The document outlines security assessment techniques, emphasizing the importance of identifying vulnerabilities and threats to maintain organizational security, and introduces Security Information and Event Management (SIEM) as a solution for real-time data analysis. It also describes penetration testing, its phases (planning, discovery, attack, and reporting), and various techniques (black box, white box, gray box) to evaluate system security. The document highlights the value of penetration testing in understanding system weaknesses and improving security measures.
penetration testing
Security Assessment Techniques
• Identifying vulnerabilities and threats is key to maintaining organizational security.
• In addition to identifying vulnerabilities, organizations need an approach to assess threats against their systems.
• In the past, organizations could use a Security Information Management (SIM) system, which efficiently stores and analyses log data across all networks, devices, and applications.
• Then, in addition, the data needed to be analysed in real time to provide correlation across events and enable alerts and reporting.
• Security event management (SEM) was the solution in this case.
• SIM and SEM were eventually combined into what's known today as security information and event management (SIEM).

Penetration Testing Techniques

• Penetration testing, also known as pen testing, is an authorized cyberattack performed to evaluate computer system security.
• It is used as part of an organization's information security program to better understand the systems.
• Pen tests often incorporate real-world attacks to identify methods and weaknesses in the systems.
• Penetration test results can be valuable. For example, they:
  ▪ Help organizations better understand how their systems tolerate real-world attacks.
  ▪ Help an organization allocate resources properly.
  ▪ Help quickly identify areas of weakness that need to be strengthened.
  ▪ Help an organization to measure its responses.
• Penetration testing should always be performed within a defined program of governance that involves senior management.
• Penetration testing can be conducted using various techniques, classified as follows:
  ▪ Black box (unknown environment): In a black box test, the assessor has no knowledge of the inner workings of the system or the source code. The assessor simply tests the application for functionality as if he or she were a regular user of the system.
  ▪ White box (known environment): White box testing, also called clear box or glass box testing, provides more transparency than black box testing. In white box testing, the assessor has knowledge of the inner workings of either the system or the source code.
  ▪ Gray box (partially known environment): Gray box testing combines white and black box techniques. Think of this approach as translucent: the tester has some understanding or a limited knowledge of the inner workings.
• Black box testing consumes less time and is less exhaustive than white box testing, and gray box testing falls in between.

[Figure: Comparison between unknown, known and partially known penetration testing environments.]

• Penetration testing includes the following components:
  ▪ Verifying that a threat exists: A penetration test seeks to exploit vulnerabilities. Before you can exploit a vulnerability, you must first understand the threat and its extent.
  ▪ Bypassing security controls: Penetration tests should seek to bypass security controls, just as a real attacker would. For example, bypassing firewalls through the use of a rogue wireless access point or modem. Another common method of bypassing security controls is to render them ineffective.
  ▪ Actively testing security controls: Active techniques include direct interaction with a specific target. Passive techniques seek to identify gaps that could lead to missing or misconfigured security controls. Active techniques, on the other hand, seek to identify whether controls are implemented properly.
  ▪ Exploiting vulnerabilities: Unlike vulnerability scanning, penetration testing does not just check for the existence of a potential vulnerability but attempts to exploit it. A resulting exploit verifies the vulnerability and should lead to mitigation techniques and controls to deal with the security exposure. Most exploited vulnerabilities are likely to result from misconfigurations, kernel flaws, buffer overflows, input validation errors, and incorrect permissions.

Phases of a penetration test

• Careful planning is required before conducting penetration testing.
• A penetration test involves four primary phases: planning, discovery, attack, and reporting.

Planning

• The planning phase does not involve actual testing.
• Its purpose is to set expectations and provide clarity regarding the plan and goals.
• This phase is an important part of the overall process because of the risks of penetration tests.
• The planning phase is the time to clearly define the rules of engagement.
• An important output of this phase is a documented plan that includes the rules and expectations.

Discovery

• Discovery consists of two fundamental areas: information gathering and scanning, and vulnerability analysis.
• Information gathering and scanning involve conducting reconnaissance on the target through observation and other outside discovery tools.
• Reconnaissance is considered either passive or active.
• Passive techniques are less risky than active ones because they do not require actively engaging with the targeted systems.

Attack

• During the attack phase, the tester tries to gain access or penetrate the system.
• The idea is to at least perform an initial exploitation, even if it does not reveal the ultimate goal or data of value.
• During this initial exploitation, the tester commonly has only regular user access and does not have access to high-value areas.
• However, this initial exploit provides the opportunity for the penetration tester to execute privilege escalation.
• From there, the tester can likely begin to gain further access deeper into the network, in a process known as lateral movement.
• Moving laterally requires pivoting.
• Throughout these pivots, the tester might try to install additional tools. This process is called persistence.
• Finally, the last step is cleanup.

Reporting

• Reporting is an important component of a penetration test.
• After any penetration test, a comprehensive report should be delivered that includes, at a minimum,
  ▪ vulnerabilities identified,
  ▪ actions taken, and the results,
  ▪ mitigation techniques, and
  ▪ some sort of quantification of the risk.
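
The real-time correlation that the Security Assessment Techniques bullets attribute to SEM and SIEM, sketched as an added example (not part of the original slides): events from several log sources are normalized into one stream, and a rule raises an alert when a successful login follows repeated failures from the same source address within a short window. The event fields, the threshold, the window and the sample log entries are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, already normalized from several log sources:
# (timestamp, reporting device, source IP, account, outcome)
EVENTS = [
    ("2024-05-01T09:50:00", "vpn-gw", "198.51.100.4", "carol", "auth_fail"),
    ("2024-05-01T09:55:00", "vpn-gw", "198.51.100.4", "carol", "auth_fail"),
    ("2024-05-01T10:00:00", "vpn-gw", "203.0.113.7", "alice", "auth_fail"),
    ("2024-05-01T10:00:20", "mail01", "203.0.113.7", "alice", "auth_fail"),
    ("2024-05-01T10:00:45", "web01", "203.0.113.7", "bob", "auth_fail"),
    ("2024-05-01T10:01:10", "web01", "203.0.113.7", "bob", "auth_ok"),
    ("2024-05-01T10:02:00", "mail01", "198.51.100.4", "carol", "auth_fail"),
    ("2024-05-01T10:02:30", "mail01", "198.51.100.4", "carol", "auth_ok"),
    ("2024-05-01T10:03:00", "web01", "192.0.2.10", "dave", "auth_ok"),
]

def correlate(events, window=timedelta(seconds=120), threshold=3):
    """Alert when a success follows >= threshold failures from one source IP
    inside the sliding window, regardless of which device logged them."""
    failures = defaultdict(deque)   # source IP -> recent (time, device) failures
    alerts = []
    # ISO 8601 timestamps sort chronologically as strings.
    for ts_text, device, src, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        recent = failures[src]
        # Drop failures that have aged out of the correlation window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if outcome == "auth_fail":
            recent.append((ts, device))
        elif outcome == "auth_ok" and len(recent) >= threshold:
            alerts.append({
                "time": ts_text,
                "src": src,
                "user": user,
                "failed_attempts": len(recent),
                # Devices involved shows the cross-source nature of the match.
                "devices": sorted({d for _, d in recent} | {device}),
            })
            recent.clear()          # one alert per burst
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

No single device in the sample logs more than one failure for 203.0.113.7 before the success, so the pattern is only visible once the three sources are correlated.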