US National Institute of Standards and Technology (NIST) ( https://nvd.nist.gov/ncp/repository)
International Organization for Standardization (ISO/IEC 27000 Family – Information Security management systems) https://www.iso.org/isoiec-27001-information-security.html
PCI Security Standard Council which published Payment Card Industry Data Security Standards (PCI DSS) https://www.pcisecuritystandards.org/
Vulnerability Assessment
Vulnerability assessment is the process of defining, identifying and classifying security vulnerabilities in an IT system.
vulnerability types:
Authentication Vulnerability.
Authorization Vulnerability.
Input Validation Vulnerability.
The main difference between Vulnerability Assessment and Penetration testing is that in the Vulnerability Assessment no exploitation and post exploitation is done, and you don’t know whether the finding is false-positive or true-positive.
Vulnerability Assessment Steps:
Identifying assets and building asset inventory.
Categorizing assets into groups.
Scanning assets for vulnerabilities.
Ranking risks.
Patch Management.
Follow-up remediation scans
Vulnerability Assessment Tools:
Qualys
Nessus – Tenable Security (they have free community edition with limited functionality)
Nexpose – Rapid 7 (they have free community edition with limited functionality)
OpenVas (Free and Open Source)
Security Terms
Asset
Asset is people, property or information that we are trying to protect. People include employees, contractors and customers. Property include tangible and intangible items that can have value, intangible assets include reputation as well as proprietary information. Information include Databases, software code, critical company record and many other intangible items, in short, an asset is what we are trying to protect.
Threat
Threat is anything that that can exploit a vulnerability intentionally or accidently and obtain, destroy an asset, in other words threaten what we are trying to protect against.
Vulnerability
Vulnerability is a weakness or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. Vulnerability is a weakness or gap in our protection efforts.
Risk
Risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of Assets, threats and vulnerabilities.
Why it is so important to understand the distinction between these terms? because you won’t understand the full extent of the risk to the asset otherwise.
When conducting a risk assessment, the formula used is:
Asset (A) + Threat (T) + Vulnerability (V) = Risk (R).
Exploit
Exploit is a piece of software or a sequence of commands that takes advantage of a vulnerability to cause unintended or unanticipated behavior to occur on computer software or hardware. An exploit is an attack on a computer system specially when it takes advantage of a vulnerability the system has or is known for. Exploit is the act of successfully making attack.
Penetration Test Approach
What should a Penetration tester know about the system in order to perform a Pen-test? The approach that a Pen-tester should take in order to perform Penetration test should take three different stages, Black box, Gray box and white box tests.
Black Box Pen-test
Black box pen-test is that the Pen-tester has no previous knowledge about the target system and usually takes the approach of uninformed attacker. Black box pen-test simulate a realistic scenario, but some areas of infrastructure may not have tested and does not cover informed attacker penetration attempts.
White Box Pen-test
White box Penetration tests is a pen-testing approach that uses the knowledge of the internals of the target system to elaborate the test cases for example in application Penetration testing the source code of the application is usually provided along with design information or in an infrastructure Pen-testing networks diagrams, infrastructure details, etc. are provided.
The goal of a white box test is to provide as much information as possible to the Pen-tester so that he or she can gain inside understanding of the system and elaborate the test cases based on that. The advantages of a white box Pentest is that it allows to perform deep and through testing, maximizes testing time, extent the testing area and it is realistic enough.
Gray Box Pen-test
In Gray box Penetration test the Pen-tester will have a partial knowledge about the target system to check if this knowledge will allow him to penetrate and gain access to the system. Gray box testing also called gray box analysis which is strategy for software debugging in which the tester has limited knowledge of the internal details of the program.
Gray box testing is non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts.
Planning Penetration Testing
Once a penetration tester (Pen-tester) gain approval to perform a Penetration testing, a great deal of thought and consideration need to be done. Poor planning of penetration testing can have serious consequences for the network and systems, causing unwanted business disruption that might lead to permanent harm. The planning of Pentest is divided into four steps:
Identifying the Pentest purpose
The first step of planning a pen-test is identifying the need of the customer (the customer is the owner of the IT system), the customer basic needs is identifying the weaknesses in the information systems and take measures before real attack occurs, but her we should find the methods and targets according to the customer sensitive topics, for example:
Who is the most important threat for the customer, an insider employee of the company or an outsider?
What is the most important asset that the customer wants to protect?
What can an inner threat do to IT