Detection at a glance
The early detection of cyber threats has long been one of the biggest goals for the IT security sector. The rapid evolution of the different types of cyber-attacks has left traditional detection systems unable to differentiate between, and detect, attacks such as advanced persistent threats (APT), which are digital attacks directed at certain systems over a long period of time. The risk assessment process thoroughly tests existing business-critical systems so that they can be protected on a priority basis. Two broad areas of risk assessment and risk detection are vulnerability assessment and penetration testing.
Vulnerability management is the process of identifying, evaluating, treating and reporting on security vulnerabilities in systems and the software that runs on them. Security vulnerabilities, in turn, refer to technological weaknesses that allow attackers to compromise a product and the information it holds. This process needs to be performed continuously in order to keep up with new systems being added to networks, changes that are made to systems and the discovery of new vulnerabilities over time.
Vulnerability management software can help to automate this process. It uses a vulnerability scanner, and sometimes endpoint agents, to inventory a variety of systems on a network and find vulnerabilities on them. Once vulnerabilities are identified, the risk they pose needs to be evaluated in different contexts so decisions can be made about how to best treat them. For example, vulnerability validation can be an effective way to contextualize the real severity of a vulnerability.
The vulnerability management process can be broken down into four steps as follows:
Step 1: Identifying Vulnerabilities
At the heart of a typical vulnerability management solution is a vulnerability scanner. The scan consists of four stages:
- Scan network-accessible systems by pinging them or sending them TCP/UDP packets
- Identify open ports and services running on scanned systems
- If possible, remotely log in to systems to gather detailed system information
- Correlate system information with known vulnerabilities
Vulnerability scanners are able to identify a variety of systems running on a network, such as laptops and desktops, virtual and physical servers, databases, firewalls, switches, printers, etc. Identified systems are probed for different attributes: operating system, open ports, installed software, user accounts, file system structure, system configurations and more. This information is then used to associate known vulnerabilities with scanned systems. In order to perform this association, vulnerability scanners use a vulnerability database that contains a list of publicly known vulnerabilities.
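The correlation stage described above can be sketched as follows. This is an added example, not code from any scanner product; the product names, vulnerability IDs and version ranges are constructed placeholders, and versions are assumed to be plain dotted numbers.

```python
import re

# Constructed sample data: product names and IDs are placeholders, not real advisories.
VULN_DB = [
    {"id": "EXAMPLE-0001", "product": "examplehttpd", "introduced": "2.0", "fixed_in": "2.4.9"},
    {"id": "EXAMPLE-0002", "product": "sampledb", "introduced": "0", "fixed_in": "5.7.30"},
    {"id": "EXAMPLE-0003", "product": "acme-printer-fw", "introduced": "1.0", "fixed_in": "1.2"},
]

# Constructed inventory, as a scanner or endpoint agent might report it.
INVENTORY = {
    "web01": {"examplehttpd": "2.4.10", "sampledb": "5.7.29"},
    "web02": {"examplehttpd": "2.4.8"},
    "prn01": {"acme-printer-fw": "1.2.0"},
    "lab07": {"sampledb": "unknown"},
}


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10, 0) so versions compare numerically.

    Returns None when the string holds no digits (version not detected).
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0] * 4)[:4]) if parts else None


def correlate(inventory, vuln_db):
    """Return sorted (host, product, version, vuln_id, status) tuples."""
    findings = []
    for host, software in inventory.items():
        for product, installed in software.items():
            current = parse_version(installed)
            for vuln in (v for v in vuln_db if v["product"] == product):
                if current is None:
                    # Cannot decide without a version: flag for manual review.
                    status = "needs-review"
                elif parse_version(vuln["introduced"]) <= current < parse_version(vuln["fixed_in"]):
                    status = "affected"
                else:
                    continue
                findings.append((host, product, installed, vuln["id"], status))
    return sorted(findings)


if __name__ == "__main__":
    for finding in correlate(INVENTORY, VULN_DB):
        print(*finding)
```

Comparing versions as numeric tuples matters here: a plain string comparison would sort 2.4.10 before 2.4.9 and wrongly report web01 as affected.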
Properly configuring vulnerability scans is an essential component of a vulnerability management solution. Vulnerability scanners can sometimes disrupt the networks and systems they scan. If available network bandwidth becomes very limited during an organization’s peak hours, then vulnerability scans should be scheduled to run during off hours.
If some systems on a network become unstable or behave erratically when scanned, they might need to be excluded from vulnerability scans or the scans may need to be fine-tuned to be less disruptive. Adaptive scanning is a new approach to further automating and streamlining vulnerability scans based on changes in a network. For example, when a new system connects to a network for the first time, a vulnerability scanner will scan just that system as soon as possible instead of waiting for a weekly or monthly scan to start scanning that entire network.
Vulnerability scanners aren’t the only way to gather system vulnerability data anymore, though. Endpoint agents allow vulnerability management solutions to continuously gather vulnerability data from systems without performing network scans. This helps organizations maintain up-to-date system vulnerability data whether, for example, employees’ laptops are connected to the organization’s network or to an employee’s home network.
Regardless of how a vulnerability management solution gathers the data, it can be used to create reports, metrics and dashboards for a variety of audiences.
Step 2: Evaluating Vulnerabilities
After vulnerabilities are identified, they need to be evaluated so the risks posed by them are dealt with appropriately and in accordance with an organization’s risk management strategy. Vulnerability management solutions provide different risk ratings and scores for vulnerabilities such as Common Vulnerability Scoring System (CVSS) scores. These scores are helpful in telling organizations which vulnerabilities they should focus on first, but the true risk posed by any given vulnerability depends on some other factors beyond these out-of-the-box risk ratings and scores.
Here are some examples of additional factors to be considered while evaluating vulnerabilities:
- Is this vulnerability a true or false positive?
- Could someone directly exploit this vulnerability from the Internet?
- How difficult is it to exploit this vulnerability?
- Is there known, published exploit code for this vulnerability?
- What would be the impact to the business if this vulnerability were exploited?
- Are there any other security controls in place that reduce the likelihood and/or impact of this vulnerability being exploited?
- How old is the vulnerability/how long has it been on the network?
Like any security tool, vulnerability scanners aren’t perfect. Their false-positive rates for vulnerability detection, while low, are still greater than zero. Performing vulnerability validation with penetration testing tools and techniques helps to weed out false positives so that organizations can focus their attention on dealing with real vulnerabilities. The results of vulnerability validation exercises or full-blown penetration tests can often be an eye-opening experience for organizations that thought they were secure enough or that the vulnerability wasn’t that risky.
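One way to fold the factors listed above into a ranking, as an added example that is not taken from any vulnerability management product. The multipliers and the 90-day ageing bonus are illustrative assumptions, not part of CVSS, and the findings are constructed.

```python
from dataclasses import dataclass

# Illustrative weights only: tune them to the organization's risk strategy.
IMPACT_WEIGHT = {"low": 0.7, "medium": 1.0, "high": 1.3}


@dataclass
class Finding:
    asset: str
    cvss: float                 # base score reported by the scanner
    false_positive: bool        # result of vulnerability validation
    internet_facing: bool       # directly exploitable from the Internet?
    public_exploit: bool        # known, published exploit code?
    business_impact: str        # "low" / "medium" / "high"
    compensating_control: bool  # another control already reduces the risk
    days_open: int              # how long it has been on the network


def priority(f):
    """Adjust the scanner's CVSS score with the contextual factors."""
    score = f.cvss
    score *= 1.3 if f.internet_facing else 1.0
    score *= 1.3 if f.public_exploit else 1.0
    score *= IMPACT_WEIGHT[f.business_impact]
    score *= 0.5 if f.compensating_control else 1.0
    # Ageing bonus: up to +1.0 once a finding has been open for 90 days.
    score += min(f.days_open, 90) / 90
    return round(score, 2)


def rank(findings):
    """Drop validated false positives, then order by contextual priority."""
    real = [f for f in findings if not f.false_positive]
    return sorted(real, key=priority, reverse=True)


# Constructed sample findings.
FINDINGS = [
    Finding("internal-db", 9.8, False, False, False, "medium", True, 10),
    Finding("public-web", 7.5, False, True, True, "high", False, 45),
    Finding("printer", 5.3, True, False, False, "low", False, 120),
    Finding("legacy-ftp", 6.5, False, False, True, "low", False, 200),
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f"{priority(f):6.2f}  cvss={f.cvss}  {f.asset}")
```

In this sample the finding with the highest CVSS score (9.8) ends up last, because it is internal, has no published exploit and sits behind a compensating control.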
Step 3: Treating Vulnerabilities
Once a vulnerability has been validated and deemed a risk, the next step is prioritizing how to treat that vulnerability with original stakeholders to the business or network. There are different ways to treat vulnerabilities, including:
- Remediation: Fully fixing or patching a vulnerability so it can’t be exploited. This is the ideal treatment option that organizations strive for.
- Mitigation: Lessening the likelihood and/or impact of a vulnerability being exploited. This is sometimes necessary when a proper fix or patch isn’t yet available for an identified vulnerability. This option should ideally be used to buy time for an organization to eventually remediate a vulnerability.
- Acceptance: Taking no action to fix or otherwise lessen the likelihood/impact of a vulnerability being exploited. This is typically justified when a vulnerability is deemed a low risk and the cost of fixing the vulnerability is substantially greater than the cost incurred by an organization if the vulnerability were to be exploited.
Vulnerability Management Solutions provide recommended remediation techniques for vulnerabilities. Occasionally a remediation recommendation isn’t the optimal way to remediate a vulnerability. In those cases, the right remediation approach needs to be determined by an organization’s security team, system owners and system administrators. Remediation can be as simple as applying a readily-available software patch or as complex as replacing a fleet of physical servers across an organization’s network.
When remediation activities are completed, it’s best to run another vulnerability scan to confirm that the vulnerability has been fully resolved.
However, not all vulnerabilities need to be fixed. For example, if an organization’s vulnerability scanner has identified vulnerabilities in Adobe Flash Player on their computers but they completely disabled Adobe Flash Player from being used in web browsers and other client applications, then those vulnerabilities could be considered sufficiently mitigated by a compensating control.
Step 4: Reporting Vulnerabilities
Performing regular and continuous vulnerability assessments enables organizations to understand the speed and efficiency of their vulnerability management program over time. Vulnerability Management Solutions typically have different options for exporting and visualizing vulnerability scan data with a variety of customizable reports and dashboards. Not only does this help IT teams easily understand which remediation techniques will help them fix the most vulnerabilities with the least amount of effort or help security teams monitor vulnerability trends over time in different parts of their network, but it also helps support organizations’ compliance and regulatory requirements.
Staying Ahead of Attackers through Vulnerability Management
Threats and attackers are constantly changing just as organizations are constantly adding new mobile devices, cloud services, networks and applications to their environments. With every change comes the risk that a new hole has been opened in the network allowing attackers to slip in and walk out with the crown jewels.
Every time the organization gains a new affiliate partner, employee, client or customer, it opens itself up to new opportunities, but also exposes itself to new threats. Protecting the organization from these threats requires a Vulnerability Management Solution that can keep up with and adapt to all of these changes, to always stay a step ahead of the attackers.
Penetration testing is designed to assess the security before an attacker does. Penetration testing tools simulate real-world attack scenarios to discover and exploit security gaps that could lead to stolen records, compromised credentials, intellectual property, personally identifiable information (PII), cardholder data, personal, protected health information, data ransom or other harmful business outcomes. By exploiting security vulnerabilities, penetration testing helps to determine how best to mitigate and protect vital business data from future cybersecurity attacks.
It seems like every day dawns with a new headline regarding the latest cybersecurity attack. Hackers continue to steal millions of records and billions of dollars at an alarming frequency. The key to combating their efforts is to conduct thorough penetration tests throughout the year.
How to Exploit Vulnerabilities?
Penetration testing can either be done in-house by your own experts using pen testing tools or you can outsource to a penetration testing services provider. A penetration test starts with the security professional enumerating the target network to find vulnerable systems and/or accounts. This means scanning each system on the network for open ports that have services running on them. It is extremely rare that an entire network has every service configured correctly, properly password protected and fully patched. Once the penetration tester has a good understanding of the network and the vulnerabilities that are present, he/she will use a penetration testing tool to exploit a vulnerability in order to gain unwelcomed access.
Security professionals do not just target systems, however. Often, a pen tester targets users on a network through phishing emails, pre-text calling or onsite social engineering.
How Do You Test the “User Risk” to Your IT Security Chain?
Users present an additional risk factor as well. Attacking a network via human error or compromised credentials is nothing new. If the continuous cybersecurity attacks and data breaches have taught us anything, it’s that the easiest way for a hacker to enter a network and steal data or funds is still through network users.
Compromised credentials are the top attack vector across reported data breaches year after year, a trend proven by the Verizon Data Breach Report. Part of a penetration test’s job is to resolve the aforementioned security threat caused by user error. A pen tester will attempt brute-force password guessing of discovered accounts to gain access to systems and applications. While compromising one machine can lead to a breach, in a real-life scenario an attacker will typically use lateral movement to eventually land on a critical asset.
Another common way to test the security of the network users is through a simulated phishing attack. Phishing attacks use personalized communication methods to convince the target to do something that’s not in their best interest. For example, a phishing attack might convince a user that it’s time for a “mandatory password reset” and to click on an embedded email link. Whether clicking on the malicious link drops malware or it simply gives the attacker the door they need to steal credentials for future use, a phishing attack is one of the easiest ways to exploit network users. If you are looking to test your users’ awareness around phishing attacks, make sure that the penetration testing tool you use has these capabilities.
What Does Penetration Testing Mean to a Business?
A penetration test is a crucial component to network security. Through these tests a business can identify:
- Security vulnerabilities before a hacker does
- Gaps in information security compliance
- The response time of the information security team, i.e. how long it takes the team to realize that there is a breach and mitigate the impact
- The potential real-world effect of a data breach or cybersecurity attack
- Actionable remediation guidance
Through penetration testing, security professionals can effectively find and test the security of multi-tier network architectures, custom applications, web services and other IT components. These penetration testing tools and services help you gain fast insight into the areas of highest risk so that you may effectively plan security budgets and projects. Thoroughly testing the entirety of a business’s IT infrastructure is imperative to taking the precautions needed to secure vital data from cyber security hackers while simultaneously improving the response time of an IT department in the event of an attack.
- Asset Categorization
- Identification of Potential Threats
- Information Security Maturity Assessment
- Privacy Impact Assessment
Web Application Testing
- Security Testing Methodologies and Standards
- OWASP Top 10
- UDP Flood Testing
- SYN Flood Testing
- ICMP Flood Testing
- Slowloris Testing
- HTTPS Flood Testing
- NTP Amplification Testing
- Targeted Testing
- External Testing
- Internal Testing
- Black Box Testing
- Grey Box Testing
- White Box Testing
Network Related Services
- Identity and Access Management
- Creating Password Policies
- Enabling 2-Factor Authentication Systems
- Defining IAM Framework
- Network Management
- Analytics and Visibility
- Secure Connectivity (Remote Access VPN and Site-to-Site)
- Threat Defense for Branch Networks
- NAC (Certificates, SAF Access, Private Keys, Remote Management)
- Evaluation of Existing Architecture, Security Policies and Practices
- Documentation Review
- Workstation Operating Environments Review
- Current Systems Configurations and Security Policies Review
- Business Systems Security Review
- Data Security and Records Management
- Recovery Practices and Backups
- Current Threat Management Systems Review
- Operational and Physical Environment Review
- Emergency Response Readiness
- Firewall Configuration Audit
- Firewall Checklist
- Comprehensive Firewall Configuration Review
- Email Protection
- Identity and Access Management
- Data Security
- User Security
- Web Defense
Wireless Security Testing
- Wireless Data Collection
- Wi-Fi MAC Analysis and Testing
- Wireless Tools and Information Testing