Security Assessment Guide

"It sounds like you need a vulnerability assessment."

"A security review would address your security concerns."

"We recommend you get a penetration test ."

You may need one of the above, you may not need any of them at all. A vendor may sell you one but due to their interpretation of a service offering, deliver another. The thought and analysis should lie in whether you actually need one of these to address your concerns and challenges, not trying to understand what each one is and what you should be receiving if you opt for it.

The following sections outline 4ARMED's security assessment taxonomy so that after identifying and managing your risk appetite, you can associate it with an applicable solution, if required.

Security Assessment Taxonomy

Vulnerability Assessment (VA)

 4ARMED VA's are a process that automate network discovery, enumeration and identification of potential known vulnerabilities. This is achieved by use of an automated tool that associates a level of risk with each vulnerability from a built in database. An optional authenticated scan can also be carried out using credentials which allows the automated tool to potentially remove some common false positives and potentially identify further issues. 4ARMED would review the resulting report, identify and remove any superfluous accompanying information, and deliver the report to the client. VA's do not include manual checking/verification of identified vulnerabilities and are non-exploitative.

Security Review

A security review goes slightly deeper. The VA stage is still carried out however after the scan(s) 4ARMED will manually identify and remove any false positives, as well as verify the reported vulnerabilities where possible. Although the authenticated scan component noted in the VA section is still optional, it is strongly advised in a security review as a broader insight into the overall security posture of the environment is gained from both internal and external perspectives.

Security reviews are still non-exploitative so gaining access to the network to identify any secondary/tertiary issues would not be in scope. Vulnerability verification in some cases may require authenticated access to specific areas of the system/network in order to corroborate VA results from an internal perspective.

Build Review

A 4ARMED build review is similar to a VA in the sense that it identifies vulnerabilities and weaknesses in a system, however the focus is on the system's base configuration. A build review looks at the settings and configuration of the server, workstation, laptop, mobile device etc, to identify weaknesses in the image used when replicating them. Stringent checks are carried out to diagnose any configuration changes that may have created potential attack vectors.

Put simply, if there's a vulnerability in the original image, one vulnerability could very quickly result in thousands of vulnerabilities when rolled out to users. The resulting build review report would then reflect these root cause issues so that they could be effectively remediated at source.

Penetration Test

The complete package. 4ARMED define a penetration test as a legally authorised, exploitative attack against a computer system designed to simulate as closely as possible the techniques used by a threat to that system. A penetration test will attempt to exploit vulnerabilities identified, and furthermore explore the extent to which that vulnerability poses a risk and the resulting impact.

Penetration testing is a manual process supported by automated tools and provides our clients with a greater insight into the potential business risk and impact should an attack occur against the systems or applications under test. It's a simulation of a real attack against your systems that the solutions detailed above won't provide.

The best analogy I've heard is taken from Wikipedia. Consider the following rabbit proof fence.

What's the difference between a vulnerability assessment and a penetration test?

It's designed to keep rabbits out of one side. If we performed a vulnerability assessment of this fence we'd look for all the holes that might fit a rabbit through. In a penetration test however, we'd take a rabbit and try and push it through each hole we can find aiming to prove whether the fence has exploitable holes or not.

Perhaps one of the biggest advantages to a proper penetration test over automated or semi-automated reviews is the ability for the human brain to chain together multiple issues, often low risk in their own right, to create a larger compromise. A scanner could give you three low risk issues but miss the connection between them.

A contrived but surprisingly common example on internal infrastructure penetration tests would be a file share accessible to unauthenticated users on a network. Not necessarily a big deal in its own right until you find the salaries spreadsheet in there, or the IT passwords spreadsheet.

At the end of the penetration test, the resulting report arms our clients with the necessary information for them to assess and manage their risk, then plan short, medium, and long term remedial action in order to strengthen their overall security posture.

Conclusion

All of these services have one thing in common. Assurance. The level of assurance you opt for will depend on your understanding of the evolving threat landscape, your own business threats, and how you justify the protection of your IT assets.

If you want to find out more about any of the services 4ARMED offer, please get in touch.

Author image

Will Hunt

Will is a Security Consultant and CREST Registered Tester with a wealth of experience in both penetration testing and digital forensics. He has delivered strategic and technical training in both areas and has an insatiable thirst for knowledge. You can tweet him @stealthsploit.

Related Blog Articles