STRENGTHENING INFOMATION SECURITY WITH VAPT

Transcription

1 STRENGTHENING INFOMATION SECURITY WITH VAPT Sherin S Panikar Institute of Management and Computer Studies Thane (West), India. University of Mumbai [email protected] Abstract Vulnerability Assessment and Penetration Testing (VAPT) provides enterprises with a more comprehensive application evaluation than any single test alone. Using the Vulnerability Assessment and Penetration Testing (VAPT) approach gives an organization a more detailed view of the threats facing its applications, enabling the business to better protect its systems and data from malicious attacks. Vulnerabilities can be found in applications from third-party vendors and internally made software, but most of these flaws are easily fixed once found. Using a VAPT provider enables IT security teams to focus on mitigating critical vulnerabilities while the VAPT provider continues to discover and classify vulnerabilities. However, it has also brought new levels of security concerns and Cyber threats. It exposes valuable corporate information, mission critical business applications and consumers private information to more risk than before. But security of IT infrastructure is something that Organizations cant afford to compromise. Vulnerability Assessment and Penetration Testing (VAPT) helps to assess the effectiveness or ineffectiveness of the security infrastructure installed by the Organizations to remain protected from the emerging Cyber threats. Hence it enables the Organizations to install patches and adopt required security measures to safeguard themselves from possible cyber attacks. This paper describes in brief the methodologies and techniques involved in VAPT, Along with its benefits and precautions. The paper aims at creating high level of Cyber Security awareness and importance at all levels of an Organization, enabling them to adopt required up-todate security measures and remain protected from various Cyber Attacks. Keywords Information Security, Cyber Security, InfoSec, CyberSec, VAPT,Metasploit Penetration Testing, Vulnerability Assessment, Hacking, Ethical Hacking, Metasploit Framework. Computer Hacking and Forensics, I. INTRODUCTION Commonly deployed security measures include firewalls, intrusion detection systems and anti-virus software, but security-conscious organisations go one step further by trying to understand the possible weaknesses of their deployed network, rather than just a paper-based analysis of the documented system. This can be achieved by employing a highly skilled security specialist to attempt to break-in to the network and related systems to determine what vulnerabilities are present. This service would typically include recommendations for mitigating the vulnerabilities and/or re-configuration to block these potential holes in the network. These security specialists are referred to as penetration testers or pen-testers. A penetration test can therefore be defined as the process of systematically and actively testing a deployed network to determine what vulnerabilities may be present and to create a report with recommendations to mitigate or resolve these vulnerabilities. While, Penetration Testing, aims at assessing the difficulty level for someone (basically an attacker/hacker) to penetrate an Organization's Cyber security controls against unauthorized access to its information and information systems. VAPT is done by simulating an unauthorized user (attacker) attacking the system using either Automated Tools or Manual Excellence or a combination of both. Hence the process of VAPT is sometimes also referred as Ethical Hacking. VAPT helps in identifying Cyber threats & vulnerabilities under controlled circumstances, so that they can be eliminated before actual hackers/attackers aim to exploit it.

2 II. AN OVERVIEW OF VA&PT The complete process of VAPT is conducted in two major parts. The first part deals with the Analysis and Discovery of existing Vulnerabilities, which may leads to various Cyber threat. The second part deals with the Exploitation of the detected set of Vulnerabilities, to judge their Severity and Impact over the Target system. A. Vulnerability Assessment Vulnerability is a software or hardware bug, or misconfiguration that a malicious individual can exploit. The existence of vulnerability in a system imposes a Threat. These vulnerabilities are ranked on the basis of their Severity and Impact. Communities like OWASP and SANS provide the standard list of most common and serious security vulnerabilities. The OWASP Top 10 list emphasizes on Web Application Security, and represents a broad consensus about what the most critical web application security flaws are. Similarly the CWE/SANS Top 25 Vulnerability list, maintained by security experts from SANS and MITRE, aims at listing the top 25 vulnerabilities in all kind of applications. Both of these lists help in assessing the severity of the vulnerabilities found. B. Vulnerability Assessment Strategies. III. COMPARISION: Penetration Testing & Vulnerability Assessment A vulnerability assessment usually includes a mapping of the network and systems connected to it, an identification of the services and versions of services running and the creation of catalogue of the vulnerable systems. A vulnerability assessment normally forms the first part of a penetration test. The additional step in a penetration test is the exploitation of any detected vulnerabilities, to confirm their existence, and to determine the damage that might result due to the vulnerability being exploited and the resulting impact on the organisation. In comparison to a penetration test a vulnerability assessment is not so intrusive and does not always require the same technical capabilities. Unfortunately it may be impossible to conduct such a thorough assessment that would guarantee that the most damaging vulnerabilities (i.e., high risk) have been identified. The difference between a penetration test and a vulnerability assessment is becoming a significant issue in the penetration testing profession. There are many penetration testers that are only capable of performing vulnerability assessments and yet present themselves as penetration testers. If a company is unfamiliar with the process they may think a networked system has been fully assessed, when this is not the case. IV. VAPT REQUIREMENTS There are a number of organisational issues that need to be addressed before a network penetration test or security review. These requirements can include legal and contractual issues specifying liability etc. This may also include the technical requirements involved in the penetration test: The range of IP addresses over which the test is to be conducted, time constraints, the source IP address and the systems that are to be targeted (and also those that are not to be targeted) as part of the test. There may also be a requirement to inform specific individuals that the test is taking place, for example in relation to health and safety issues where the target is a safety critical system. These requirements can vary across the globe, depending on legal structures in the host country and this may pose a challenge for organisations who span international boundaries. Theoretically there are a number of ethical and competency issues that penetration testers face in conducting an assessment, from testing systems or protocols not explicitly included or excluded from a test, to significant omissions that could possibly be disastrous to an organisation. The penetration tester is contractually and ethically bound to abide by the customers requirements, but should ensure the penetration tests is conducted correctly and does not lead to a false or misleading sense of security. Although Code of Conduct and Best Practice is laid out by numerous professional bodies, in actual practice the individual is often required to take an informed decision given a particular situation. Therefore the individual should possess the necessary procedural, ethical and technical training. Metasploit : The MetasploitProject is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its best-known sub-project is the open source. Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research. The Metasploit Project is well known for its antiforensic and evasion tools, some of which are built into the Metasploit Framework

3 V. METHODOLOGY During Information gathering should be to gain accurate information about your targets without revealing your presence or your intentions, to learn how the organization operates, and to determine the best route. Metasploit is the best console for information gathering, as it is a very comprehensive penetration testing tool. In this article, I am going to cover whole information gathering of a network using Metasploit. Information gathering requires careful planning, research, and most importantly, the ability to think like an attacker. At this step, you will attempt to collect as much information about the target environment as possible. There are two types of information gathering: passive and active. 1) Passive Information Gathering Using passive information gathering, you can discover information about targets without touching their systems. For example, you can identify network boundaries, operating systems, open ports, and web server software in use on the target without touching their system. 2) Active Information Gathering In active information gathering, we interact directly with a system to learn more about it. We might conduct port scans for open ports on the target or conduct scans to determine what services are running. Each system or running service that we discover gives us another opportunity for exploitation. But beware If you get careless while active information gathering, you might be nabbed by an IDS or intrusion prevention system (IPS). Importing Nmap Results into Metasploit When you are working with other team members, with various individuals scanning at different times and from different locations, it helps to know how to import a basic nmap generated XML export file into the Framework. First, we scan the Windows virtual machine using the -ox option to generate a Target.xml file. #nmap -Pn -ss -A -ox Target /24

4 Running Nmap from MSFconsole We ve performed advanced enumeration on our target, now let s connect Nmap with Metasploit. First, we should be able to enter the db_nmap command from within msfconsole to run Nmap and have its results automatically stored in our new database. #msf > db_nmap -ss -A After generating the XML file, we use the db_import command to import it into our database. We can then verify that the import worked by using the hosts command, which lists the systems entries that have been created, as shown here: msf > db_import Subnet1.xml msf> hosts

5 DATA BREACH INVESTIGATION REPORT Metasploit has several port scanners built into its auxiliary modules that directly integrate with most aspects of the Framework. We ll use these port scanners to leverage compromised systems to access and attack. To see the list of port scanning tools that the Framework offers, enter the following. #msf > search portscan VI. CONDUCTING PETEST ON WEBSITE

6 Reports After Scanning: Registration Detials Domains Hosted On Same Web Server

7 Information Gathering Tech City:pune Domain Name:IMCOST.ORG Tech State/Province:MA Domain ID: D LROR Tech Postal Code: Creation Date: T09:34:32Z Tech Country:IN Updated Date: T12:21:06Z Tech Phone: Registry Expiry Date: T09:34:32Z Tech Fax: Sponsoring Registrar:Net 4 India Limited (R1434LROR) Name Server:NS1.SOFTLAYER.COM Name Server:NS2.SOFTLAYER.COM Sponsoring Registrar IANA ID: 1007 DNSSEC:Unsigned WHOIS Server: Referral URL: Domain Status: ok -- Registrant ID: Registrant Name:Boost infoech Registrant Organization: VII. PROPOSED SOLUTION Registrant Street: mohan nagar, chinchwad Registrant City:pune "Manual Pentesting" Registrant State/Province:MA A Penetration tester's job is to demonstrate and document a flaw in security.in a normal situation, a pen tester will perform reconnaissance to find some vulnerabilities, exploit those vulnerabilities to gain access, then possibly extract some small piece of data of value to prove that the system is not secure.note that this doesn't say which vulnerability the tester will exploit, and the tester might be free to try anything from a social engineering attack to a WiFi sniffer to a physical break-in. However, pen testers generally must work within limits or boundaries. Often this is at the request of the clients: "Please demonstrate that you can or can't get inside our network, but we don't want you to send any phishing s to our employees." And the security company may have a policy of never installing certain types of malware. (There's little reason for a pen-tester to install a botnet client or to hide his tracks behind a rootkit, for example, unless he's demonstrating the need to scan for botnets and rootkits.)some clients will place many limits on the tests, such as "just test the security of my application server." These clients may be under the impression that a hacker will be thwarted by the magical firewalls they bought that will protect the app server from every conceivable form of external attack. Or it could be that they have a different team focused on firewall defenses, and a third team working on social engineering awareness campaigns. The client may also ask that the pen tester not exfiltrate the valuable data - knowledge of the holes themselves is enough for them.either way, the pen tester must carefully stay within the limits given, even when the tester can identify a more effective avenue of exploitation. The pen tester is usually only reluctantly given a position of trust, because they're often viewed as "criminal hackers". By carefully documenting and Registrant Postal Code: Registrant Country:IN Registrant Phone: Admin ID: Admin Name:sandeep p pachpande Admin Organization: Admin Street: mohan nagar, chinchwad Admin City:pune Admin State/Province:MA Admin Postal Code: Admin Country:IN Admin Phone: Admin Phone Ext: Admin Fax: Tech ID: Tech Name:sandeep p pachpande Tech Street: mohan nagar, chinchwad

8 exposing every flaw they exploited, they gain trust through professionalism. If a tester sees a flaw he is not authorized to explore, he should point it out, but not explore it unless he first obtains permission.also note the goal of the pen tester is not to "install malicious software". The goal is to demonstrate the adequacy of the security guarding information of value (credit cards, trade secrets, marketing plans, server administration, etc.) Malware is just one technique used by hackers.for starters, I would recommend you read, practice, and learn what you can at home and on line. Check out the Certified Ethical Hacker books and training available. Try to attend local, regional, or national security conferences and events. You may have local "white-hat" groups like OWASP that have meetings you can attend and people you can meet. You may also have a more "gray-hat" DEFCON chapter nearby, again, these would be people you could learn from.it's worth noting that quite often, a client will impose limits on a pen-tester's scope of practice. They may hire someone to test their network, their physical security, or even just their reception staff's reaction to suspicious characters; so quite often the difference between two jobs is what the client wants doing. VIII. CONCLUSION In today s Electronic Era, where anything and everything remains connected and partially exposed. Cyber attacks and Cyber crimes are rapidly evolving and creating massive threat to Industry and Government across the globe. These attacks have caused losses worldwide amounting to billions of dollars. Though protection systems are developed, cyber criminals are finding new techniques to bypass them. Also these emerging threats are complex and stealthy. So, there is a need to carry out continuous research efforts &development solutions to protect from evolving cyber threats. VAPT proves to be an efficient, cost effective and assured assessment tool to periodically analyze the status of current security arrangements and help Organizations to install the required security patches in order to remain protected of the Outsider and Insider threats forever. VAPT being Proactive in nature enables an organization to know about the possible set of threats and attacks even before their actual occurrence. Hence the organizations can take required actions to safeguard their Data resources and component systems much before the attacker actually plans to deploy an attack. IX. ACKNOWLEDGEMENT The Research Work was supported by OWASP members and KeralaCyberSquad Researchers & KeralaCyberArmy Researchers and Web Application Security Researchers. Comprehensive support from FireBleed Team, Hostmate.co,. X. REFERENCES [1] James. S. Tiller, CISO's guide to penetration testing, Taylor and Francis Group,CRC Press Publication, [2] P. Xiong and L. Peyton, A Model driven Penetration test framework for Web Applications, IEEE8th Annual International Conference on Privacy, Security & Trust, Aug 17-19, 2010, Ottawa, ON, Canada. [3] B. Liu, L. Shi and Z. Cai, Software Vulnerability Discovery Techniques: A Survey, IEEE 4th International Conference on Multimedia Information Networking and Security, Nov 2-4, 2012 Nanjing, China [4] B. Duan, Y. Zhang and D. Gu, An easy to deploy Penetration testing platform, IEEE 9th International Conference for young Computer Scientists, Nov 18-21, 2008, Hunan, China. [5] Dr. D. Geer and J. Harthorne, Penetration testing: A Duet, IEEE Proceedings of 18th Annual Computer Security Application Conference, ACSAC 02, 2002, Washington, DC, USA [6] S. Sparks, S. Embleton, R. Cunningham and C. Zou, Automated vulnerability analysis: Leveraging control flow for evolutionary, IEEE 23rd Annual Computer Security Applications Conference, Dec 10-14, 2007, Miami, Florida. [7] S. Turpe, J. Eichler, Testing production systems safely: common precautions in Penetration testing, IEEE Academics and Industrial Conference, Sep 4-6, 2009, Windsor [8]EC-Council, (2010). Certified Ethical Hacking Training Course. URL: acker.aspx AUTHORS PROFILE Sherin S Panikar, Master of Computer Application student from Instute of Management & Computer Studies, Thane. From University of Mumbai. Certified Ethical Hacker v8 and Certified Security Expert from EC Council. With 6 years of experience in Information Security & Cyber Security Domain. Well Versed with curcumventing Network Pentesting, Web Application Pentesting and Malware Analysis. Blog: