Sunday, December 20, 2020

Vulnerability Assessment vs. Penetration Test

It is all about Vulnerabilities. 

So, what is a vulnerability? It is a weakness in an information system, its security procedures, internal controls, system design, implementation, or configuration/setup that raises risk and leaves the system open to being exploited or triggered by a threat actor.

As Window Snyder, Chief Security Officer at Square, Inc., said: "One single vulnerability is all an attacker needs."

To find this vulnerability we need to search for it, and to search for it we need to test the system from a security perspective. So, Security Testing identifies the threats to or within the system and measures its potential vulnerabilities ("weaknesses") so that these threats and vulnerabilities can be remediated to reduce the risk. In other words, security tests identify all possible loopholes and weaknesses of the system that might result in a loss of information, revenue, or reputation at the hands of employees or outsiders of the organization.

There is a considerable amount of confusion in the industry regarding the differences between Vulnerability Scanning/Assessment (VA) and Penetration Testing (Pentest), as the two phrases are commonly interchanged. However, their meaning and implications are different. 

A Vulnerability Assessment simply identifies and reports known vulnerabilities, whereas a Penetration Test (Pentest) identifies known and unknown vulnerabilities and attempts to exploit them to determine whether unauthorized access or other malicious activity is possible. I will not rely on these definitions alone; I will elaborate on them later in this article. But to start, we need at least a simple definition of these two essential tests in Information Security.

Before explaining the definitions of these tests, I would like to explain why I prefer to begin the article with the Vulnerability Assessment and then move to the Penetration Test.

Vulnerability Assessment is a standalone exercise and also one of the fundamental phases of Penetration Testing. So, starting with Vulnerability Assessment will save us some time by not repeating the same definition when we reach it in the Penetration Test.

What is Vulnerability Assessment (VA)? 

Many organizations undertake vulnerability assessments to tick a box, usually for compliance. This is a wrong understanding of a very very very important and cornerstone exercise in Information Security !!! Imagine a thief performing reconnaissance and identifying a back entrance to your house, but not entering, while you don't know about that back entrance. Isn't that scary, since he/she may use it to harm you somehow? So, you should be alerted and close this entrance.

Vulnerability Assessment is a scan that follows a process of identifying, quantifying, and prioritizing (or ranking) the severity of the vulnerabilities in a system based on known vulnerabilities. It uses an automated tool to check whether the systems have vulnerabilities.

These tools depend on known vulnerabilities retrieved from vulnerability databases like OSVDB, NVD, etc., which are updated frequently with the latest vulnerabilities.

The results of the scan will show how an application, website, server, or other system is vulnerable, but the scan does not exploit it.

This exercise is not fully automated: it needs the involvement of an InfoSec expert to analyze the resulting report and then filter out the false positives based on the research he/she performs and his/her experience. Moreover, filtering and sorting the results of the report has to be based on business criticality, because not all vulnerabilities will be patched as soon as the report is released. In the last stage, a final report is shared with the concerned team, such as the System Administrators or Network Administrators, so they can work on remediating the vulnerabilities. Just to mention that this is also one of the main phases performed by adversaries ("hackers") while they are planning to attack you.

Performing a Vulnerability Assessment on your organization's systems, servers, and applications frequently is recommended. This exercise must be scheduled at least every month, or more often on critical business systems. It is also recommended on newly implemented applications, servers, and systems before launching them.

The article "Vulnerability Management (VM) vs. System Admins. It is a challenge !!!" explains more about the implementation of Vulnerability Assessment and Vulnerability Management in the organization.

What is the Penetration Test (Pentest)? 

Penetration testing is a monitoring control that periodically checks the efficiency of the vulnerability management process. If vulnerability management is done right, penetration testing should turn out to be a “blank report”. Which is not easy!!!

Penetration testing is a method of identifying and testing vulnerabilities or gaps in IT security (systems or networks or applications) that could be exploited in external or internal organization infrastructure or applications, leaving your business at greater risk. A penetration test usually begins with an automated vulnerability scan but goes into far more depth. In our thief scenario, this time they are checking for a back entrance and then actually entering the building.

This testing, which many people might consider ‘hacking’, is a systematic examination of an organization's applications, networks, or systems undertaken by qualified, experienced security experts (consultants) who have been given permission to exploit the vulnerabilities and misconfigurations they find to determine their potential impact. The consultant works to a defined test methodology to enter the network through the identified gaps (hence the term ‘penetration’), using their knowledge, open source information, and a range of tools.

Once vulnerabilities have been identified and tested in your systems and networks, the consultants provide expert advice on strengthening your defenses and remediating the findings by issuing a comprehensive report about the full pentest exercise.

Penetration testing is not enough by itself, because it is an exercise that consumes time and effort and therefore takes longer than a Vulnerability Assessment. So, for the organization, as in highly regulated industries, a penetration testing frequency of once or twice a year will be enough. Just to mention in this part that penetration testing can be done on newly developed and implemented applications or systems before or after they go live. But that will not replace the application security review testing phase on newly developed applications or systems, which needs to be performed as part of the application or system project's test phase.

Going through all security tests would take longer and would make this article boring. The purpose of this article is to explain the difference between VA (Vulnerability Assessment) and PT (Pentest) only.


By Abdulla Abusaif, CISSP, GMON, PMP, CEH, Security


Friday, January 26, 2018

Information Security in Organization Structure (CISO)

In this article, I will introduce the concept of Information Security (InfoSec) as an independent section or department in the organization. I will start from the beginning by explaining what information is, and what information means in the organization, until we reach a point where we can differentiate between Information Technology (IT) and Information Security (InfoSec), which are related terms and also related departments in the organization. But they should be two independent departments in the organization.

Just to mention at the beginning that the purpose of this article is not to reduce the importance of IT in the organization, but to clarify that IT is a department that handles an important part of the organization's strategy and goals, and InfoSec handles another important part of the organization's strategy and goals.

It is better to start by explaining what information is. It is something that people can learn, know about, or understand. For example, a book contains information about some subject. This information is important to the book because without it the book would be meaningless. Another definition of information, from a technical perspective (from the TechTarget website): information is stimuli that have meaning in some context for its receiver. When information is entered into and stored in a computer, it is generally referred to as data. After processing (such as formatting and printing), output data can again be perceived as information. But information can also be physical, not only digital.

Information is an asset to any organization, or we can say it is the main asset of the organization. So, after the evolution of the computer and its use in the enterprise, information mostly moved from physical use to digital use, and all processing and operations are performed using systems and software. Here we can say the IT department started, and as old-timers in this area know, this section was a very small section under another department not related to IT, such as accounting, because it mainly handled data entry to mainframes and it used to be 2 to 3 employees. With the growth of technology use and the increasing demand for technology in the enterprise, the IT department became a standalone department in the organization, and at that time the main focus of the IT department was the performance of entering the data and processing it the correct way. As you can see these days, the IT department is one of the main departments in many organizations and it contains multiple sections under it like Infrastructure, Support, Development, and sometimes Projects.

Nowadays, with the increasing use of digital technology and organizations depending on technology in day-to-day operations, a new demand comes onto the horizon, which is securing the information in the systems. Securing does not only mean preventing this information from being exposed to hackers or leaked, but balanced protection of the Confidentiality, Integrity, and Availability (CIA) triad, which is the main target and purpose of the InfoSec department in the organization.

Information Technology (IT) Department roles and responsibilities in the organization:

IT is a department within a company that is charged with establishing, monitoring, and maintaining information technology systems and services. The IT organization is typically managed by a Chief Information Officer (CIO) or IT Director. Roles and responsibilities may be explained in different ways, but I chose the brief explanation below (taken from an external reference).
  • Governance refers to the implementation of operational parameters for working units and individuals' use of IT systems, architecture, and networks. The governance of the master data is based on workflow processes that integrate business rules and subject matter domain expertise. This is part of the conventional IT security as well as the data assurance for which the IT department is also responsible.
  • Infrastructure refers to the hardware components, the network, the circuitry, and all other equipment necessary to make an IT system function according to the established needs and system "size" of the company.
  • Functionality is perhaps the most apparent task performed by the IT department. It refers to creating and maintaining operational applications; developing, securing, and storing electronic data that belongs to the organization; and assisting in the use of software and data management to all functional areas of the organization.

Information Security (InfoSec) Department roles and responsibilities in the organization:

Instead of waiting for a data breach or security incident, the CISO is tasked with anticipating new threats and actively working to prevent them from occurring. The CISO must work with other executives across different departments to ensure that security systems are working smoothly to reduce the organization's operational risks in the face of a security attack. The CISO's responsibilities include:

  • Conducting employee security awareness training,
  • Developing secure business and communication practices,
  • Identifying security objectives and metrics,
  • Choosing and purchasing security products from vendors,
  • Ensuring that the company is in regulatory compliance with the rules of relevant bodies,
  • Enforcing adherence to security practices,
  • Ensuring the company's data privacy is secure,
  • Managing the Computer Security Incident Response Team and conducting electronic discovery and digital forensic investigations.


Finally, the main purpose of writing this article is to express my opinion and to show that the InfoSec team deserves to be an independent department with standalone roles and responsibilities, led by a Chief Information Security Officer. Maybe currently a lot of CEOs don't see this, but soon it will be the practice.

Friday, August 18, 2017

Password family !!! Simple solution for password management.

Passwords are the weakest and most popular factor of authentication for accessing websites and systems. Nowadays all systems demand specific criteria for setting the password, for example password complexity: it should include capital letters, small letters, special characters, and numbers. Also, it should expire after a specific period of time, for example 60 or 90 days. Moreover, password history is used to prevent reusing a password that was already used. And more criteria that make the user's life difficult with passwords.

These rules and restrictions make users abuse the password, for example by using the same password in all accounts belonging to them, or writing the password down somewhere so they can come back to it when they need it. In that way, they make the attacker's job much easier, and by compromising one password the attacker will have access to all your accounts.

How is a password hacked? Different techniques are available. The most effective technique used currently is social engineering, which tries to hack the user himself by sending a phishing email or shoulder surfing the user to see the password while they type it. Another technique is brute force, which tries all possibilities of the password until the correct password matches. For example, if the password used for your Wi-Fi router at home is 11223344, it takes a couple of minutes to break it, and then the password will be available to the attacker, who can enjoy using your internet access for free !!!

One of the best solutions to this issue is to use a long password or passphrase. But this raises a problem for the user, because it will be hard for them to remember all of these passwords (password management).

So, how do you make a long password for all the systems you have access to without writing it somewhere and making it vulnerable to hacking ??? Using the Password Family technique, which I will explain in this article, and I hope this concept will solve a big problem facing a wide range of users.

As we explained previously, passwords should include capital letters, small letters, numbers, and special characters. So, we work on one password containing two parts: a fixed part, which is a long and complex passphrase, and attached to it a variable part that helps you differentiate between the password of each account you have.

The fixed part in the password family technique can be at the beginning of the password, in the middle, or at the end, and the same applies to the variable part.

We will explain the concept through an example.

The first step is to work on a fixed part for your password family. Here we chose this phrase to be the fixed part of the password family: HeLL0#AhM3d_@4_. As you can see, it is a long phrase containing 15 characters and it includes all complexity requirements. Checking the strength of this password gives 100% strong; refer to the site The Password Meter to check the strength. It will need 16 Billion years to crack it; refer to the How strong is my password? site to check it.

You need to always memorize the fixed part and never forget it, because it will be the basis of your password family. DON'T share it with anybody or write it anywhere. It should be in your mind only. If it is compromised you have to reinitiate your password family again and change all your passwords used within this password family.

The second step is to decide where to use the fixed part: either at the beginning of the password, in the middle, or at the end. In this example, we chose the beginning.

Now you need to create an account in Gmail and you need to enter your password. Hence, use the fixed part of your password and add to it the variable part, which you decide at the time of creating the account; try to choose a phrase related to that account. In this example it is Gmail, therefore the variable part can be gMail (note that I chose the second character to be a capital letter just to add more strength to the password; it can be all small letters). Consequently, your Gmail account password will be:

 gMailHeLL0#AhM3d_@4_

The final password needs 43 QUINTILLION YEARS to crack it. Which is what we need...

In this way, you can create all your passwords and you only need to memorize the fixed part of your password.

We will create another password to clarify the concept more. You want to create an account on Netflix and you need to create a new password. Your fixed part is ready and you have already memorized it. So, we need to work on the variable part, which in this case can be: neTflix.

Your password for the Netflix account is:

neTflixHeLL0#AhM3d_@4_

This password needs 252 SEXTILLION YEARS to crack it.

To overcome the problem of password expiry, add an extension to the password like _1.

And so on you can build your password family and create strong passwords without the need to write them down and expose them to hackers.
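The password family steps above as a worked example (added here, not the article's own code): it composes the Gmail and Netflix passwords from the article's fixed part, applies the complexity, expiry and history rules listed at the start of the post, and shows that two family passwords share the fixed part, which is why a compromised fixed part means re-initiating the whole family. The minimum length of 12, the function names and the sample history are assumptions.

```python
"""Password family: one memorized fixed part plus a per-account variable part, placed at
the start, middle or end, with an optional expiry extension, plus a check of the
complexity rules the article lists. Added example, not the article's code."""
import re

FIXED_PART = "HeLL0#AhM3d_@4_"  # the article's example fixed part (15 characters)

def family_password(fixed, variable, fixed_position="end", extension=""):
    """Compose one family member. fixed_position says where the fixed part goes;
    the article's Gmail/Netflix examples put the variable part first ("end")."""
    if fixed_position == "start":
        body = fixed + variable
    elif fixed_position == "end":
        body = variable + fixed
    elif fixed_position == "middle":
        half = len(variable) // 2
        body = variable[:half] + fixed + variable[half:]
    else:
        raise ValueError("fixed_position must be start, middle or end")
    return body + extension  # an extension such as "_1" handles the expiry rule

def meets_policy(password, min_length=12, history=()):
    """Check the rules listed above: capitals, small letters, numbers, special characters,
    a minimum length (12 is an assumed value) and no reuse of a password in the history."""
    checks = {
        "length": len(password) >= min_length,
        "upper": re.search(r"[A-Z]", password) is not None,
        "lower": re.search(r"[a-z]", password) is not None,
        "digit": re.search(r"[0-9]", password) is not None,
        "special": re.search(r"[^A-Za-z0-9]", password) is not None,
        "not_reused": password not in history,
    }
    return all(checks.values()), checks

def shared_part(p1, p2):
    """Longest common substring of two family passwords. For the article's examples this
    is exactly the fixed part: the fixed part is visible in every member of the family."""
    best, best_end = 0, 0
    prev = [0] * (len(p2) + 1)
    for i in range(1, len(p1) + 1):
        cur = [0] * (len(p2) + 1)
        for j in range(1, len(p2) + 1):
            if p1[i - 1] == p2[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best, best_end = cur[j], i
        prev = cur
    return p1[best_end - best:best_end]
```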

By Abdulla Abusaif, CISSP, PMP, CEH

Friday, July 21, 2017

Vulnerability Management (VM) vs. System Admins. It is a challenge !!!

I was facing a problem in arranging my thoughts on how to manage the vulnerability scan results of the servers and other equipment on my network. I wrote this article to bring the results of the research I performed in this field to help others manage vulnerabilities and resolve them as soon as possible, because the main factor in vulnerability management is time: the sooner you resolve them, the sooner you will be secure.
Vulnerability assessment (VA) is part of the vulnerability management (VM) tasks that the security professional performs on a regular basis. The first step in any VM task is to discover your network and find all the assets you have, in order to assess the vulnerabilities on them. So, you need a tool to map and discover your network, and run it. Keep in mind to perform the discovery scan on a frequent basis to keep your asset list up to date. The second step is to review the results and group the assets based on the operating system the assets run. The method I used to group the assets is:
    • Windows OS.  
    • Linux and Unix ( I used generally Unix)  
    • Network equipment  
This grouping will help in running the vulnerability assessment on a schedule at frequent periods. For example, the Windows group can be scheduled on the first Friday of the month to scan all Windows assets, the second group on the second Friday of the month, and so on. It is better to choose the scan time on the weekend to avoid the overhead on the network and to review and analyze the results on the first working day of the week. Always review your discovery and grouping results with the admins of each group to help make the grouping more accurate.
Once the results of the vulnerability scan are ready, you can start the next stage, which is reporting. It is always better to filter the most critical, high-severity vulnerabilities as the first step to resolve with the admins. So, I recommend structuring the vulnerability management task to start with reports showing high-severity exploitable vulnerabilities to be resolved. That makes the task easier to manage and to track by the admins and the security professional working on it. Then, as the second stage of reporting, produce reports with the remaining lower-severity vulnerabilities.
For reporting, it is recommended to group the assets based on the application/solution running on the assets/servers, for example a Domain Controllers group, an Exchange group, etc. Grouping based on application/solution makes the task much easier for the admins to patch the servers and test the patch, because the main problem for the admins is testing the patches needed to resolve the vulnerabilities, which often cause problems with the application running on these servers, like compatibility issues.
Reporting the vulnerabilities can be divided into two categories: admin reports and management reports. Admin reports are more technical, detailed reports that show the server details with the vulnerabilities related to them. An admin report contains only the relevant information the admin needs, to avoid confusion, and it can list all the vulnerabilities with a brief description of each vulnerability and its solution, usually mentioning the configuration or patch that needs to be applied to resolve it. On the other hand, the management report should show the total vulnerabilities of all servers in a graphical and summary-count view that explains the status of the vulnerabilities in the organization's network. Finally, share the high-severity exploitable vulnerabilities reports with the concerned persons.
At this stage, the security professional has created the structure of the vulnerability management task in a way that can be tracked with the related admins, and they have to start the follow-up and SLA stage to resolve the vulnerabilities as soon as possible. This task can be performed using an Excel sheet or a dedicated solution to track the resolved vulnerabilities.
Finally, vulnerability management is a task that must be accomplished on a frequent basis. Monthly is a good frequency to give time to resolve the vulnerabilities.
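The reporting structure described in this post (and the false-positive filtering and business-criticality sorting described in the Vulnerability Assessment vs. Penetration Test post above) as a worked example. This is added code, not the author's: the scan rows are constructed, and all field names, the severity/criticality scales and the function names are assumptions.

```python
"""Vulnerability-management triage following the steps above: drop reviewed false positives,
report high-severity exploitable findings first (ordered by business criticality), build
per-application admin reports and a management summary, and compute each group's scan Friday."""
import calendar
from collections import Counter, defaultdict

# Constructed scan output (not from any real scanner); all field names are assumptions.
SCAN_RESULTS = [
    {"host": "dc01", "os": "Windows", "app": "Domain Controllers", "severity": "High",
     "exploitable": True, "false_positive": False, "criticality": "High",
     "title": "Missing OS security update", "solution": "Apply the vendor patch"},
    {"host": "dc02", "os": "Windows", "app": "Domain Controllers", "severity": "Medium",
     "exploitable": False, "false_positive": False, "criticality": "High",
     "title": "SMB signing not required", "solution": "Require SMB signing via GPO"},
    {"host": "mail01", "os": "Windows", "app": "Exchange", "severity": "High",
     "exploitable": True, "false_positive": False, "criticality": "Medium",
     "title": "Outdated mail server build", "solution": "Install the cumulative update"},
    {"host": "web01", "os": "Unix", "app": "Web Portal", "severity": "High",
     "exploitable": True, "false_positive": True, "criticality": "Medium",
     "title": "Banner reports an old version", "solution": "Backported fix already present"},
]

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
CRITICALITY_RANK = {"High": 0, "Medium": 1, "Low": 2}
OS_SCAN_WEEK = {"Windows": 1, "Unix": 2, "Network": 3}  # nth Friday of the month

def confirmed(findings):
    """Keep only findings the analyst did not mark as false positives after review."""
    return [f for f in findings if not f["false_positive"]]

def _order(f):
    """Sort key: business criticality first, then severity, then host name."""
    return (CRITICALITY_RANK[f["criticality"]], SEVERITY_RANK[f["severity"]], f["host"])

def stage_one(findings):
    """First reporting stage: high (or worse) severity AND exploitable."""
    hot = [f for f in confirmed(findings)
           if SEVERITY_RANK[f["severity"]] <= SEVERITY_RANK["High"] and f["exploitable"]]
    return sorted(hot, key=_order)

def stage_two(findings):
    """Second reporting stage: everything that remains after stage one."""
    first = {(f["host"], f["title"]) for f in stage_one(findings)}
    rest = [f for f in confirmed(findings) if (f["host"], f["title"]) not in first]
    return sorted(rest, key=_order)

def admin_reports(findings):
    """Per application/solution group, only the fields an admin needs in order to act."""
    groups = defaultdict(list)
    for f in confirmed(findings):
        groups[f["app"]].append({"host": f["host"], "severity": f["severity"],
                                 "finding": f["title"], "solution": f["solution"]})
    return dict(groups)

def management_summary(findings):
    """Totals for the management report: counts by severity and by OS group."""
    live = confirmed(findings)
    return {"total": len(live), "high_exploitable": len(stage_one(findings)),
            "by_severity": dict(Counter(f["severity"] for f in live)),
            "by_os": dict(Counter(f["os"] for f in live))}

def scan_date(year, month, os_group):
    """Scan Friday for the OS group: Windows 1st Friday, Unix 2nd, Network 3rd."""
    fridays = [d for d in calendar.Calendar().itermonthdates(year, month)
               if d.month == month and d.weekday() == calendar.FRIDAY]
    return fridays[OS_SCAN_WEEK[os_group] - 1]
```

The stage-one list is what goes to the admins first, with the SLA follow-up tracked against its (host, finding) pairs; the summary dict is what the management chart is drawn from.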

By Abdulla Abusaif, CISSP, PMP 
