What to look for in a vapt report

Vulnerability Assessment and Penetration Testing (VAPT)

Vulnerability Assessment and Penetration Testing (VAPT) are the security services that emphasis on identifying vulnerabilities in the network, server, web application and system infrastructure. Both the services serves a different purpose and are carried out to accomplish diverse however complimentary objectives.

Vulnerability Assessment (VA)

A Vulnerability Assessment is an automated review of network devices, servers, web applications and systems to identify key vulnerabilities and configuration issues that an attacker can exploit. VA is generally conducted within the network on internal devices and it can be carried out as often as every day.Vulnerability Assessment is the answer to question "What is the potential weakness on my network?"

Penetration Testing (PT)

A Penetration Test is an in-depth expert-driven activity focused on identifying various possible paths an attacker could use to break into the network. In-addition with the vulnerabilities it also identifies the potential damage and further compromise an attacker could carry out once they are past the perimeter of security. Penetration Testing is the answer of question "What can be a possible path an attacker can use to exploit the vulnerability?"

Vulnerability Assessment and Penetration testing Process :

Goals and objectives

This is where we define the Goals and Objectives of Vulnerability assessment & Penetration Testing.
Scope: We need to clearly define the scope of assignment while performing the tests and assessments. There are three possible scopes that exists :

  • Black Box Testing: When you don't have any prior knowledge of the internal network and system and you are testing from any external network. No code examination is done here, only you have the high level inputs such as URL by which you penetrate into the network.
  • Grey Box Testing: It's the combination of both black box testing and white box testing. We test from either the external or internal network with the knowledge of internal network and system.
  • White Box Testing: It's also known as internal testing. Testing within the internal network with the prior information of the internal network. Here the tester has the complete details about the target like IP addresses, operating systems, systems, network, and source code. In this test the code examination is done to find the design and developmental errors.

Information Gathering

Collecting as much information about the IT environment like networks, IP addresses, operating system versions, etc. it's applicable to all the types of scope defined above.

Vulnerability Detection

In this phase scanners com e into account. Vulnerability scanners such as Nessus, OpenVas, and Nmap etc. are used for scanning the network and IT environment for vulnerabilities.

Information Analysis and planning

Analysis of the identified vulnerabilities in the above process and device the plan to penetrate into the network and system.

How should we define the scope for a Vulnerability Assessment & Penetration Testing (VAPT)?

The scope for each audit depends on the specific company, industry, compliance and standards they follow, etc. However, the following are some general guidelines that you should consider:

  • All the devices with an IP address should be considered for a VAPT activity
  • Penetration Testing should focus on your organizations external parameters (IP Addresses, Offices, People, etc)
  • Vulnerability Assessment should focus on your internal infrastructure (servers, databases, switches, routers, desktops, firewalls, laptops, etc.)

Need of Vulnerability Assessment & Penetration Testing (VAPT)?

Cyber-attacks and threats are a real-world problem nowadays with thousands of networks and websites being compromised every day. Some of the normal reasons of why to conduct a Vulnerability Assessment & Penetration Testing (VAPT) are as follows:

  • Compliance - An extensive number of industry standards and regulation have included Vulnerability Assessment and Penetration Testing (VAPT) as an obligatory prerequisite
  • Customer needs - It is getting to be regular practice today for clients to ask for Security Certifications from their partners or venders.
  • Security validation - Vulnerability Assessment & Penetration Testing (VAPT) helps validate your security controls and measures against real-world attacks.
  • Best-practice & security of Data - As attackers scale and threats advance, there is a need within organizations to conduct security audits in a timely manner to protect their data and systems from evolving threats.
  • Prevention from zero day Attacks: A zero day vulnerability is a computer software vulnerability that is unknown to everyone and hackers target the unknown vulnerabilities and exploit the network before the developers or those who mitigates has the opportunity to create a patch to fix the vulnerability. So VAPT audits can help an organization to identify the hidden vulnerability in the network and system.

Compliance standards or certifications for Vulnerability Assessment & Penetration Testing (VAPT)?

Vulnerability Assessment & Penetration Testing (VAPT) are largely mandated across various industries and sectors. There are a wide-range of compliance standards that need such audits to be carried out periodically. Some of the well-known standards are:

  • ISO 27002 / ISO 27001 (ISMS Requirement and implementation)
  • PCI DSS - Payment Card Industry Data Security Standard
  • SOX - Sarbans-Oxley Act
  • HIPAA - Health Insurance Portability and Accountability Act
  • TRAI - Telecom Regulatory Authority of India
  • DOT - Department of Telecommunication
  • CERT-In - Cyber Emergency Response Team of India
  • GLBA - The Gramm-Leach-Bliley Act
  • FISMA - The Federal Information Security Management Act
  • NIST - National Institute of Standards and Technology
  • SAS 70 - Statement on Auditing Standards
  • COBIT - Control Objectives for Information and Related Technology

Vulnerability Assessment & Penetration Testing (VAPT) Results?

Vulnerability Assessment & Penetration Testing (VAPT) activity results in the following :

Executive Report: A high level overview of the activity conducted, summary of issues identified, risk scores and action items. It should be something that even a non-technical reader can review and gain insight into the security concerns highlighted in the report. While IT staffers may need all the technical details, executives are not required to understand the technology. They need to recognize business risk, something a good executive summary will effectively convey. It is vital that business leaders understand what's at stake to make informed decisions for their companies, and the executive summary is essential to delivering that understanding.

Technical Report : It's a detailed report that explains each issue identified, step-by-step POCs for each issue, code and configuration examples to fix the issue and reference links for further details. Most reports use some sort of rating system for example (CVSS Score) to measure the criticality of risk, but seldom do they take the time to explain the risk. The client's IT department needs to make instant, impactful decisions on how best to resolve vulnerabilities. To do so, they require approval from the executives. To just state that something is risky does not really means risk all the time. We also need to understand the false positives.

Potential impact of vulnerability: Risk can be calculated based on these four factors: Value of asset, Potential Vulnerability, Potential impact of vulnerability on business(Threat impact) and likelihood or occurrence. Likelihood is standard in most assessment reports. Of course, the odds of an exploitation, though important aren't sufficient to define risk. You wouldn't rank a deep-rooted remote code execution lesser than an email address of a developer clearly present in an HTML script. This is because the first would be more impactful to the client. An assessment report isn't only for the IT staff. Administrators need to see a separate of how vulnerability would straightforwardly influence their organization specifically. Calculating both the likelihood and potential impact of an exploitation into the overall risk is a noteworthy part in an excellent report.

Web Security : Web Exploitation Fixation , What to look for in a vapt report

Multiple Vulnerability Remediation Options: Most pentest reports will incorporate a conventional, high level description of how to deal with these issues; however, these generic "catch-all" remediation guides often fall short when it comes to the unique context of the customer's needs. If a client has a vulnerable service running on a webserver that they rely on, the remediation should offer more than just telling them to disable the service altogether. Of course, it's important to let the client know that to block certain attacks, there's a straightforward method of filtering for SQL injections, XSS, or configuring their firewall. That said, a quality pentest report will give you multiple remediation options that are detailed enough to prepare the client's IT team for an immediate resolution. Assuming the internal staff already recognizes how to remediate all vulnerabilities significantly, reduces the value of the pentesting.

Pentesting Services

The scope of pentesting services depends on the kind of operation you wish to explore on the target system. So depending on the target system, the security tester has to decide the type of pentesting services. The pentesting services can be divided into the following category:

Web Security : Web Exploitation Fixation , What to look for in a vapt report

Network Services Tests Network Pentesting is one of the major requirements for the pen testers. It aims to discover the vulnerabilities in your network devices, hosts and system. Now the network can have both internal and external access points, so it's very important to test the network internally as well as remotely from outside the network to identify the weak spots. The tester needs to target the various network areas in their pen testing including firewall configuration tests, stateful firewall analysis, firewall bypassing tests, IDS, IPS deception, router configuration. There are a set of software modules which the penetration testers should cover such as: SSH client/server test, Network databases like MySQL/SQL servers, SMTP mail servers, FTP client/server tests, etc.

Web Application Tests With the increase of threats related to web application exploitation, there is a need of testing the web application on the regular basis, it needs systematic planning and time investment. It works by using the automated tools such as Nessus to identify the potential vulnerabilities, security flaw in the web application and its components (Source code, databases, backend network) which helps in prioritization of the identified vulnerabilities and threats to find the possible ways to mitigate them.

Client side Tests The client side tests are performed to keep a check on the security threats that can emerge locally. For Example, There may be various applications or programs running on the system of the client that contains the vulnerabilities that an attacker can exploit. It might be the adobe Photoshop or MS word or Browsers like Firefox, Chrome, and Safari that can be the medium for the attackers to exploit the whole network. So tests should be conducted to find such flaws in a continuous manner.

Wireless Network Tests Wireless Network tests aims to analyze the wireless devices deployed on the client site for example tablets, iPods, Notebooks etc. It also includes testing the various protocols used for configuring the wireless devices and the access points for wireless setups which enables to identify the weak spot of the devices as well as the helps in identification of the ones violating the access rights. These kinds of tests take place at the customer end.

Social Engineering tests These types of tests are essential part of the pentesting. It finds the way to verify the Human Network of an organization. Now this Social Engineering test can be divided into further two categories: Remote testing: Social engineering like phishing can trick the employee to compromise the very vital and confidential information of an organization. So, tester could conduct such an attack by sending the phishing Emails.

Physical Tests: This type of test requires direct contact with the employee to retrieve the confidential information of the company. It requires the human handling techniques like imitation, intimidation and Vishing (tricking someone to retrieve the vital information via phone). Note: tester must inform the employer before conducting any social engineering tests.

Conclusion: A penetration test is very important for any organization who takes cyber security seriously. It's a proactive approach to maintaining high level of security and protection from the hackers out there because if a penetration tester can exploit the vulnerability and can compromise your network then a real hacker can too. As we have heard of the famous wannacry ransomware attack that affected over 2 lakh computers globally and demanded ransom payments in the form of bit coins to unlock the systems. This attack has affected many big organizations. With such massive cyber-attacks happening these days, it has become very important to do the penetration testing on the regular intervals to keep our information system protected against security breaches.