A vulnerability is a weakness or flaw in an organization's systems that a malicious actor can exploit to compromise the integrity, confidentiality or availability of a product or of information.
Examples of common vulnerabilities are:
- System IDs of terminated employees not removed from system
- New patches not applied to system
- Use of weak and default passwords
A threat is anything that has the potential to cause serious harm to a computer system or to an organization. It can also be described as anything that would contribute to the tampering, destruction or interruption of any service or item of value. According to NIST, a threat is the potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. Threat sources can be natural, human or environmental.
Examples of threats are:
- Non-technical staff
According to NIST, risk is a function of the likelihood of a given threat source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Risk is a combination of threat and vulnerability.
To determine the likelihood of a future adverse event, the threats to an IT system must be analyzed together with the potential vulnerabilities and the controls in place for that system. Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability.
VAPT (vulnerability assessment and penetration testing) helps an organization take preventive measures against malicious attacks by attacking its own systems in a controlled way while staying within legal limits. It verifies the security hardening of the organization's systems.
The reasons to do VAPT include:
- To ensure security of the system and to prevent unauthorized access
- Protect privacy
- Gain the confidence of customers and stakeholders
- To verify the system is foolproof
- To ensure Authenticity, Accountability and Availability
- To do risk assessment
- For network auditing - to ensure the security of network
- For compliance checking
- For continuous monitoring to ensure security and prevent hacking
A vulnerability scan, or vulnerability assessment, is done to find known vulnerabilities in a system. Vulnerability assessment tools such as Nessus and OpenVAS are used for the assessment. They help identify vulnerabilities but do not distinguish between flaws that can be exploited to cause damage and those that cannot. Scanning is done continuously, especially after new equipment is added. Vulnerability assessment focuses on:
- Identifying potential vulnerabilities
- Classifying vulnerabilities into High, Moderate, and Low risk vulnerabilities
- Identifying assets connected to the network
A penetration test, also called a pen test, is an attempt to exploit the vulnerabilities in a system. It is done the way attackers would exploit the system's vulnerabilities, and is performed at least once a year. It helps determine whether unauthorized access or other malicious activity against the system is possible, and identifies which flaws pose a threat to the application. The goal of a penetration test is to identify actual risk. A pen test focuses on:
- Identifying unknown ("zero-day") vulnerabilities
- Validating vulnerabilities by exploitation
- Identifying additional vulnerabilities not identifiable or accessible by a vulnerability assessment
VAPT can be performed in the following phases:
- Test preparation Phase
- Test Phase - Vulnerability Assessment and Penetration testing
- Report Generation
- Test preparation Phase
In this phase, the testers and the organization decide on the scope, objectives, timing and duration of the test. All necessary documents and agreements must be prepared and agreed by both parties.
While performing assessments and tests, the scope of the assignment needs to be clearly defined. The scope is based on the assets to be tested. The following are the three possible scopes:
- Black Box Testing: Testing from an external network with no prior knowledge of the internal networks and systems
- Gray Box Testing: Testing from an external or internal network, with knowledge of the internal networks and systems. This is usually a combination of black box testing and white box testing
- White Box Testing: Performing the test from within the network with the knowledge of the network architecture and the systems. This is also referred to as internal testing
- Test Phase
Actual testing is done in this step.
- Information Gathering
The process of information gathering is to obtain as much information as possible about the IT environment, such as networks, IP addresses, operating system versions, etc. This applies to all three types of scope discussed earlier.
- Vulnerability Scanning
In this process, tools such as vulnerability scanners are used, and vulnerabilities in the IT environment are identified by scanning. The information gathered in the previous step is used to scan and assess the target network space.
- Vulnerability Analysis and Planning
This process analyzes the identified vulnerabilities, combined with the information gathered about the IT environment, to devise a plan for penetrating the network and systems. Vulnerabilities are prioritized based on their severity and impact.
- Penetration Testing
In this process, the target systems are attacked and penetrated using the plan devised in the earlier process.
- Privilege Escalation
After successful penetration into the system, this process is used to identify and escalate access to gain higher privileges, such as root access or administrative access to the system.
- Result Analysis
This process performs a root cause analysis of each successful compromise that led to penetration, and devises suitable recommendations to make the system secure by closing the holes found.
- Reporting phase
All findings observed during the vulnerability assessment and penetration testing process need to be documented, along with recommendations, to produce the test report for management to act on.
- Cleanup
Vulnerability assessment and penetration testing involves compromising the system, and during the process some files may be altered. This process ensures that the system is brought back to its original, pre-test state by cleaning up (restoring) the data and files used on the target machines.
Website VAPT, or website vulnerability assessment and penetration testing, is a step-by-step procedure to determine the security of a website by finding any vulnerabilities and taking appropriate action against them. Security can be assessed from the point of view of an end user, an administrator and an anonymous user. Some of the vulnerabilities that can be found using website VAPT are:
- SQL Injection
SQL injection is a web attack technique in which the attacker makes an application run SQL it was never intended to run. It is considered a user-input vulnerability. Attackers use this method to steal information from organizations.
sqlmap is a tool which can be used to detect this vulnerability.
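The two patterns behind the paragraph above, as an added example that is not part of the original text: a login check that splices user input into the SQL text, beside the same check written as a parameterised query. The table, the two users and the probe input are constructed here for the demonstration; the point is that the vulnerable version returns every user for the probe while the safe version returns none.

```python
import sqlite3

def build_db():
    # Constructed sample data: an in-memory SQLite table of two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    # Builds the SQL text by string concatenation, so the user's input
    # becomes part of the query itself rather than data compared by it.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(query))

def login_safe(conn, username, password):
    # Parameterised query: the driver binds the inputs as values, so a quote
    # inside them can never terminate the string literal or alter the logic.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))

def demo():
    conn = build_db()
    tautology = "' OR '1'='1"   # constructed probe: turns the WHERE clause always-true
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, "nobody", tautology),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, "nobody", tautology),
    }

if __name__ == "__main__":
    for case, users in demo().items():
        print(f"{case}: {users}")
```

The fix is structural, not a matter of filtering quotes: with placeholders the database parser never sees the input as SQL, which is why scanners such as sqlmap report findings only where concatenation is used.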
- Cross site scripting
Cross-site scripting, also called XSS (or sometimes CSS), refers to attacks in which an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. It leverages flaws in a web application's code to let the attacker deliver malicious content through an end user and collect some type of data from the victim. The flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
Acunetix is a tool which can be used to find this vulnerability.
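The "without validating or encoding it" clause above, as an added example that is not from the original text: a search page that reflects the query back unencoded, beside the same page with HTML output encoding. The probe string is constructed here and is the kind of harmless marker a scanner submits to see whether input is reflected as markup.

```python
import html
import re

# Crude marker used only to compare the two renderings below.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def render_vulnerable(query):
    # Reflects the raw input into the page, so any markup in it is
    # interpreted by the browser as part of the page.
    return f"<p>Results for: {query}</p>"

def render_safe(query):
    # Encodes the HTML-significant characters (< > & " ') so the browser
    # shows the input as text instead of treating it as markup.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"

def contains_script_tag(page):
    return SCRIPT_TAG.search(page) is not None

def demo():
    # Constructed probe input: it must appear in the safe output only as text.
    probe = "<script>alert(1)</script>"
    return {
        "vulnerable_has_script": contains_script_tag(render_vulnerable(probe)),
        "safe_has_script": contains_script_tag(render_safe(probe)),
        "safe_output": render_safe(probe),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Encoding is context-specific: `html.escape` is right for text between tags and for quoted attribute values, but input placed inside a script block, a URL or a CSS value needs the encoding for that context instead.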
- Xpath Injection
XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.
Acunetix can be used to detect this as well.
- Cookie poisoning
Cookie poisoning is the modification of a cookie (data stored on a web user's computer) by an attacker to gain unauthorized information about the user for purposes such as identity theft. The attacker may use the information to open new accounts or to gain access to the user's existing accounts.
- Buffer overflow
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
- Directory traversal/Unicode
Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
Acunetix can be used to find this.
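The server-side check that stops the traversal described above, as an added example that is not from the original text. The document root, its files and the request paths are constructed here. Percent-encoded forms (the "Unicode" part of the heading) are handled by decoding before the check, and the check itself compares fully resolved paths rather than looking for a literal "..".

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

def resolve_under_root(root, requested):
    """Map a requested URL path to a file under root, or None if it escapes."""
    root = Path(root).resolve()
    # Decode percent-encoding first: checking the encoded string would let
    # "..%2F" slip past a textual ".." filter. URL paths are root-relative,
    # so a leading slash is dropped rather than treated as an absolute path.
    decoded = unquote(requested).lstrip("/")
    candidate = (root / decoded).resolve()   # collapses any ".." segments
    try:
        candidate.relative_to(root)          # raises if candidate left root
    except ValueError:
        return None
    return candidate

def demo():
    # Constructed document root: www/index.html inside, secret.txt outside.
    base = Path(tempfile.mkdtemp())
    webroot = base / "www"
    webroot.mkdir()
    (webroot / "index.html").write_text("<html>hello</html>")
    (base / "secret.txt").write_text("outside the web root")
    requests = ["index.html", "sub/../index.html", "../secret.txt",
                "..%2Fsecret.txt", "%2e%2e/secret.txt"]
    return {r: resolve_under_root(webroot, r) is not None for r in requests}

if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request!r}: {'served' if allowed else 'rejected'}")
```

`sub/../index.html` is allowed because it resolves to a file inside the root; the decision is made on where the path ends up, not on what it looks like.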
- Improper error handling
Error messages can reveal implementation details that should never be exposed, giving an attacker clues about potential flaws.
Cookies are small text files or messages that a web server passes to the web browser when a site is accessed. A cookie can be thought of as an identity card. Cookies are created when you first visit a website, and on each later visit the browser passes the cookie back to the web server. This allows an individual's activity on the site to be tracked. A cookie consists of the following 7 components:
- Name of the cookie
- Value of the cookie
- Expiry of the cookie
- Need for a secure connection to use the cookie
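Splitting a Set-Cookie header into the components listed above, as an added example that is not part of the original text. It uses the standard library's `http.cookies.SimpleCookie` and two constructed headers, one without protective attributes and one hardened; the audit function reports what a tester would note for each cookie (the "need for a secure connection" component is the `Secure` flag).

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers: one as commonly seen, one hardened.
WEAK = "sessionid=abc123; Path=/"
HARDENED = ("sessionid=abc123; Path=/; Max-Age=3600; "
            "Secure; HttpOnly; SameSite=Strict")

def cookie_components(header):
    """Break a Set-Cookie header into name, value, expiry and flags."""
    jar = SimpleCookie()
    jar.load(header)
    components = []
    for name, morsel in jar.items():
        components.append({
            "name": name,
            "value": morsel.value,
            # Expiry is either an absolute date (Expires) or a lifetime (Max-Age);
            # with neither, the cookie lasts only for the browser session.
            "expiry": morsel["expires"] or morsel["max-age"] or "session",
            "secure": bool(morsel["secure"]),        # sent only over HTTPS
            "httponly": bool(morsel["httponly"]),    # hidden from page scripts
            "samesite": morsel.get("samesite", ""),  # cross-site sending policy
        })
    return components

def audit(header):
    """Return the findings a tester would report for each cookie in the header."""
    findings = []
    for c in cookie_components(header):
        if not c["secure"]:
            findings.append(f"{c['name']}: Secure flag missing")
        if not c["httponly"]:
            findings.append(f"{c['name']}: HttpOnly flag missing")
        if not c["samesite"]:
            findings.append(f"{c['name']}: SameSite attribute missing")
    return findings

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, cookie_components(header), audit(header) or "no findings")
```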
A honeypot is an information system designed to attract potential attackers who attempt to penetrate an organization's network. Honeypots are designed to mimic systems that an intruder would like to break into, while limiting the intruder's access to the rest of the network. Most honeypots are installed inside a firewall. A honeypot logs the attacker's access attempts and keystrokes. Thus a honeypot fools attackers by making them believe it is a legitimate system; they attack it without knowing that they are being observed.
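A minimal low-interaction honeypot of the kind described above, as an added example that is not from the original text: it listens on a loopback port, sends a decoy banner, and records each connection and whatever the client types, without providing any real service. The banner text and the simulated client interaction are constructed for the demonstration; a real deployment would write the log to a collector rather than keep it in memory.

```python
import socket
import socketserver
import threading
from datetime import datetime, timezone

class HoneypotHandler(socketserver.BaseRequestHandler):
    """Looks like a service to the client but only records what it does."""

    def handle(self):
        # Decoy banner (constructed hostname); nothing behind it is real.
        self.request.sendall(b"220 ftp.example.internal FTP server ready\r\n")
        self.request.settimeout(2)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""
        # Every connection is suspicious by definition: log source and input.
        self.server.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "peer": self.client_address[0],
            "input": data.decode("utf-8", "replace").strip(),
        })
        self.server.seen.set()

class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, address):
        super().__init__(address, HoneypotHandler)
        self.log = []
        self.seen = threading.Event()

def run_demo():
    """Start the honeypot, simulate one probing client, return banner and log."""
    server = Honeypot(("127.0.0.1", 0))    # port 0: the OS picks a free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # Constructed client interaction: read the banner, send one login command.
    with socket.create_connection(("127.0.0.1", port), timeout=2) as client:
        banner = client.recv(1024)
        client.sendall(b"USER admin\r\n")
    server.seen.wait(3)
    server.shutdown()
    server.server_close()
    return banner, list(server.log)

if __name__ == "__main__":
    banner, log = run_demo()
    print("banner sent:", banner.decode().strip())
    for entry in log:
        print(entry)
```

Because legitimate users have no reason to connect to the decoy, every entry in `log` is a detection event, which is what makes honeypot logs high-signal compared with logs of production services.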