Basics of Vulnerability Assessment and Penetration Testing
As the number of web and mobile applications increases, cyber attacks are increasing every day too. World statistics show that more than 70% of applications either have vulnerabilities that could be exploited by a hacker or, worse, have already been exploited. The resulting data losses are typically of two types: the data is either confidential to the organization or private to an individual. Either way, the loss results in reputational or monetary damage. This article explains a technical process that industries and organizations can adopt to protect their intellectual property. Its purpose is to provide comprehensive guidance on the topic, so that the process is incorporated into organizations correctly and yields better risk management.
For those who are new to VAPT, it is a technical assessment process for finding security bugs in a software program or a computer network. The network can be a LAN or WAN, while the software program can be an .exe running on a server or desktop, a web/cloud application or a mobile application. Before we get into the technical aspects of VAPT, let's look at a few of its benefits.
- Helps identify programming errors that can lead to cyber attacks
- Provides a methodical approach to risk management
- Secures IT networks from internal and external attacks
- Secures applications from business logic flaws
- Increases ROI on IT security
- Protects the organization from reputational and monetary losses
Why are systems vulnerable?
The reasons why systems are vulnerable mainly boil down to two causes: misconfigurations and incorrect programming practices. In networks, devices such as firewalls, routers, switches, servers and IPS systems are either misconfigured or, in some cases, not configured at all and thus run with default settings. As an example, almost all firewalls have a default built-in user account named “admin”. Typically its password is also set to “admin” by default, or to something even easier to guess. Taking servers as an example, installing a database server leaves us with an “sa” account that has a blank password. As for programming errors, user input taken from a web application form may be sent directly to a backend database server without being parsed, which can lead to a parameter manipulation attack or an SQL injection attack. As another example of a programming error, a web service could accept requests without performing adequate authentication, thus leaking data inadvertently. This shows that human errors result in vulnerable systems, which attackers can easily exploit to compromise data confidentiality, integrity and availability.
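The programming error described above, shown next to its fix, as an added example that is not part of the original article. The `accounts` table, its rows and all function names are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 120), ("bob", 75), ("carol", 300)])
    return db

def lookup_unsafe(db, owner):
    # Vulnerable: the form value is pasted into the SQL text, so the
    # database parses whatever the user typed as part of the statement.
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def is_valid_owner(owner):
    # Allow-list validation: reject anything that is not a plain account name.
    return re.fullmatch(r"[a-z0-9_]{1,32}", owner) is not None

def lookup_parameterized(db, owner):
    # Hardened: the value travels as a bound parameter and is always
    # treated as data, never as SQL syntax.
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed form input containing a quote
    print("unsafe, normal input :", lookup_unsafe(db, "alice"))
    print("unsafe, crafted input:", lookup_unsafe(db, crafted))
    print("validation accepts   :", is_valid_owner(crafted))
    print("parameterized        :", lookup_parameterized(db, crafted))
```

With the concatenated query the crafted value changes the meaning of the statement and every row comes back; with the bound parameter the same value is simply an account name that does not exist.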
What is Vulnerability Assessment?
A vulnerability assessment (VA) is a systematic technical approach to finding the security loopholes in a network or software system. VA is entirely a process of searching and finding, with the objective that none of the loopholes are missed. It primarily adopts a scanning approach, which is performed with tools as well as manually. The outcome of a VA process is a report showing all vulnerabilities, categorized by severity. This report is then used for the next step, which is penetration testing. VA is usually a non-intrusive process and can be carried out without jeopardizing the IT infrastructure or the application’s operations.
What is Penetration Testing?
A penetration test (PT) is a proof-of-concept approach to actually exploring and exploiting a vulnerability. This process confirms that the vulnerability really exists and further proves that exploiting it can result in significant damage to the application or network. The PT process is mostly intrusive and can actually cause damage to the systems, hence a lot of precaution needs to be taken before planning such a test. The outcome of a PT is typically evidence in the form of a screenshot or log that substantiates the finding and can be a useful aid in fixing it. In summary, below are the steps entailed in the VAPT process.
- Scan the network or application
- Search for security flaws
- Exploit the security flaws
- Prepare report
Difference between VA and PT
VA and PT differ from each other in two aspects. The VA process gives a horizontal map of the security posture of the network and application, while the PT process does a vertical deep dive into the findings. In other words, the VA process shows how big it is, while the PT shows how bad it is. There is one more subtle difference. Due to the nature of the work involved in each process, a VA can be carried out using automated tools, while a PT is, in almost all cases, a manual process. This is because PT essentially simulates what real hackers would do to your network or application. Refer to the diagrams showing the VAPT process for network and web applications.
While there are multiple tools available in the market, the tools below are well known for their presence and usability. Although these tools are mentioned as VAPT tools, most of them essentially provide VA only and leave the PT part to be done manually by the ethical hackers. There are a couple of tools that are genuinely powerful PT tools; those are marked as such in the list below.
- BurpSuite (PT)
- Metasploit (PT)
There are two important terms that an ethical hacker must know, especially while using tools: false positive and false negative.
A false positive is when a vulnerability does not actually exist but is reported. A false negative is when a vulnerability actually exists but is not reported. A false positive can be a nuisance that wastes an ethical hacker's time, whereas a false negative can be really dangerous, leaving a network or application susceptible while giving the illusion that everything is all right. It is observed that automated tools tend to exhibit false positives as well as false negatives. This brings us to the next important question: which method is better, automated VAPT or manual VAPT?
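To make the two terms concrete, and to show the severity-categorized report described in the VA section, here is an added example (not from the original article) that reconciles an automated scanner's findings with the findings confirmed by manual testing. All hosts, issue names and severities are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter

SEVERITY_ORDER = ["critical", "high", "medium", "low"]

# Constructed sample: (host, issue) -> severity, as reported by a scanner.
SCANNER_REPORT = {
    ("192.0.2.5", "default-admin-password"): "critical",
    ("192.0.2.5", "outdated-tls"): "medium",
    ("app.example.test", "sql-injection"): "high",
    ("app.example.test", "directory-listing"): "low",
}

# Constructed sample: findings that manual testing confirmed as real.
MANUALLY_CONFIRMED = {
    ("192.0.2.5", "default-admin-password"): "critical",
    ("app.example.test", "sql-injection"): "high",
    ("app.example.test", "unauthenticated-web-service"): "high",
}

def reconcile(scanner, confirmed):
    """Split findings into true positives, false positives, false negatives."""
    reported, real = set(scanner), set(confirmed)
    return {
        "true_positives": sorted(reported & real),
        "false_positives": sorted(reported - real),   # reported, not real
        "false_negatives": sorted(real - reported),   # real, never reported
    }

def scanner_accuracy(result):
    """Precision: share of reports that were real. Recall: share of real issues found."""
    tp = len(result["true_positives"])
    fp = len(result["false_positives"])
    fn = len(result["false_negatives"])
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall

def severity_summary(findings):
    """Count findings per severity, most severe first, as a VA report would."""
    counts = Counter(findings.values())
    return [(sev, counts[sev]) for sev in SEVERITY_ORDER if counts[sev]]

if __name__ == "__main__":
    result = reconcile(SCANNER_REPORT, MANUALLY_CONFIRMED)
    for kind, items in result.items():
        print(kind, items)
    print("precision, recall:", scanner_accuracy(result))
    print("confirmed by severity:", severity_summary(MANUALLY_CONFIRMED))
```

In this sample the scanner's two false positives cost review time, while its single false negative is a high-severity issue that only the manual test surfaced.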
Automated v/s Manual VAPT
The shortest answer is that manual VAPT is always better and is the widely chosen approach. This is because automated tools are based on simple logic that checks either for signatures or for behavior. To understand this, let's go to the basic difference between a software program and a human mind. Below are the steps a typical ethical hacker performs for a VAPT.
- Enumerates a vulnerability
- Performs an attack manually
- Analyzes the results of the attack
- Performs similar or different attacks based on previous findings
- Assimilates the results to create a customized attack
- Exploits further to see if there are more attacks possible
- Repeats above process for all vulnerabilities
Each network or application is different, resulting in a very wide range of vulnerability scenarios. From the above steps, it becomes clear that a lot of complexity is involved in VAPT, wherein the results of one test decide the actions of the next. This makes VAPT a process of cascaded intelligence, where you cannot predict the next step and also need to apply years of experience to reach a conclusion. No tool can do this, at least as of today, and hence it must be performed manually. An ethical hacker's job can be made less stressful by automating certain vulnerability assessment tasks; however, the proof-of-concept part of a penetration test mostly relies on manual ways of exploiting the loophole and gathering the required evidence. Below are the benefits of manual penetration testing, which prove the point.
- Mimics real life hackers
- Brings a great deal of accuracy to the results
- No false positives
- Provides evidence to replicate problems
- Helps in fixing product’s security design issues
VAPT is a methodical approach towards risk management. CISOs or IT heads should be strategic in incorporating VAPT into their budgets and risk governance processes. It should be a periodically executed process, and the frequency should depend upon the data confidentiality and risk impact. While there are multiple tools to perform vulnerability assessment, penetration testing is a manual process and should be handled by professional and highly experienced ethical hackers. This ensures real cyber security as opposed to an illusion of being secure.