Penetration Testing and Vulnerability Analysis

00:00

having a good vulnerability assessment program leads into pen testing. Usually vulnerability assessments come early in a pen test, but we offer consider them to be two separate activities.

00:11

The idea with the vulnerability assessment is re collecting information and looking for known weaknesses. Do you have ports open to have weak passwords? Do you have a system that is in patched? That's the type of stuff that a vulnerability scan would do for you

00:25

Now Microsoft is a tool called Microsoft Baseline Security Analyzer that will scan a system or a range of systems. Looking for those types of weaknesses is not active.

00:35

It's going to document weaknesses for us. But there's no attempt to exploit the weaknesses or compromise a system.

00:41

That's where vulnerability, analysis or assessment ends gathering information.

00:47

The next step is often to try to take those vulnerabilities and exploit them. Can I compromise the system through those weaknesses? A vulnerability assessment might say you have Port 80 Open doesn't mean I can exploit. That doesn't mean I can inject malicious code throughout Port 80. That's the next step in a pen test

01:04

with penetration testing. We're never trying to break something. Sometimes we break things really important before you start a vulnerability analysis or a penetration test that we get approval and sign off from our senior management.

01:17

That's something known as a get out of jail free card, because what we're doing with vulnerability, assessments and exploitation is a hacking our network.

01:25

It is only ethical hacking if we have permission, so we want to make sure that we do.

01:30

That exploit takes things in the next step.

01:33

The way I want you to think about it is if you know if you're in compliance with policy, you audit.

01:37

If you want to know if there are any weaknesses, a vulnerability assessment.

01:41

If you want to know if you're capable of withstanding an attack, that's your pen test. That's the information a pen test will give you.

01:49

We've got steps for penetration testing.

01:51

This assumes that the Attackers coming from the outside, that they have no internal knowledge of the environment. But they're just trying to mimic an external attacker.

01:59

We started with gathering information. Usually that's from the Internet.

02:05

For most organizations, there's quite a bit of information out on the Internet.

02:07

Can I figure out what your locations are? Your principal officers. Can I find enough information that maybe I could use a social engineering attack to get on the network?

02:16

The next thing is the threat model.

02:20

With penetration testing, we investigate, get our information about a system, then try to figure out from an attacker's perspective what the most appealing things are.

02:29

You sat there at the class. Certain servers are very appealing to us, like a DNS server or domain controller, because those are so powerful in the network.

02:38

When we're doing the pen test, we try to think like an attacker.

02:42

What are the threats that are most likely to materialize?

02:45

Then we're going to scan for those threats with their vulnerability analysis and try to exploit them

02:51

after the exploit. Whether it's successful or not, document lessons learned. What did we find? What worked, What didn't work. We take that information and formalize it, then reported to our senior management

03:02

penetration. Testing really does start off with a vulnerability analysis, then moving up to an exploit phrase.

03:09

The ultimate goal here is to determine if we can withstand an attack.

03:14

We have to conduct pen testing on a regular basis. Because of that landscape is always changing.

03:20

Wrapping up this section on access control

03:23

the first and what I think is the most important step to security segmentation

03:28

isolating your most trusted resources from less trusted entities. Make sure that untrusted going back

03:35

make sure that untrusted entities can't access what you want to protect.

03:39

If untrusted entities need access to what you're trying to protect, then force them through a firewall or some other interphase that inspects their activities.

03:49

We can segment, and we can have a subset of our network, a DMZ.

03:53

We can use different subnets using a router. Subnets can be created with the villain a virtual Elian on a switch as well.

04:00

We isolate our traffic

04:01

now user accounts we control who has privileged accounts. We review those user accounts for too much permission and privilege and make sure we're following those ideas of the principle of least privilege and need to know

04:15

we use access control lists of our resources, but also on our firewalls on our filtering devices, so that if we set, if that and logic,

04:23

if traffic appears this way, then block it. If traffic appears that way, then allow it.

04:29

You specify our rule sets when we're looking to block or allow

04:31

honey pots. Are detective there for use after an attack has come into the DMZ, perhaps, and they're looking for a system to attack, and the honeypot looks very desirable.

04:42

Then afterwards, I go back and review the logs, and I get that additional information about the attacker

04:46

then. Last but not least, penetration testing usually begins with that vulnerability. Assessment collects information that's then used to try to explain the weaknesses.

04:56

Then, of course, after the pen test, after the exploit, we document what we found and we present that information to senior management.

05:03

I will mention at no point in time does a pen tester correct problems that they found the simply document

05:11

that wraps up our Chapter six. We talked about physical security and to never underestimate the importance of physical security in your environment.

05:17

Security guards, door locks, controlling access to and from the building with swipe cards or other devices, Physical security is always going to be important.

05:28

Then we looked at using single sign on and authentication something. You know something? You have something you are.

05:34

We also said you can use somewhere you are something you do But what's most important about authentication is that we require multifactor authentication

05:43

you authenticate with more than one type

05:46

We talked about. How desirable single sign on is simply because it alleviates some of the effort users have to keep up with. To keep up with numerous passwords

05:55

makes it easier for the administrator because there's a single password database that they control.

06:00

They have a single point of authentication policy

06:03

and winds up working well for both users and administrators. But don't forget those ideas of keys to the kingdom in case those credentials are compromised

06:13

for authentication. We looked at network authentication with Kerberos, then authentication with Federated Trust with S A. M. L or open ID connect.

06:21

We reference some ideas with wireless security, like rogue wireless devices, rogue access points and evil twins.

06:30

We then looked at common attacks like denial of service, logic, bombs and man in the middle attacks.

06:35

Finally, we wrapped things up with access, control and hardening our devices services. To make sure that we have access to these resources is very difficult to obtain.

06:45

That wraps up Chapter six for us. We're almost to the end. We come in with chapter seven right after these messages.