Vulnerability Assessment and Penetration Testing MindMap
To Download the FREE PDF of MindMaps
Your information will remain 100% private. Unsubscribe with 1 click.
Hey, I’m Rob Witcher, and I’m here to help YOU pass the CISSP exam. We are going to go through a review of the major topics in Domain 6, specifically focusing on vulnerability assessments and penetration testing.
This is the second of three mind map videos for domain 6. I have included links
to the other MindMap videos in the description below.
Every system has vulnerabilities. Vulnerability assessment and penetration
testing are an important part of testing a system to look for these vulnerabilities: to identify, classify and prioritize remediation.
Vulnerability assessments and penetration tests are very similar and start out the same way – identifying potential vulnerabilities and reporting on them to understanding the potential impact to the organization and prioritize remediation.
In a penetration test we identify potential vulnerabilities, and then we attempt to exploit them. To verify if the vulnerability truly exists and can be exploited, and thus eliminating false positives. Vulnerability assessments tend to be faster and more automated but generate far more false positives. Penetration tests are slower and more manual, and have a much higher likelihood of negatively impacting a system, but they provide a much clearer picture of the security of a system.
Here is the process we go through to conduct vulnerability assessments and pen tests
We start with reconnaissance, which is a passive activity, the organization cannot detect anything at this step because we are gathering publicly available information from sources like job postings, linkedIn profiles, and DNS records.
Enumeration is ACTIVE, this step can potentially be detected by the organization. We are enumerating, systematically walking through, IP address ranges and ports to look for live systems that are offering services.
Vulnerability analysis is where we determine the exact version of a system and identify potential vulnerabilities that could be exploited. We will talk about how banner grabbing, and fingerprinting can be used to identify the version of a system in a few minutes.
If we are performing a vulnerability assessment, then we skip execution and go straight to reporting. In a pen test however, the execution step is where we attempt to exploit any vulnerabilities we have identified. Actually break-in to a system.
And documenting findings is all about reporting on vulnerabilities identified, the potential impact to the organization and prioritization, and tailoring reports to various audiences.
Now let’s go through some testing techniques we can use. We can mix and match these different techniques to achieve different types of tests. We can simulate an outside hacker, or a malicious insider as examples.
Perspective is about where the ethical hacker is performing the test from
Internal means the testing is performed from within the organization’s network. Simulating the attacker being inside the network
External means the testing is performed from outside the organizations network. Simulating the attacker being outside the firewall, typically out on the internet.
There are a couple of major approaches we can use in conducting tests
In a blind test, we give the ethical hacker very limited information on the system to be tested. Perhaps just an IP address. The ethical hacker is blind.
Double blinds means, not only do we not give the ethical hacker any information, we also don’t tell the organization’s security operations team that the hack is occurring. Double blind tests not only what the hacker can get into, but also how effectively the organization can detect and respond to the attack
Knowledge is all about how much information is given to the ethical hacker
In Zero knowledge or black-box testing, the tester is given zero knowledge on the system and must rely on publicly available information and whatever they can deduce. This simulates an outsider trying to break in. Zero knowledge and blind tests are the same thing.
In partial knowledge or gray-box testing, the tester is given the knowledge of a user, potentially even elevated privileges on the system, and some basic info on system and network architecture. This makes testing more efficient.
Full knowledge, White-box, open-box, clear-box testing is where the testers are given full access to source code, full credentials, and detailed architectural documentation. White box testing is much more focused on going through the source code in detail.
Types of Scans
There are a couple of different types of scans we can perform with vulnerability assessment tools like Nessus or Rapid7
Credentialed / Authenticated
A credentialed or authenticated scan is where we give the scanning tool the credentials necessary to log into the system or systems being scanned. A credentialed scan can take a deeper look into the exact configuration of a system and thus help eliminate false positives and also help with baseline compliance
Uncredentialed / Unauthenticated
An uncredentialed scan, as you can probably guess, means we don’t give the scanning tool the credentials necessary to login. This is more a simulation of an external attacker and what vulnerabilities can be identified from the outside.
Banner grabbing & Fingerprinting
A critical requirement in identifying vulnerabilities is knowing the exact version of an operating system and application. Different versions of software are vulnerable to different things. Banner grabbing is where we intentionally get the system to generate something like an error message, like say an error 404 file not found on a web server, and looking at the error message to see if the version number of the system is listed. Systems should be configured not to show this information.
Fingerprinting is far more subtle. By either passively monitoring network traffic going to a system, or actively sending a few specially crafted packets, we can carefully evaluate the exact structure and the contents of packets. Different versions of systems will craft packets in subtly different ways allowing us to fingerprint the exact version.
Interpreting & understanding results
When reporting on vulnerabilities there are a couple of different important numbers that should be included
The CVE or Common Vulnerabilities and Exposures number is a unique identifier for each vulnerability and a public database of all these vulnerabilities is maintained. Each vulnerability that has been discovered has a unique CVE number assigned to it
The CVSS or Common Vulnerability Scoring System is a standard for assessing the severity of a vulnerability from a zero which means meh all the way up to 10 which means everyone should be running around screaming
False positive vs. False negative
Finally, false positives and false negatives are important challenges we need to deal with. A false positive is where we identify a potential vulnerability and upon further investigation, we realize there is no vulnerability – so we have spent some time chasing something that wasn’t there. False negatives are far worse. This is where a vulnerability exists, and we don’t identify it. We are blind to the vulnerability.
And there we have an overview of vulnerability assessments and penetration testing within Domain 6, covering the most critical concepts to know for the exam.
If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MinMap series, then please subscribe and hit the bell icon to get notifications.
I will provide links to the other MindMap videos in the description below.
Thanks very much for watching! And all the best in your studies!