Assessing Security


2 Ways to Assess Security

Difference between vulnerability assessment and penetration testing

  • While vulnerability assessment may produce a potential list of vulnerabilities in the environment, the tools can’t guarantee that an attacker will actually be able to exploit them
  • In penetration testing, the tester will report only the issues that resulted in an actionable attack against the system or have a high chance of being exploited.

Does This Really Mean You’re Secure?

After you’ve assessed your vulnerabilities, conducted your penetration tests, and fixed all of your resulting issues and findings, are you really secure?

  • probably not

Realistic Testing

To get accurate results about your security, you need to perform realistic testing

  • conduct vulnerability assessments and penetration tests without impeding them or skewing the results

Rules of Engagement

  • rules of engagement need to closely adhere to the conditions under which an outside attack would take place
  • whole point of this exercise is to emulate what attackers do so you can do it first and fix what you find

Scope

  • organizations often set an artificially narrow scope by:
    • avoiding production environments
    • avoiding any degradation of service levels for customers
  • better off setting up a specific environment that mirrors your production environment

Testing Environment

  • make sure the test environment matches the production environment as closely as possible
  • it is too common for organizations to set up idealized, thoroughly patched, and well-secured environments for a penetration test
  • often helpful to operate in a cloud environment
    • can exactly replicate an entire environment consisting of cloud-based hosts and infrastructure in its own segmented area
    • identical to the production environment
    • tear it down once you no longer need it

Can You Detect Your Own Attacks?

Another way you can evaluate your level of security is to carefully watch your everyday security tools and alerting systems while running vulnerability tools and penetration tests.

  • vuln assessments and pentests should be almost indistinguishable from actual attacks
  • If you don’t notice your testing taking place, you probably won’t see the actual attacks coming in either
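The point above is easiest to check with a concrete detection rule: run a scan or test against your own systems and see whether anything fires. Below is an added example, not part of the original notes, of a small behaviour-based detector for web access logs. It flags a source that requests many distinct paths and gets mostly 4xx responses, which is what a vulnerability scanner or a directory brute-force looks like in the logs. The log lines are constructed sample data in Apache/nginx combined format (every request uses the same browser User-Agent on purpose, so the rule cannot cheat by matching a tool name); the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2024:10:00:04 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:10:00:05 +0000] "GET /admin HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:10:00:05 +0000] "GET /phpmyadmin HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:10:00:06 +0000] "GET /.env HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:10:00:07 +0000] "GET /backup.zip HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Mar/2024:10:00:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(lines, min_requests=5, min_distinct_paths=4, min_error_ratio=0.5):
    """Return {ip: stats} for sources whose request pattern looks like scanning.

    Thresholds are assumed starting values: a scanner touches many distinct paths
    and most of them do not exist (4xx), while a normal user hits a few paths that do.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not counted
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        if 400 <= rec["status"] < 500:
            s["errors"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["errors"] / s["requests"]
        if (s["requests"] >= min_requests
                and len(s["paths"]) >= min_distinct_paths
                and ratio >= min_error_ratio):
            flagged[ip] = {
                "requests": s["requests"],
                "distinct_paths": len(s["paths"]),
                "error_ratio": round(ratio, 2),
            }
    return flagged


def format_alert(ip, stats):
    """Render one flagged source as an alert line for a SIEM or pager."""
    return (f"ALERT possible scan from {ip}: {stats['requests']} requests, "
            f"{stats['distinct_paths']} distinct paths, "
            f"{stats['error_ratio']:.0%} client errors")


if __name__ == "__main__":
    for ip, stats in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(format_alert(ip, stats))
```

Run against your own logs while a vulnerability assessment is in progress: if the scanner's source address is not flagged (or the equivalent rule in your IDS or SIEM stays quiet), that is the gap the notes above warn about. Bucketing by time window rather than over the whole file is the obvious next step for production use.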

The Blue Team and the Purple Team

Blue team is tasked with defending the organization and catching the red team.

  • blue team should participate in the other side of the penetration test just as much as the red team is attacking
  • don’t want to actively block attacks coming from the red team
    • but you should definitely record and document the evidence of their activities
  • results of a penetration test make an excellent basis for requesting an additional budget

Purple teams form the bridge between red teams and blue teams and help to ensure that both operate as efficiently as possible.

  • purple teams may also play the part of both the red team and the blue team at the same time
  • common in small security teams

Instrumentation

To catch penetration testers in the act, you must have appropriate instrumentation in place.

  • intrusion detection systems and firewalls that you can use to watch for unusual traffic
  • anti-malware
  • file integrity monitoring (FIM) tools

Alerting

You need to have good alerting so that you know when you’ve caught the testers.
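The file integrity monitoring (FIM) item in the instrumentation list and the alerting point above fit together in one small tool: a baseline of file hashes, a later snapshot, and an alert for every difference. The following is an added example, not code from the original notes, of that loop. It builds the baseline and the second snapshot on a throwaway directory it creates itself, simulates a config change, a new file and a deletion, and turns the differences into alerts. The `etc/` prefix used for HIGH severity is an assumption standing in for whatever paths you consider sensitive.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        # Symlinks are skipped so a link pointing outside the tree cannot be hashed as content.
        if path.is_file() and not path.is_symlink():
            snapshot[path.relative_to(root).as_posix()] = hash_file(path)
    return snapshot


def compare(baseline, current):
    """Classify differences between two snapshots into added/removed/modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def alerts_for(changes, watched_prefixes=("etc/",)):
    """Turn a change set into alert strings; paths under watched prefixes get HIGH severity."""
    alerts = []
    for kind in ("added", "removed", "modified"):
        for p in changes[kind]:
            severity = "HIGH" if p.startswith(watched_prefixes) else "INFO"
            alerts.append(f"[{severity}] {kind}: {p}")
    return alerts


def demo():
    """Construct a throwaway tree, baseline it, simulate tampering, return (changes, alerts)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "www").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "www" / "index.html").write_text("<h1>hello</h1>\n")
        baseline = build_baseline(root)

        # Constructed changes of the kind a tester or attacker would leave behind.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # modified
        (root / "www" / "unexpected.php").write_text("<?php /* constructed */ ?>\n")  # added
        (root / "www" / "index.html").unlink()  # removed

        changes = compare(baseline, build_baseline(root))
        return changes, alerts_for(changes)


if __name__ == "__main__":
    changes, alerts = demo()
    print(changes)
    for line in alerts:
        print(line)
```

In practice the baseline is stored somewhere the monitored host cannot rewrite it, the snapshot runs on a schedule or on inotify events, and the alerts go to the same place as your IDS alerts so that a penetration test which touches the filesystem shows up in the same console as everything else.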

Secure Today Doesn’t Mean Secure Tomorrow

  • Attack surfaces change
  • Attackers change
  • Technology updates