Your Cause. October 05, Technical Summary. External Vulnerability Assessment. Your Cause External

Transcription

1 Your Cause Technical Summary External Vulnerability Assessment Your Cause External October 05, 2015 Robert Gorski Sr. Security Consultant

2 Confidential The conclusions and recommendations in this report represent the opinions of Pivot Point Security. Determinations of appropriate corrective action(s) are the responsibility of the entity receiving the report This report and/or any other materials furnished by Pivot Point Security in connection with this engagement is confidential and may not be duplicated, modified or otherwise reproduced and distributed without the express prior written consent of Pivot Point Security or Your Cause. Because this work may contain copyrighted images or other material, permission from the copyright holder may also be necessary if you wish to reproduce. Confidential File For Your Cause Page 2

3 Table Of Contents Executive Summary Scope Of Engagement 4 Test Details Testing Scope 5 Testing Approach 6 Engagement Approach 7 Testing Tools 8 Technical Summary Relative Security View 9 Host Relative View 10 Concerned Hosts 11 "Significant" Vulnerabilities 12 "Frequent" Vulnerabilities 13 Vulnerability/Risk per Service 14 Time View 15 Time View and Age 16 Vulnerability/Risk as a Function of Age 17 New Hosts 18 Missing Hosts 19 Confidential File For Your Cause Page 3

4 Executive Summary Scope of Engagement Pivot Point Security (PPS) was engaged by Your Cause to conduct a network vulnerability assessment against its external Information Technology infrastructure. The objective of the test was to identify any information system vulnerabilities that may allow levels of un-intended access. The results of this test were also intended to achieve Your Cause s requirement for third party attestation of their information security posture. Your Cause determined that the services PPS defines as a Tier 2 Assess level External Vulnerability Assessment would best achieve their requirements. The assessment was conducted on Tuesday, September 15, Details relevant to interpreting this report (e.g., scope, testing posture, approach, limitations) are included in the "Technical Summary" report. This report is also accompanied by a "Results Details" spreadsheet that includes the vulnerability details that this report summarizes. Scoring Methodology It is important to note that PPS utilizes the Common Vulnerability Scoring System, an open trusted framework that standardizes vulnerability reporting across all major software and hardware platforms. This provides a consistent view of your vulnerability level independent of the company and tools being used to perform the assessment. Confidential File For Your Cause Page 4

5 Executive Summary Testing Scope Our testing was limited to the following hosts/subnets: , , , , , , Our testing is limited to the 7 devices that we identified during this testing. For reference, Your Cause indicated that we should have expected to see 7 devices during our testing. Your Cause should review the detailed device list in our vulnerability spreadsheet to ensure that it includes all relevant hosts. The assessment was conducted from the perspective of a malicious individual with limited knowledge of Your Cause s infrastructure except that which can be determined by normal malicious reconnaissance. This assessment included: Technical foot-printing leveraging leading Vulnerability Assessment tools from a single perspective on the public Internet Confidential File For Your Cause Page 5

6 Executive Summary Limitations Our testing was only limited by the rules of engagement associated with the specific test that we were engaged for: No limitations were encountered. Testing Approach Our proven PPS Vulnerability Assessment/Penetration Testing Methodology (illustrated below) is derived from best practices including OSSTMM, CREST, PTES, and our dozen plus years of experience. We have also scaled the methodology to account for differing risks and preferred engagement modalities to ensure that we can provide the right testing and assurance at the right cost. Confidential File For Your Cause Page 6

7 Executive Summary Engagement Approach PPS was engaged to conduct a vulnerability assessment. As the relative level of assurance that vulnerability assessment tests provide varies by business and technical context, we provide a relative level of assurance for the selected options for each engagement process. 1. Scope Definition Posture: White/White *** Perspective(s): Internet & Internet Whitelisted ***** Objective: Security Validation (Moderate Risk) *** Target: Public Facing Systems Pivoting: No* Sampling: No***** DoS: No*** 2. Reconnaissance Deep Internet Reconnaissance: No * Discovery: Client provided list** Enumeration: IPV4 Network Services (full TCP/UDP)*** 3. Vulnerability Detection Vulnerability Scanning: Nessus (safe checks) **** Vulnerability Validation: Limited (critical only)** Analysis/Planning: Milton Targeting based on CVSS Exploitability *** 4. Exploitation Automated Exploitation: Metasploit Professional (Moderate) *** Manual Exploitation: Limited (CVSS > 7.5 only) *** Exploit Mechanisms: Known-Good *** Privilege Escalation: No * Pivoting: No * 5. Reporting & Remediation Reporting Mechanism: Web Based & Formal Report QA: Technical & Business (& client feedback) Vulnerability Coverage: Yes***** Risk Coverage: No*** Impact Coverage: No* Read-Out Meeting: Yes*** Remediation Support: Limited** Confidential File For Your Cause Page 7

8 Executive Summary Testing Tools PPS leverages a Linux based system specifically designed/equipped for digital forensics and penetration testing. The system is equipped with dozens of open source and commercial penetration testing programs (e.g., nmap, Wireshark, and Aircrack-ng). PPS leverages the following tools extensively during network penetration tests of this nature: Nessus Professional (licensed) Confidential File For Your Cause Page 8

9 This section of the report is intended to provide an understanding of the test results in a manner that can be used to guide the organization's remediation planning activities. This summary is intended to be used in concert with the vulnerability spreadsheet which contains remediation details and the ability to further filter/sort the data to support your efforts. Each "view" provides another perspective/lens to analyze the data from. Relative Security View Provides a relative benchmark of your vulnerability and risk to other organizations that we have tested. This value is a weighted average generated by Pivot Point Security at the time of the scan. Your Cause was assigned to the "SAAS" Industry which rolls up into the "Technology Services" Meta Industry. Confidential File For Your Cause Page 9

10 Host Relative View Most Vulnerable Hosts Details which hosts have the highest level of vulnerability to assist in prioritizing remediation activities. (Host Vulnerability = cumulative CVSS Base Score.) IP Address Host Name Host Vulnerability Critical High Medium Low % of Org Vulnerability % Total 100% Most at Risk Hosts Details which hosts have the highest level of risk (vulnerability + exploitability + fix ability) to assist in prioritizing remediation activities. (Host Risk = cumulative CVSS Temporal Score.) IP Address Host Name Host Risk Critical High Medium Low % of Org Risk % Total 100% Confidential File For Your Cause Page 10

11 Concerning Hosts The hosts below are likely subject to exploit. Please see detail on the concern rationale and review/remediate based on risk in your environment. IP Address Host Name Exploit Framework Metasploit Exploit Framework Core Exploit Framework Canvas Other/No Tool Required No Hosts Found Confidential File For Your Cause Page 11

12 Vulnerability/Risk View Top 10 Most "Significant" Vulnerabilities Details the specific technical vulnerabilities that make the organization most vulnerable/put the organization at the most risk to assist in prioritizing remediation activities. Plugin ID Description Count Host Vulnerability Host Risk SSL RC4 Cipher Suites Supported 1 100% 100% 100% 100% Confidential File For Your Cause Page 12

13 Top 10 Most "Frequent" Vulnerabilities Details the specific technical vulnerabilities that make the organization most vulnerable/put the organization at the most risk to assist in prioritizing remediation activities. Plugin ID Description Count Host Vulnerability Host Risk SSL RC4 Cipher Suites Supported 1 100% 100% 100% 100% Confidential File For Your Cause Page 13

14 Vulnerability/Risk per Service Provides a relative distribution of vulnerability/risk across different services to assist in prioritizing remediation activities. Host Vulnerability (%) www % Host Risk (%) www % Confidential File For Your Cause Page 14

15 Time View Historical Vulnerability/Risk Provides a historical view (if available) of vulnerability & risk to gauge the effectiveness of your vulnerability/configuration management practices over time. Oldest Vulnerabilities Details the oldest vulnerabilities and their impact on overall organizational vulnerability/risk levels to assist in prioritizing remediation activities. Plugin ID Description Age Count Host Vulnerability Host Risk SSL RC4 Cipher Suites Supported % 100% 100% 100% Confidential File For Your Cause Page 15

16 Vulnerability Age Benchmarking Provides a measure of the average age of vulnerabilities as compared to other organizations' levels to assist in prioritizing remediation activities. Average Vulnerability Age by Platform Provides a measure of the average age of vulnerabilities across platforms levels to assist in prioritizing remediation activities. Confidential File For Your Cause Page 16

17 Vulnerability/Risk as a Function of Age Provides a measure of the overall vulnerability/risk as a function of vulnerability age (medium, high, & critical risks) to assist in prioritizing remediation activities. Host Vulnerability (%) 25-36M 100% Host Risk (%) 25-36M 100% Confidential File For Your Cause Page 17

18 New Hosts Details hosts that were not visible in the last scan to assist in identifying unauthorized devices connecting to your network. No New Hosts IP Address Host Name Platform Confidential File For Your Cause Page 18

19 Missing Hosts Details hosts that were visible in the last scan but not this scan to assist in identifying hosts that may not be being patched. No Missing Hosts IP Address Host Name Platform Confidential File For Your Cause Page 19