Info Security - Vulnerability Assessment

Simple deck about Vulnerability Assessment and Penetration Test. Please download it if you want to see the presentation notes as well. :-)

Page 1: Info Security - Vulnerability Assessment

Vulnerability Assessment

Marcelo B. Silva, Systems Engineer

Page 2

Agenda
• What is a Penetration Test?
• What is a Vulnerability Assessment (VA)?
• The difference between a Pentest and a VA
• Vulnerability Assessment steps
• Risks of an internal VA
• Vulnerability Assessment steps with a 3rd party
• Legal considerations and justification
• References

Page 3

What is a Penetration Test?

• There are two types of penetration (pen) tests: Black Box (no prior knowledge of the target) and White Box (full knowledge, e.g. architecture, credentials, source); grey-box tests with partial knowledge sit between them
• Analyzes assets for weaknesses, weak configurations, or vulnerabilities
• Takes the perspective of a potential attacker and leverages exploitation of known and unknown security vulnerabilities
• Validates the information security program
• Verifies that the security controls in place actually work

Page 4

What is a Penetration Test?

Which components are the targets?
• Operating systems
• Directory services
• Backend applications
• Server firmware and remote control software
• Network devices (routers, switches, firewalls)

Page 5

What is a Penetration Test?

The intruder could seek unauthorized access for:
• Staging (using the compromised host as a foothold to pivot further into the network)
• Information disclosure (Confidentiality)
• Bots/Zombies (Availability; the host is enlisted for DDoS or spam)

Page 6

What is a Vulnerability Assessment (VA)?

"Security exercises that aid business leaders, security professionals, and hackers in identifying security liabilities within networks, applications, and systems." (Snedaker, 2007)

Page 7

What is a Vulnerability Assessment (VA)?

The Vulnerability Assessment detects and tracks vulnerabilities via:
• Security technologies
– VA scanner appliances and software
• Remediation technologies, whose missing-patch reports feed the assessment
– Patch management systems (WSUS, SCCM, LanDesk, VMware Update Manager)

Page 8

Penetration Test vs. VA

Penetration Test:
• Confirms the vulnerabilities
• Scans the network
• Identifies OS, services and TCP/UDP ports on the hosts
• Performs attacks and penetration
• Works to gain unauthorized access

Vulnerability Assessment:
• Identifies weaknesses
• Identifies and enumerates vulnerabilities
• Reports on discoveries

Page 9

Penetration Test vs. VA

Penetration Test, to be used when:
• We have a limited number of assets
• Confirmation of exploitability is needed
• We are fiscally flexible
• Time is not of the essence

Vulnerability Assessment, to be used when:
• Time is a constraint
• Cost is an issue
• Validating (e.g. that patches were applied)
• Trending (repeated scans over time)

Page 10

Vulnerability Assessment: The 3 steps

1. Information Gathering and Discovery. Example of tools: NMAP
2. Enumeration. Example of tools: NMAP
3. Detection. Example of tools: Retina

Page 11

Vulnerability Assessment: The 3 steps

1. Information Gathering and Discovery
– Network scanning
– Port scanning
– Directory service
– DNS zones and records

Page 12

Vulnerability Assessment: The 3 steps

2. Enumeration
– Hosts and OSs
– Ports (including the well-known range 0-1023)
– Services and their version info
– SNMP communities

Page 13

Vulnerability Assessment: The 3 steps

3. Detection
– Weaknesses
– Vulnerabilities
– Reports are generated
– Remediation tools
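The three steps above, worked through as an added example that is not part of the original deck: the nmap command lines in the comments are real nmap syntax for the discovery and enumeration steps, and the parser turns nmap's XML output (`-oX`) into the host/OS/port/service/version inventory that step 3 hands to a vulnerability scanner. SAMPLE_NMAP_XML is constructed by hand to resemble nmap output; the 10.0.0.0/29 range, host names, products and versions in it are made up for the illustration.

```python
"""Added example (not from the deck): parse nmap -oX output into a VA inventory.

Step 1, discovery:    nmap -sn 10.0.0.0/29                      (ping sweep, no ports)
Step 2, enumeration:  nmap -sS -sU -p T:1-1023,U:161 -sV -O -oX scan.xml 10.0.0.0/29
                      (well-known TCP ports plus SNMP, service versions, OS fingerprint)
Step 3, detection:    feed the inventory below to the vulnerability scanner (the deck
                      names Retina) or match the banners against vendor advisories.
"""
import xml.etree.ElementTree as ET

# Constructed sample resembling nmap's XML output; not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -p T:1-1023,U:161 -sV -O -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
    <hostnames><hostname name="dc01.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="53"><state state="open"/><service name="domain" product="Microsoft DNS"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap" product="Microsoft Windows Active Directory LDAP"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp" product="SNMPv1 server" extrainfo="public"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2008 R2" accuracy="95"/></os>
  </host>
  <host><status state="up"/><address addr="10.0.0.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.15"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32" accuracy="90"/></os>
  </host>
  <host><status state="down"/><address addr="10.0.0.4" addrtype="ipv4"/></host>
</nmaprun>
"""


def _attr(elem, name):
    """Attribute value, or '' when the element or the attribute is absent."""
    return elem.get(name, "") if elem is not None else ""


def parse_nmap_xml(xml_text):
    """Return one dict per live host: address, PTR name, OS guess and open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        if _attr(h.find("status"), "state") != "up":
            continue  # discovery: hosts that never answered are not enumerated
        ports = []
        for p in h.findall("ports/port"):
            if _attr(p.find("state"), "state") != "open":
                continue  # closed/filtered ports carry no service to enumerate
            svc = p.find("service")
            ports.append({
                "proto": p.get("protocol"), "port": int(p.get("portid")),
                "service": _attr(svc, "name"), "product": _attr(svc, "product"),
                "version": _attr(svc, "version"), "extrainfo": _attr(svc, "extrainfo"),
            })
        osmatch = h.find("os/osmatch")
        hosts.append({
            "addr": _attr(h.find("address[@addrtype='ipv4']"), "addr"),
            "hostname": _attr(h.find("hostnames/hostname"), "name"),
            "os": _attr(osmatch, "name") or "unknown",
            "os_accuracy": int(_attr(osmatch, "accuracy") or 0),
            "ports": sorted(ports, key=lambda x: (x["proto"], x["port"])),
        })
    return hosts


def well_known_open_ports(host):
    """Open TCP ports in the well-known range 0-1023 (the deck's enumeration step)."""
    return [p["port"] for p in host["ports"] if p["proto"] == "tcp" and p["port"] <= 1023]


def snmp_communities(host):
    """Community strings that nmap's version probe echoed back in extrainfo."""
    return [p["extrainfo"] for p in host["ports"]
            if p["service"] == "snmp" and p["extrainfo"]]


def report(hosts):
    """Plain-text inventory: one header line per host, one line per open port."""
    lines = []
    for h in hosts:
        lines.append(f"{h['addr']} ({h['hostname'] or 'no PTR'}) OS: {h['os']} [{h['os_accuracy']}%]")
        for p in h["ports"]:
            banner = " ".join(x for x in (p["product"], p["version"]) if x)
            lines.append(f"  {p['port']}/{p['proto']} {p['service']} {banner}".rstrip())
        for community in snmp_communities(h):
            lines.append(f"  ! SNMP community string exposed: {community}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_nmap_xml(SAMPLE_NMAP_XML))))
```

The inventory deliberately drops hosts that did not answer and ports that were not open, so the detection step only receives services that can actually be probed. On a production network, throttle the enumeration scan (nmap's `-T2` or `--max-rate`) and announce the window to the IT staff beforehand; the risks the deck lists for an internal VA come mostly from this step.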

Page 14

Risks of an internal VA

• Unavailability of systems and applications (legacy network devices and embedded systems are especially prone to hanging under aggressive scans)
• Impact on network and system performance while the scan runs
• Reaction from the IT staff as if a real attack were taking place, unless the scan window is announced in advance

Page 15

Vulnerability Assessment Steps with a 3rd Party

• The outsourcing company must follow the FISMA requirements by applying the NIST standards and guidelines
• Establish an Information Security Assessment Policy to be followed
• Determine the objectives of each security assessment
• The consulting firm should be accountable for any damage caused by errors during the exercise
• Sign a formal agreement for the Vulnerability Assessment
• Sign a non-disclosure agreement covering everything learned during the assessment
• The 3rd party should analyze the findings, develop risk mitigation techniques accordingly, and report security incidents (FISMA section 3544(b)(7))
• The 3rd party should periodically test and evaluate the security controls and techniques (FISMA section 3544(a)(2)(D))

Page 16

VA Steps with a 3rd Party: Legal considerations and justification

• 3rd parties are required to meet the same security requirements as federal agencies (FISMA and OMB policy)
• As part of the contract and the service-level agreements, require the consulting firm to apply the security controls in NIST Special Publication 800-53 and to assess them with the procedures in 800-53A
• Evaluate potential legal concerns before starting an assessment, above all for assessments that involve intrusive tests (pentests)
• The Legal Department may review the assessment plan developed by the 3rd party
• The Legal Department should address privacy concerns and perform other functions in support of assessment planning (FISMA section 3542(a)(1)(B))

Page 17

References:
Snedaker, S. (2007). The Best Damn IT Security Management Book Period. Syngress Publishing.
National Institute of Standards and Technology. (2009). Recommended Security Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, 2009 Edition). Gaithersburg, MD.
National Institute of Standards and Technology. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems (NIST Special Publication 800-37, Revision 1). Gaithersburg, MD.
National Institute of Standards and Technology. (2010a). Guide for Assessing the Security Controls in Federal Information Systems and Organizations (NIST Special Publication 800-53A). Gaithersburg, MD.
Federal Information Security Management Act (FISMA). (2002). P.L. 107-347. Retrieved August 07, 2012, from http://csrc.nist.gov/drivers/documents/FISMA-final.pdf