Enhanced security measures Vulnerability testing provides valuable information that can be used to improve security measures. This may include implementing new security controls, updating policies and procedures, or providing employee training on security best practices. 5. Continuous improvement Vulnerability testing is an ongoing process, which allows organizations to continuously monitor their systems and applications for new vulnerabilities. This iterative approach enables organizations to make necessary adjustments and improvements, ensuring their security posture remains strong over time. 6. Risk management Conducting vulnerability testing helps organizations understand and manage their security risks more effectively. By quantifying and prioritizing vulnerabilities based on their potential impact, organizations can make informed decisions about allocating resources and addressing risks. 7. Vulnerability Testing Methods Vulnerability testing methods can be broadly categorized based on the approach taken to identify vulnerabilities. Here’s an overview of active testing, passive testing, network testing, and distributed testing: Active Testing Active testing is a vulnerability testing method in which testers interact directly with the target system, network, or application to identify potential security weaknesses. It typically involves sending inputs, requests, or packets to the target and analyzing the responses to discover vulnerabilities. 11 Active testing can be intrusive and may cause disruptions or performance issues in the target system, but it is usually more effective in finding vulnerabilities than passive testing. Examples of active testing include: Port scanning to identify open ports and services running on a network. Fuzz testing, which involves sending malformed or unexpected inputs to applications to discover vulnerabilities related to input validation and error handling. Passive Testing Passive testing is a non-intrusive vulnerability testing method that involves observing and analyzing the target system, network, or application without directly interacting with it. Passive testing focuses on gathering information about the target, such as network traffic, configuration settings, or application behavior, to identify potential vulnerabilities. This method is less likely to cause disruptions or performance issues but may be less effective in finding vulnerabilities compared to active testing. Examples of passive testing include: Traffic monitoring to identify patterns or anomalies that may indicate security weaknesses. Configuration reviews to assess security settings and identify misconfigurations. Network Testing Network testing is a vulnerability testing method focused on identifying security weaknesses in network infrastructure, including devices, protocols, and configurations. It aims to discover vulnerabilities that could allow unauthorized access, eavesdropping, or Denial of Service (DoS) attacks on the network. Network testing typically involves both active and passive testing techniques to evaluate the network’s security posture comprehensively. Examples of network testing include: Scanning for open ports and services on network devices. Analyzing network protocols and configurations for security flaws. Distributed Testing Distributed testing is a vulnerability testing method that involves using multiple testing tools or systems, often deployed across different locations, to scan and analyze the target system, network, or application for vulnerabilities. 12 This approach can help provide a more comprehensive view of the target’s security posture, as it helps identify vulnerabilities that may be visible only from specific locations or under specific conditions. Distributed testing can also help distribute the load of vulnerability testing, reducing the impact on the target system and increasing the efficiency of the testing process. Examples of distributed testing include: Using multiple vulnerability scanners from different locations to scan a web application for potential security flaws. Coordinating a team of testers in different geographical locations to perform simultaneous network vulnerability testing. Vulnerability Testing Tools Vulnerability testing tools are software applications or services designed to help organizations identify and assess security weaknesses in their systems, networks, or applications. These tools automate the process of vulnerability testing, making it more efficient, accurate, and consistent. There are several types of vulnerability testing tools, including: Network vulnerability scanners: These tools scan networks for open ports, misconfigurations, and other security weaknesses. Web application vulnerability scanners: These tools are specifically designed to identify vulnerabilities in web applications, such as SQL injection, cross-site scripting (XSS), and broken authentication. Static application security testing (SAST) tools: Designed to analyze source code or compiled code to identify potential security vulnerabilities without executing the application. Dynamic application security testing (DAST) tools: Built to interact with running applications to identify security weaknesses during runtime. Fuzz testing tools: Generate and send malformed or unexpected inputs to applications to identify vulnerabilities related to input validation and error handling. Configuration management and compliance tools: These tools assess system and application configurations against established security best practices or compliance standards, such as CIS Benchmarks or PCI DSS. 13 Container and cloud security tools: These tools focus on identifying vulnerabilities and misconfigurations in cloud-based environments and containerized applications. Organizations often use a combination of these vulnerability testing tools to achieve a comprehensive assessment of their security posture. It is important to keep these tools up-to-date to ensure they can effectively detect and analyze the latest security threats and vulnerabilities. Types of Threats that Vulnerability Assessment Find Here are some of the most common types of threats that can be prevented through vulnerability assessment methods: 1. Malware Infections Malware infections are among the most common cyber threats, which can devastate organizations. Malware is typically delivered through attack vectors such as phishing emails, malicious websites, and software vulnerabilities. 2. Denial of Service (DoS) Attacks DoS attacks are a type of cyberattack that aims to overwhelm a targeted system or network with traffic or other resources, causing it to crash or become unavailable to legitimate users. Vulnerability assessment can identify vulnerabilities in the network or systems that attackers could exploit to launch DoS attacks. 3. Data Breaches Data breaches occur when attackers gain unauthorized access to sensitive data, such as personal information, financial data, or intellectual property. 4. Insider Threats Insider threats are threats that originate from within an organization. These threats could come from current or former employees, contractors, or business partners who can access an organization’s IT resources. Vulnerability assessment can identify vulnerabilities in applications, systems, and network devices that insiders could exploit to steal data or cause damage to an organization’s IT infrastructure. 14 5. Phishing Attacks Phishing attacks are a cyberattack that uses social engineering techniques to trick users into sharing sensitive information, such as login credentials or financial data. 6. Web Application Attacks Web application attacks are a cyberattack that target web application vulnerabilities, such as SQL injection or cross-site scripting (XSS) attacks. Application vulnerability assessment can identify vulnerabilities in web applications and help organizations prioritize patching these vulnerabilities. 15 Vulnerability Assessment Methodology Vulnerability Assessment steps include identifying the critical assets, performing in-depth security scans and pen tests, ranking the vulnerabilities in the descending order of risk posed and finally remediation. 1. Determine Critical and Attractive Assets The first step in vulnerability assessment is understanding your entire ecosystem and determining which networks and systems are more critical to your business operation. The attacker’s objectives might vary from your perspective. Review each asset from an attacker’s perspective and rank them based on attractiveness. 2. Conduct Vulnerability Assessment Actively scan your entire network or system through automated tools to identify security flaws and weaknesses. The critical and attractive assets should be termed “targets,” which requires further analysis, including testing with real-time scenarios to find and assess perceived security weaknesses. The assessments should rely on vendor vulnerability announcements, asset management systems, vulnerability databases, and threat intelligence feed. 16 The vulnerability assessment is complete if the overall network or system effectiveness meets the defined security requirements. If vulnerabilities are identified, you should proceed to the next phase. 3. Vulnerability Analysis and Risk Assessment The next phase in the vulnerability assessment methodology is identifying the source and root cause of the security weakness identified in phase two. It offers a coherent view of remediation. It involves assigning the severity score or rank to each susceptibility based on factors like. What data are at risk? Which network or system is affected? The severity of the possible attacks Ease of compromise Potential damage if an attack happens 4. Remediation The main objective of this phase is the closing of security gaps. For each identified vulnerability, determine the remediation actions. Certain remediation actions might include: Update all the configuration or operational changes Develop and implement vulnerability patches Implement new security measures, procedures, or tools 5. Mitigation Not all vulnerabilities can be resolved completely; this is where mitigation comes into play. Mitigation focuses on lowering the chances of a vulnerability being exploited or minimizing the impact of its exploitation. A practical approach, known as virtual patching, involves promptly applying a patch to the identified vulnerability without making any changes to the actual source code or components. This virtual patch creates a protective barrier that prevents malicious actors from exploiting the vulnerability, effectively buying time until a permanent patch or code fix can be implemented. 6. Re-Evaluate System with Improvements During this phase, the system’s security posture is reassessed using similar methods as the initial assessment, which may include vulnerability testing, penetration testing, code reviews, and other relevant techniques. The focus, however, is shifted toward determining whether the 17 previously identified vulnerabilities have been successfully mitigated or reduced to an acceptable level. The assessment also aims to identify any new vulnerabilities that have emerged due to the applied changes or configurations. 7. Report Results The final phase in the security vulnerability assessment methodology is reporting the assessment result understandably. The main goal of reporting is to clearly defining the system’s effectiveness and recommending potential solutions if the current security measure seems ineffective. A comprehensive vulnerability assessment report will include additional factors like: Which system is impacted? The level of simplicity in attacking or compromising the system The potential business consequences resulting from a successful breach Whether the vulnerability can be accessed via the Internet or demands physical proximity The age of the identified vulnerability Any regulatory obligations your organization adheres to The expense associated with a data breach in your specific industry 18 Penetration Testing & Social Engineering A penetration test (pen test) is an authorized simulated attack performed on a computer system to evaluate its security. Penetration testers use the same tools, techniques, and processes as attackers to find and demonstrate the business impacts of weaknesses in a system. Penetration tests usually simulate a variety of attacks that could threaten a business. They can examine whether a system is robust enough to withstand attacks from authenticated and unauthenticated positions, as well as a range of system roles. With the right scope, a pen test can dive into any aspect of a system. Penetration testing serves as a pro-active measure to try identify vulnerabilities in services and organizations before other attackers can. Penetration testing can be offered within many areas, for example: Web applications: There are new web-applications developed and released. Network and Infrastructure: Many applications are not a web-application, but instead uses other protocols. These organization applications can reside both externally and internally. Inside testing / Infected computer simulation: What if a user receives malware on their system? This would be nearly equal to an attacker having hands-on-keyboard on that system, posing a serious risk to any organization. External Organizational Testing: A test which holds within the entire organization as scope for the penetration testers. This is ideal, but often involves having their own internal penetration testing team to focus on this long-term, or high costs involving hiring an external team to do this test. Stolen Laptop Scenario: Further described in our scenarios below. Client-Side Applications: Many applications exist in an enterprise written in different languages such as C, C++, Java, Flash, Silverlight or other compiled software. A penetration test could focus on these assets too. Wireless networks: A test which serves to figure out if the WIFI can be broken into, if devices have outdated and vulnerable software, and if proper segmentation has been built between the wireless network and other networks. Mobile applications (Android, Windows Phone, IOS): Mobile applications can have vulnerabilities in them, and also include connections and references to systems hosted inside the enterprise. Mobile applications can also hold secrets such as API keys which can easily be taken advantage of by attackers. 19 Social Engineering: Further described in our scenarios below. Phishing and Vishing: Further described in our scenarios below. Physical: A penetration testing team could try to see what happens if they show up at a location with a laptop and plugs into a network connection. Physical attacks can also include other kinds of covert attacks against locations. ICS ("Industrial Control Systems") / SCADA ("Supervisory Control and Data Acquisition"): These systems typically control some of the most vulnerable and critical assets in organizations, and as such they should receive scrutiny. Benefits of Penetration Testing Ideally, software and systems were designed from the start with the aim of eliminating dangerous security flaws. A pen test provides insight into how well that aim was achieved. Pen testing can help an organization Find weaknesses in systems Determine the robustness of controls Support compliance with data privacy and security regulations (e.g., PCI DSS, HIPAA, GDPR) Provide qualitative and quantitative examples of current security posture and budget priorities for management No-knowledge, Partial-knowledge and Full-Knowledge Penetration testing Depending on the engagement, the organization can decide to give information to the team doing the penetration testing. A no-knowledge penetration, sometimes called a black-box, implies the attacker is given no-knowledge in advance. Partial-knowledge, sometimes called a grey-box test, means the attackers are given some knowledge, and with a full-knowledge penetration test, sometimes called white-box, the penetration testers have everything they need from source-code, network-diagrams, logs and more. The more information an organization can give the penetration testing team, the higher value the team can provide. 20 Stolen Laptop Scenario A great penetration test scenario is to prove the consequences of a stolen or lost laptop. Systems have privileges and credentials on them that attackers could use to get into the target organization. The system might be protected with a password, but there exist many techniques which may allow the attackers to bypass this protection. For example: The systems hard-drive might not be fully encrypted, allowing an attacker to mount the hard-drive on their own system to extract data and credentials. These credentials could in turn be cracked and re-used across many of the organization’s login pages. The user might have locked the system, but a user is still logged in. This user has applications and processes running in the background, even if it is locked. The attackers could try to add a malicious network card to the system via for example USB. This network card tries to become the preferred way for the system to reach the internet. If the system uses this network card, the attackers can now see the network traffic and attempt to find sensitive data, even change data. As soon as the attackers have access to the system, they can start to raid it for information, which can be used to further drive the attacker’s objectives. Social Engineering A system is only as strong as the weakest member, and that is often a human being. Social Engineering involves targeting users with attacks trying to fool them into doing actions they did not intend to. This kind of technique is very popular and many of the biggest hacks in the world has involved using social engineering techniques. Social Engineering often tries to abuse certain aspects to make victims comply with actions, for example: Most people have the desire to be polite, especially to strangers Professionals want to appear well-informed and intelligent If you are praised, you will often talk more and divulge more Most people would not lie for the sake of lying Most people respond kindly to people who appear concerned about them When someone has been victimized with a good social engineering attack, they often do not realize they have been attacked at all. 21 Social Engineering Scenario: Being Helpful Humans usually wants to be helpful to each other. We like doing nice things! Consider a scenario where Eve runs into the reception of a big corporate office with her papers soaked in coffee. The receptionist can clearly see Eve in distress and wonders what is going on. Eve explains that she has a job interview in 5 minutes and she really needs her documents printed out for the interview. In advance Eve has prepared a malicious USB stick with documents designed to compromise computers it is plugged into. She hands the receptionist the malicious USB stick and, with a smile, asks if the receptionist can print the documents for her. This might be what it takes for attackers to infect a system on the internal network, allowing them to compromise(pivot) more systems. Social Engineering Scenario: Using fear People often fear of failing or not do as order. Attackers will often use fear to try coerce victims into doing what the attackers need. They can for example try to pretend to be the company director asking for information. Perhaps a social media update revealed the director is away on vacation and this can be used to stage the attack. The victim probably does not want to challenge the director, and because the director is on vacation, it might be harder to verify the information. Social Engineering Scenario: Playing on Reciprocation Reciprocation is doing something in return, like a response to someone showing you kindness. If we consider someone holding the door for you to let you in the front-door of your office building. Because of this, you are likely to want to hold the next door for the person to reciprocate. This door might be behind access-control, needing employees to present their badges, but to offer the same kindness in return, the door is held open. This is called tailgating. Social Engineering Scenario: Exploiting Curiosity Humans are curious by nature. What would you do if you found a USB stick lying on the ground out-side the office building? Plug it in? What if the USB stick contained a document with the title "Salary Information - Current Updates"? 22 An attacker could deliberately drop many malicious USB sticks around the area where employees reside, hoping someone will plug them in. Documents can contain malicious macros or exploits, or simply trick users into performing certain actions which makes them compromise themselves. Phishing Phishing is a technique usually done through email. Attackers will try to coerce and trick employees into giving away sensitive details such as their credentials or have them install malicious applications giving attackers control of the system. Phishing is a common technique for attackers to break in, something penetration testers also might try to exploit. It is important to never underestimate the human factor in cyber security. As long as humans involved, phishing will always be a possible way for attackers to gain access to systems. Phishing should not be used to prove that humans make mistakes, but try prove the consequences of those mistakes. It can also be used to test the strength of anti-spam filters and user awareness. A campaign of many phishing attempts can be done instead of a single round. A campaign of multiple phishing rounds can help determine the overall awareness of the organization and also let them know that not only attackers are trying to trick our users, but even the security department. Vishing Vishing means to use phone calls to try get unsuspecting employees to perform actions for the attackers. If the employee believes they are in a phone call with someone they know, preferably someone with authority, the employee can be tricked to performed unwanted actions. Here is an example where Eve calls Alice: Eve: Hello, this is Miss Eve calling. I was told to call you personally by the CEO Margarethe; she said you would be able to help. Alice: Ok... What can I do for you? Eve: Margarethe is travelling right now, but urgently requests her password to be reset so we can get on with a business meeting happening the moment she lands. Eve: We urgently request for her email password to be reset so she can deliver the meeting. Eve: Can you proceed to reset her password to Margareth123? Alice: I am not sure... 23 Eve: Please, Margarethe asked for you personally to comply with this request. It must be done now, I don't want to think of the consequences if not... Alice: Ok. Password is reset Vishing could try get victims to do information disclosure revealing sensitive information. It could be an attacker asking for a copy of a sensitive document or a spreadsheet. Types of pen testing A comprehensive approach to pen testing is essential for optimal risk management. This entails testing all the areas in your environment. Web apps. Testers examine the effectiveness of security controls and look for hidden vulnerabilities, attack patterns, and any other potential security gaps that can lead to a compromise of a web app. Mobile apps. Using both automated and extended manual testing, testers look for vulnerabilities in application binaries running on the mobile device and the corresponding server-side functionality. Server-side vulnerabilities include session management, cryptographic issues, authentication and authorization issues, and other common web service vulnerabilities. Networks. This testing identifies common to critical security vulnerabilities in an external network and systems. Experts employ a checklist that includes test cases for encrypted transport protocols, SSL certificate scoping issues, use of administrative services, and more. Cloud. A cloud environment is significantly different than traditional on-premises environments. Typically, security responsibilities are shared between the organization using the environment and the cloud services provider. Because of this, cloud pen testing requires a set of specialized skills and experience to scrutinize the various aspects of the cloud, such as configurations, APIs, various databases, encryption, storage, and security controls. Containers. Containers obtained from Docker often have vulnerabilities that can be exploited at scale. Misconfiguration is also a common risk associated with containers and their environment. Both of these risks can be uncovered with expert pen testing. 24 Embedded devices (IoT). Embedded / Internet of Things (IoT) devices such as medical devices, automobiles, in-home appliances, oil rig equipment, and watches have unique software testing requirements due to their longer life cycles, remote locations, power constraints, regulatory requirements, and more. Experts perform a thorough communication analysis along with a client/server analysis to identify defects that matter most to the relevant use case. Mobile devices. Pen testers use both automated and manual analysis to find vulnerabilities in application binaries running on the mobile device and the corresponding server-side functionality. Vulnerabilities in application binaries can include authentication and authorization issues, client-side trust issues, misconfigured security controls, and cross- platform development framework issues. Server-side vulnerabilities can include session management, cryptographic issues, authentication and authorization issues, and other common web service vulnerabilities. APIs. Both automated and manual testing techniques are used to cover the OWASP API Security Top 10 list. Some of the security risks and vulnerabilities testers look for include broken object level authorization, user authentication, excessive data exposure, lack of resources / rate limiting, and more. CI/CD pipeline. Modern DevSecOps practices integrate automated and intelligent code scanning tools into the CI/CD pipeline. In addition to static tools that find known vulnerabilities, automated pen testing tools can be integrated into the CI/CD pipeline to mimic what a hacker can do to compromise the security of an application. Automated CI/CD pen testing can discover hidden vulnerabilities and attack patterns that go undetected with static code scanning. 25 Penetrating Testing Report format A penetration test report provides a comprehensive summary of the system’s vulnerabilities. In addition, it includes recommendations for patching, hardening, and restricting the functionality of systems when necessary. The objective is to identify problem areas and implement a solution. Consider the following elements prior to writing a pen test report: Specify the objectives of penetration testing Understand the plausible effects of a breach Describe the assessment procedure and any pertinent techniques The following sections should be included in the penetration testing report: Executive summary – The pen testing report should begin with a summary of your findings geared towards company executives. This should be written in a non-technical language so that non-security professionals can comprehend the significance of the discovered vulnerabilities and what the organisation must do to fix them. Details of discovered vulnerabilities – Describe the vulnerabilities discovered, how they were discovered, and how an adversary can exploit them. Testers need to keep it concise and, if possible, use language that security professionals, developers, and non-technical roles can comprehend. Impact on the business – Now that it is evident which vulnerabilities exist, testers must analyse their effect on the business. It is best to use the Common Vulnerability Scoring System (CVSS) to rank the severity of the vulnerabilities, and explain which critical systems each vulnerability affects. It is also best to provide a technical walkthrough of the impact if the vulnerability is exploited on the specific organization. For instance, when performing penetration testing on a financial application, describe what each vulnerability would enable attackers to do. What particular files would they be able to view, and what operations would be permitted? They might be able to conduct financial transactions. It is essential for decision-makers to comprehend this in order to effectively manage remediation efforts. Exploitation difficulty – In this section, testers provide additional information on how they discovered and exploited each flaw. They provide a distinct rating for exploitability, such as Easy, Medium, or Hard. In conjunction with the severity of the vulnerabilities, the organisation can use this information to prioritize repairs. 26 Remediation recommendations – The most essential aspect of a pen testing report is its remediation recommendations, which explain to the organisation how to fix the vulnerabilities you discovered. The primary reason a company invests in penetration testing is to determine how to address its most serious vulnerabilities. Testers must provide detailed remediation instructions for all affected systems. To improve the efficacy of the recommendations, testers should conduct research to determine the most effective solution for each situation. For instance, one system’s vulnerability can be readily patched, whereas another system may not support patching and must be isolated from the network. Strategic recommendations – This is beyond addressing the specific vulnerabilities, advising the organisation on how to enhance its security practices. For instance, if the organisation did not detect the penetration test, suggest that they implement a more effective monitoring strategy. If testers observe that the organisation grants user accounts excessive privileges, suggest a more effective access control strategy. Security Auditing Security auditing is a scientific exam of an organization's information systems, policies, and methods to become aware of vulnerabilities, examine protection controls, and ensure compliance with protection standards and practices. It aims to evaluate the integrity, confidentiality, and availability of information, as well as the general safety posture. It is also called a cybersecurity audit, which checks your organization computer systems to make sure it is safe. It looks at things like industry standards and government rules to know if your systems meet the right security levels. This audit will check the different parts of your security controls, including the following: Network vulnerabilities: Weaknesses in your network's security, including access and firewall settings. Human dimension: How people handle sensitive information, like sharing and storing it. Organization's security strategy: Policies, charts, and assessments related to security. Physical component is a part of your system and where it is located. 27 Applications and software are Programs and updates installed by system administrators. Security auditing is an important part of security for trying out. While security testing measures in actively focus on the faults and threats, security auditing gives an overview of an organization's safety practices. It compresses diverse audits to ensure that safety features are in location, up to date, and effective. Main Purpose of a Security Audit A security audit helps to find out where organization's security is weak and if it meets standards or not. It is like a map showing what needs to be fix and what is okay. Security audits are really important for making the plans to manage risks and keep measure the data safe. The significance of safety auditing can't be overstated: 1. Risk Mitigation: Auditing enables the identification of vulnerabilities and weaknesses in security controls, permitting agencies to proactively cope with capability risks. 2. Compliance: Many industries require compliance with particular security requirements and regulations. Auditing guarantees that agencies meet those necessities. 3. Data Protection: Protecting sensitive information is important. Auditing facilitates identifying gaps in statistics safety measures. 4. Incident Response: In the event of a security incident, audits provide a treasured reference factor for investigation and healing. 5. Trust Building: Demonstrating a commitment to protection through everyday auditing builds agreement with customers, companions, and stakeholders. Types of Security Audit Different types of security auditing can be performed depending on the focus area, the level of detail, and the approach used by the auditor. Some common types of security auditing are: 28 1. Configuration Audit A configuration audit is a kind of protection audit that verifies the settings and parameters of the gadget or community components, consisting of hardware, software, firewalls, routers, switches, servers, and so on. A configuration audit goal is to make certain that the configuration of the system or network is regular, steady, and compliant with the proper practices and requirements. 2. Vulnerability Audit A vulnerability audit is a sort of protection audit that identifies and evaluates the potential weaknesses and flaws in the gadget or network that could be exploited by attackers. A vulnerability audit uses various gear and techniques, which include scanners, penetration trying out, code evaluation, and so on., to find out and check the vulnerabilities. A vulnerability audit additionally provides hints for mitigating or getting rid of the vulnerabilities. 3. Compliance Audit A compliance audit is a type of security audit that verifies the adherence of the system or community to the relevant security regulations, laws, and policies A compliance audit aims to ensure that the system or community meets the criminal and moral necessities and requirements imposed through the government, along with authority groups, industry bodies, certification agencies, and so on. 4. Performance Audit A performance audit is a sort of safety audit that measures and evaluates the efficiency and effectiveness of the safety controls and processes applied with the aid of the system or community. Steps of Security Auditing Process The security audit process generally consists of the following steps: Security Auditing Process 1. Planning This is where the foundation is laid. First, we define what we are going to determine and establish the purpose and scope of the audit. We set clear targets and created a plan that outlines how we're going to proceed. 29 2. Data Collection With the statistics in hand, we dive into an intensive evaluation. We're seeking out weaknesses, vulnerabilities, and regions wherein security won't be up to par. For each problem, we determine the ability dangers and prioritize them based totally on their potential effect and likelihood. 3. Analysis Once we've assessed the whole thing, we put together a detailed audit file. This is where we summarize our findings, outlining the recognized vulnerabilities and weaknesses. We do not simply highlight the troubles; we additionally provide realistic guidelines for improvement, and we return our findings with proof and helpful documentation. 4. Reporting Once we've got assessed the whole lot, we prepare an in-depth audit document. This is wherein we summarize our findings, outlining the recognized vulnerabilities and weaknesses. We do not simply spotlight the problems; we also offer sensible pointers for improvement, and we again our findings with evidence and assisting documentation. 5. Remediation The very last degree is all about motion. We work carefully with the organization to implement the vital changes and enhancements that we've advocated in the audit record. This frequently means addressing the maximum crucial troubles first and setting a clear timeline for completing the essential modifications. Best Practices for Safety Assessment Consider these best practices for an effective security audit: 1. Regular audits: It's like going for everyday tests in U.S.A. with your doctor. Perform audits constantly. This allows you to be proactive in identifying and addressing new safety threats that might pop up at any time. 2. Documentation: Just like preserving a magazine of your experiences, retaining accurate facts about your audit findings is vital. Document what you find out, the movements you take, and the development made. This ensures you have a clear record of your protection adventure. 3. Training: Think of your audit team as athletes in schooling. Ensure your audit groups are nicely prepared and up to date with contemporary safety practices and 30 technologies. It's like giving them the right gear and capabilities to tackle any challenges that come their way. 4. Continuous Improvement: Imagine your security audit process as a satisfactory- tuned machine. Use your study's findings to make continuous enhancements to your protection processes. It's all approximately studying from your experiences and getting better at what you do. 31 Attack surface An attack surface is all the points of entry and vulnerabilities an attacker can exploit to infiltrate a network or a system. It is essentially like all the doors and windows in a house — the more doors and windows a house has, the more potential entry points for a break-in. Understanding a network’s attack surface is critical — by knowing where the vulnerabilities are and monitoring it accordingly, an organization can reduce their attack surface and make it much harder for attackers to penetrate and compromise systems. Attack surface versus an Attack vector An attack surface is different from an attack vector. An attack vector is the method - the way for attackers to enter a network or a system. For example, common attack vectors include social engineering attacks, credential theft, vulnerability exploits, and insufficient protection against insider threats, while the attack surface are all the different entry points attackers can use to launch an attack. Components of an attack surface Attack surface components are the elements within a network that can be targeted or exploited. There are three main components of an attack surface — digital, physical, and social. Digital attack surface includes networks and services, such as ports, codes and wireless connections. Physical attack surface includes endpoint devices like USB ports and laptops. Social engineering attack surface refers to targeting personnel or employees such as phishing or ransomware attempts. Attack surface management Attack surface management is a critical part of maintaining a robust cybersecurity posture, and incorporates actively identifying, accessing, and reducing vulnerabilities within an organization’s network to reduce attack surfaces and minimize risks of breaches. For example, an attack surface management for a computer system starts with identifying all the entry points that a hacker can get access to, such as software vulnerabilities, weak passwords, or network connections. Once the entry points are identified, security personnel analyze the vulnerabilities and implement strategies to reduce risk, such as updating software, enhancing authentication methods, or configuring firewalls. 32 How an organization can reduce attack surface There are many strategies an organization can implement to reduce their attack surface, including, but not limited to: Regular vulnerability assessment and penetration testing to identify system weakness and keeping software and operating systems up to date with the latest security patches Implementing a Zero Trust strategy that limits access to only the most essential functions or personnel Fuzz Testing Fuzz Testing is a Software Testing technique that uses invalid, unexpected, or random data as input and then checks for exceptions such as crashes and potential memory leaks. It is an automated testing technique that is performed to describe the system testing processes involving randomized or distributed approaches. During fuzz testing, a system or software application can have a lot of different bugs or glitches related to data input. Barton Miller at the University of Wisconsin in 1989 first developed fuzz testing, also known as fuzzing, which is a type of software testing that involves providing invalid, unexpected, or random data as inputs to a system to identify potential security vulnerabilities or crashes. The goal of fuzz testing is to identify issues that can be exploited by an attacker, such as buffer overflows, SQL injection, or other types of input-validation issues. Fuzz testing can be done in a variety of ways, including: File fuzzing: providing random or malformed data as inputs to a file-parsing function to identify issues such as buffer overflows or other memory-corruption issues. Network fuzzing: sending malformed or unexpected data as inputs to a network protocol to identify issues such as denial of service (DoS) attacks or other security vulnerabilities. API fuzzing: sending random or unexpected data as inputs to an application programming interface (API) to identify issues such as input validation issues or other security vulnerabilities. Fuzz testing is an important aspect of software testing, as it can help to identify potential security vulnerabilities that may not be apparent during functional or unit testing. It can also help to identify issues that may not be immediately apparent during functional testing, such as memory leaks or other performance issues. 33 It is essential to note that fuzz testing may require specialized tools and test environments and that it’s often a costly and time-consuming process. Additionally, it may require a thorough understanding of the system’s architecture, protocols, and data format. Phases of Fuzz Testing 1. Identify Target System: The system or the software application which is going to be tested is marked. That system is known as the target system. Target system is identified by testing team. 2. Identify Inputs: Once the target system is set after that the random inputs are created for the purpose of the testing. These random test cases are used as inputs to test the system or software application. 3. Generate Fuzzed Data: After getting the random inputs i.e. unexpected and invalid, these invalid and unexpected inputs are converted into the fuzzed data. Fuzzed data is basically random input in form of fuzzy logic. 4. Execute the test using fuzzed data: Now using the fuzzed data testing process is performed. Basically, the code of program or the software is executed by giving the random input i.e. fuzzed data. 5. Monitor System Behaviour: After the execution of the system or the software application, operated for crashes or any other exceptions like potential memory leaks. System behaviour is tested under the random input. 6. Log Defects: In the last phase defects are identified, and these defects are fixed in order to get the better-quality system or software application. Types of Fuzz Testing There are many types of Fuzz testing, two major categorization of fuzz testing are – 1. Coverage-guided fuzz testing – In order to find flaws, coverage-guided fuzz testing examines the source code while the application is operating, probing it with arbitrary challenges. The objective is to cause the program to crash, and new tests are generated continuously. A crash indicates a possible issue, and information gathered during the coverage-guided fuzz testing process can be used to replicate the crash, which is useful in locating code that may be at risk. 2. Behavioral Fuzz testing – Behavioral fuzzy testing operates in a distinct way. When an application’s specs demonstrate how it should function, random inputs are used to evaluate how well it really performs; defects or other possible security issues are typically discovered in the gaps between expectations and reality. Some other types of fuzz tests are- 1. Mutation Fuzzing – To evaluate the robustness of the program, it randomly modifies valid input data by flipping bits, adding or removing characters, or making small adjustments. 2. Web fuzzing – It is the process of applying fuzzing techniques to web applications through the use of manipulated URL parameters, forms, or HTTP requests. 3. Generation Fuzzing – It starts with zero input data and frequently generates it according to the target’s input requirements. 4. Smart Fuzzing – It employs sophisticated algorithms to direct and prioritize the fuzzing process, resulting in a more effective bug finding procedure. 5. Protocol fuzzing – It involves providing unexpected or erroneous data packets to test network protocols and communication. 34 Patch Management Patch management is an infrastructure management activity where IT admins or operations managers must identify and prioritize patching needs, obtain and test these patches or fixes, and deploy them to update, improve, or repair existing code. Patch management is part of systems management that deals with locating, obtaining, testing, and installing patches or updates to the code, which are meant to rectify errors and plug security gaps. It includes keeping up with newly released patches, selecting the ones required for particular software and hardware, testing the fixes, verifying their installation, and documenting the process. It is mainly managed by enterprise IT professionals, although DevOps teams may sometimes participate in the process. Operating systems, applications, and embedded devices frequently need fixes (like network equipment). A patch can be used to correct vulnerabilities that are discovered after a piece of software has been released. Doing this may ensure that none of the resources in your ecosystem are open to exploitation. Software patches assist in resolving issues that were not initially apparent. Patches primarily address security issues, while some also address a particular program’s functionality. Computers install patches as little installation packages or files. Additionally, it makes it simpler to confirm that devices are using the most recent software releases. Windows and Mac management are not complete without patch management. A “patch” is a specific update or group of updates offered by software developers to address technical problems or known security flaws. Developers may also include new features and functions for the application with patches. It’s vital to keep in mind that patches are frequently temporary fixes meant to be used up until the following major program release. With the aid of some patch management systems, the entire process can be automated, from the identification of missing patches to the operation of patch deployment to the endpoints. A centralized patch management server streamlines the whole procedure. With centralized patch management, you can apply both Microsoft and third-party software patches from a single point of control. This aids in lowering system-related errors, which boosts productivity. Importance of Patch Management 1. Enhances security Security should never be taken lightly, mainly if your company deals with data protected by federal or state legislation. A missing patch is among the most frequent reasons for a security lapse. You can prevent this by actively managing the fixes required to “shore up” vulnerable areas that hackers could exploit. All operating systems, including cloud and third-party platforms, allow for this. Patching vulnerabilities regularly aids in managing and lowering the risk in your environment. This shields your company from unexpected security lapses. 2. Supports Bring your own devices (BYOD) Allowing employees to bring their own devices to work (BYOD) is becoming increasingly popular among organizations. It can increase employee productivity and save businesses money by eliminating the need to buy gadgets for their employees. BYOD can be as convenient as it is a security-related nightmare. No matter where an employee uses a device—in the office or on the job—patches management will keep it safe. 35 3. Prevents interruptions in productivity If a patch is absent, systems and even computers can crash. The result is a decrease in production. It sometimes even has the power to shut down the entire company, which can be detrimental to its bottom line. Enterprises can avoid system crashes through patch management. Thus, productivity remains high, and workers continue to work. Keeping your systems and programs up to date will reduce the number of issues and any downtime you might experience due to patches not being implemented correctly or at all. A patch will increase productivity by ensuring that your systems are running the most recent software. Cyberattacks like ransomware can completely shut down your company. Functional bugs can also bring on system outages. 4. Detects outdated software Your current operating system or software will eventually become outdated, and you’ll notice that you’re not getting any patches. There are many potential causes for this, including; The corporation will soon release a new version of the software. The software’s developer is no longer in business. The software provider has stopped providing technical support. Any software that needs to be updated before it poses a security risk will be found through patch management. 5. Provisions timely feature updates Patch management is crucial for many reasons than just fixing bugs and vulnerabilities. A patch can also improve the functionality of the software or system. Patches can also include updated or new features that boost output and make the system function more efficiently. The prevalence of cloud software available via subscription has led to an increase in feature updates. 6. Drives innovation Since the digital world is evolving daily, keeping up with the most recent technologies and updates is crucial. Patch management will help you ensure that you have the most recent software with the most up-to-date features that could help your business. You can apply patches to provide your technology with new features and functionality. This can allow your business to implement your most recent software advancements widely. 7. Enforces compliance There are cybersecurity laws in existence that mandate that companies and organizations dealing with personally identifiable information adhere to the mentioned standards. The Gramm-Leach- Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA) are two examples. Businesses violating the law or having experienced a security breach may be subject to fines or imprisonment. As cyber threats grow, laws are becoming more stringent, and businesses must adhere to the best practices for information security. Patching your systems will help you avoid regulatory penalties and fines. Failure to comply could subject your company to legal repercussions. Patch management guarantees that you adhere to these criteria. 8. Protects remote workers In today’s environment, businesses encourage remote work, and most employees work remotely at least occasionally. Patch management can therefore be incorporated as a component of a remote workforce support solution to safeguard all the devices used by your business, wherever they may be. Ultimately, patch administration is essential for your enterprise. It keeps all devices and software up to date, eliminates system crashes, and ensures the seamless operation of your company. 36

System Vulnerabilities Assessment and Testing CYB 403 PDF

Document Details

Tags

Related

Summary

Full Transcript