Welcome back to Cybrary's CompTIA Advanced Security Practitioner class. My name is Kelly Handerhan, and I am your subject matter expert, and we're going to pick up with the new domain on security analysis and assessments. This is a relatively short domain.
What we're going to do in this chapter is look for vulnerabilities on our network and try to determine whether or not our network is able to withstand an attack. So we'll talk about some of the methodologies, some of the general ways that we approach vulnerability assessments and pen testing.
All right. So when we talk about the methodology, when we talk about how we're going to approach looking for weaknesses on our network, there are a couple of ways that we do that. One of the first and foremost ways, something we do on a very regular basis, is we audit: we conduct security audits.
We have automated audit tools. We review those audit logs.
We have professionals within our organization that conduct security audits. That's usually the security administration team. Those audits are regularly reviewed, and most importantly, the results of that audit are used
to shape the way the organization moves forward. So, for instance, if there were a department that failed a security audit, we don't just say better luck next time; we immediately implement some sort of corrective action plan, and we bring those departments back on board and make sure that we move forward
in a state of compliance. So security audits are very, very important.
Next, we move to vulnerability assessments. All right, well, with vulnerability assessments, what we're looking for is weaknesses on the network. OK? They can come from individual hosts. They can come from the network infrastructure itself, from configurations of network devices.
You know, vulnerabilities come from a wide range of areas, but what we're looking for is weaknesses,
and vulnerability assessments can be physical, administrative, or technical. So many times we immediately, in our mind, think, oh, we're pen testing a system. Sure, and that's fine. But what vulnerability assessments and pen tests mean, by nature, is:
can I find a weakness, and can I exploit it? So, vulnerability assessments from a physical perspective: checking the doors, seeing if the doors are unlocked, checking to see if I can get in through a loading dock when the front doors require additional security.
Are sensitive areas isolated?
Did anybody leave classified materials out on their desk? You know, those are the types of things that we look for. Now, there is a difference between a vulnerability assessment and a penetration test. Often they go hand in hand. The vulnerability assessment piece would be first: I'm looking for known weaknesses.
So if we're conducting this from a technical perspective,
the first thing I want to do is find out what operating systems your computers are running, because every operating system has its own unique set of vulnerabilities. So some operating systems come with a web service installed automatically, listening on port 80, for instance. Other operating systems have different security vulnerabilities.
So an important piece of a vulnerability assessment
is learning what I can find out and then seeing if there are known security flaws. Are there? Have users changed default passwords? Have they renamed administrative accounts? All those things are what we're looking for.
Now, penetration testing goes a step farther, and it says: can I exploit those weaknesses? Just because I have port 80 listening on my device doesn't necessarily mean that you can exploit port 80 traffic and gain access to my system through port 80. So we look for vulnerabilities first,
and then we look to see if they could be exploited.
When we talk about conducting a vulnerability assessment or penetration test, there are a couple of things that we want to do before we even get started with the test itself. First of all, we want to meet with management and determine our goal.
So we're going to meet with management and figure out why we're conducting the pen test in the first place. Are we doing it for the certification and accreditation process?
Are we doing it just for due diligence's sake? And by the way, pen testing is due diligence. I am researching; I'm looking for weaknesses on my network. Due care would be closing up those weaknesses.
So at any rate, how I approach this process is going to be driven by what we're trying to accomplish. So I'm going to meet with management
and determine my goals.
Second piece: I want a document called Rules of Engagement,
and Rules of Engagement is going to be a document that clearly specifies what I can do as part of my pen test and what I cannot do. What systems are to be tested? What hours can I conduct this pen test? Are there certain tools that I'm forbidden to use? Is it a free-for-all?
Who is to know about the pen test or vulnerability assessment?
Are there certain methods that I'm barred from using? All that should go into a document called Rules of Engagement. Now, for many of you that have done pen tests out in the world, and myself as well, I've generally worked off documents called Statements of Work, SOWs.
The statement of work, though, really should be much
broader, and it really should be commissioning my services to perform a penetration test, and it should be a high-level overview. Really, a statement of work should not be getting into the very details of naming tools and naming individual IP address ranges. So for this test, as well as a consideration to take back to the real world,
we really want to build a document specifically to detail what the rules are of this pen test
or vulnerability assessment. Don't forget what I'm really doing when I do a vulnerability assessment
or pen test: I'm hacking the network. I'm looking for vulnerabilities, and then I'm going to try to exploit them.
Chances are very good senior management frowns upon people hacking their network, so I want to make sure that this is something that's authorized by them, and that the process is well defined: the dates, the tools, and so on and so forth. And because
I know that pen testing can be risky,
it can cause resources on the network to fail, it can
cause security violations, it can trigger alarms. Some companies, when there's a scan, automatically call law enforcement. There could be repercussions to doing a vulnerability assessment or pen test. The last thing that I want is my get-out-of-jail-free card,
and that comes in the form of sign-off
from senior management.
That is what I want to accomplish before I ever start the pen test. I want to make sure I know why we're conducting the pen test, what our broad goals are. I want a document called Rules of Engagement that's very, very specific and very particular as to what tools and activities I can perform, what dates, what IP addresses, and so on.
And then I want sign-off from senior management granting me permission.
And so all of these elements are very important. But before I would even move forward with what's here on the screen,
I would certainly make sure that I have the three documents over here on the left.
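The lecture lists what a Rules of Engagement document pins down (authorized systems, testing hours, forbidden tools, who signed off) and warns that stepping outside it is how a tester loses the get-out-of-jail-free card. The following is an added example, not course material or any vendor's code: it encodes those ROE items as data and acts as a go/no-go gate before a scan or exploit is launched. The address ranges, testing window, tool names and signatory are constructed for the illustration.

```python
"""Rules-of-engagement gate for a pen test or vulnerability assessment.

Encodes the items an ROE document is supposed to pin down (authorised
systems, testing hours, forbidden tools, senior-management sign-off) as data
and refuses to launch an activity that falls outside them. The ranges, hours
and names below are constructed for the example, not taken from any real
engagement.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class RulesOfEngagement:
    in_scope: list[str]                  # CIDR ranges management authorised
    excluded: list[str]                  # carve-outs inside those ranges
    window_start: time                   # testing hours; may cross midnight
    window_end: time
    allowed_days: set[int]               # weekday numbers, Monday = 0
    forbidden_tools: set[str]            # tool names barred by the ROE
    signed_off_by: Optional[str] = None  # senior-management signatory, if any

    def __post_init__(self) -> None:
        # Parse the ranges once so a malformed ROE fails here, not mid-scan.
        self._in_scope = [ipaddress.ip_network(c, strict=False) for c in self.in_scope]
        self._excluded = [ipaddress.ip_network(c, strict=False) for c in self.excluded]
        self.forbidden_tools = {t.lower() for t in self.forbidden_tools}

    def target_authorised(self, target: str) -> bool:
        addr = ipaddress.ip_address(target)
        in_scope = any(addr in net for net in self._in_scope)
        excluded = any(addr in net for net in self._excluded)
        return in_scope and not excluded

    def time_authorised(self, when: datetime) -> bool:
        # The day check uses the calendar day of `when`; for an overnight
        # window the early-morning half therefore belongs to the next day.
        if when.weekday() not in self.allowed_days:
            return False
        t = when.time()
        if self.window_start <= self.window_end:           # same-day window
            return self.window_start <= t <= self.window_end
        return t >= self.window_start or t <= self.window_end  # crosses midnight


def check_activity(roe: RulesOfEngagement, target: str, tool: str,
                   when: datetime) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every violated rule is reported, not just the first."""
    reasons: list[str] = []
    if not roe.signed_off_by:
        reasons.append("no senior-management sign-off recorded")
    if not roe.target_authorised(target):
        reasons.append(f"{target} is outside the authorised scope")
    if tool.lower() in roe.forbidden_tools:
        reasons.append(f"tool {tool!r} is forbidden by the ROE")
    if not roe.time_authorised(when):
        reasons.append(f"{when:%Y-%m-%d %H:%M} is outside the testing window")
    return (not reasons, reasons)


# Constructed ROE for the example (hypothetical ranges, hours and signatory).
EXAMPLE_ROE = RulesOfEngagement(
    in_scope=["10.20.0.0/16", "192.0.2.0/24"],
    excluded=["10.20.5.0/24"],          # e.g. a production database segment
    window_start=time(22, 0),           # overnight window, 22:00 to 04:00
    window_end=time(4, 0),
    allowed_days={0, 1, 2, 3, 4},       # Monday to Friday
    forbidden_tools={"sqlmap"},         # no automated SQL injection on this job
    signed_off_by="CIO",
)

if __name__ == "__main__":
    for target, tool, when in [
        ("10.20.1.7", "nmap", datetime(2024, 3, 5, 23, 15)),    # Tuesday night: GO
        ("10.20.5.9", "nmap", datetime(2024, 3, 5, 23, 15)),    # excluded carve-out
        ("203.0.113.4", "SQLMap", datetime(2024, 3, 5, 14, 0)), # wrong host, tool, hour
    ]:
        ok, why = check_activity(EXAMPLE_ROE, target, tool, when)
        print("GO" if ok else "NO-GO", target, tool, when.isoformat(), why)
```

The gate reports every violated rule rather than stopping at the first, so a NO-GO result reads like the ROE clause it breaks; wiring `check_activity` in front of whatever launches the scanner (or into the engagement's job runner) turns the document into an enforced control instead of a memory aid.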