STRENGTHENING INFORMATION SECURITY WITH VAPT




Sherin S Panikar
Institute of Management and Computer Studies, Thane (West), India
University of Mumbai
sherin.real1@gmail.com

Abstract

Vulnerability Assessment and Penetration Testing (VAPT) provides enterprises with a more comprehensive application evaluation than any single test alone. Using the VAPT approach gives an organization a more detailed view of the threats facing its applications, enabling the business to better protect its systems and data from malicious attacks. Vulnerabilities can be found both in applications from third-party vendors and in internally developed software, but most of these flaws are easily fixed once found. Using a VAPT provider enables IT security teams to focus on mitigating critical vulnerabilities while the VAPT provider continues to discover and classify vulnerabilities.

However, the growing reliance on information technology has also brought new levels of security concerns and cyber threats. It exposes valuable corporate information, mission-critical business applications and consumers' private information to more risk than before, yet the security of IT infrastructure is something organizations cannot afford to compromise. VAPT helps to assess the effectiveness or ineffectiveness of the security infrastructure an organization has installed to remain protected from emerging cyber threats, and hence enables the organization to install patches and adopt the required security measures to safeguard itself from possible cyber attacks. This paper briefly describes the methodologies and techniques involved in VAPT, along with its benefits and precautions. The paper aims at creating a high level of cyber security awareness at all levels of an organization, enabling it to adopt the required up-to-date security measures and remain protected from various cyber attacks.

Keywords: Information Security, Cyber Security, InfoSec, CyberSec, VAPT, Metasploit, Penetration Testing, Vulnerability Assessment, Hacking, Ethical Hacking, Metasploit Framework, Computer Hacking and Forensics.

I. INTRODUCTION

Commonly deployed security measures include firewalls, intrusion detection systems and anti-virus software, but security-conscious organisations go one step further by trying to understand the possible weaknesses of their deployed network, rather than relying on a paper-based analysis of the documented system. This can be achieved by employing a highly skilled security specialist to attempt to break in to the network and related systems to determine what vulnerabilities are present. This service would typically include recommendations for mitigating the vulnerabilities and/or re-configuration to block these potential holes in the network. These security specialists are referred to as penetration testers or pen-testers.

A penetration test can therefore be defined as the process of systematically and actively testing a deployed network to determine what vulnerabilities may be present and to create a report with recommendations to mitigate or resolve these vulnerabilities. Penetration testing aims at assessing how difficult it is for someone (essentially an attacker) to penetrate an organization's cyber security controls and gain unauthorized access to its information and information systems. VAPT is done by simulating an unauthorized user (attacker) attacking the system using automated tools, manual expertise, or a combination of both; hence the process of VAPT is sometimes also referred to as ethical hacking. VAPT helps in identifying cyber threats and vulnerabilities under controlled circumstances, so that they can be eliminated before actual attackers aim to exploit them.

II. AN OVERVIEW OF VA&PT

The complete process of VAPT is conducted in two major parts. The first part deals with the analysis and discovery of existing vulnerabilities, which may lead to various cyber threats. The second part deals with the exploitation of the detected set of vulnerabilities, to judge their severity and impact on the target system.

A. Vulnerability Assessment

A vulnerability is a software or hardware bug, or a misconfiguration, that a malicious individual can exploit. The existence of a vulnerability in a system poses a threat. These vulnerabilities are ranked on the basis of their severity and impact. Communities like OWASP and SANS provide standard lists of the most common and serious security vulnerabilities. The OWASP Top 10 list focuses on web application security and represents a broad consensus about what the most critical web application security flaws are. Similarly, the CWE/SANS Top 25 list, maintained by security experts from SANS and MITRE, aims at listing the top 25 vulnerabilities in all kinds of applications. Both of these lists help in assessing the severity of the vulnerabilities found.

B. Vulnerability Assessment Strategies

III. COMPARISON: Penetration Testing & Vulnerability Assessment

A vulnerability assessment usually includes a mapping of the network and the systems connected to it, an identification of the services running and their versions, and the creation of a catalogue of the vulnerable systems. A vulnerability assessment normally forms the first part of a penetration test. The additional step in a penetration test is the exploitation of any detected vulnerabilities, to confirm their existence and to determine the damage that might result from the vulnerability being exploited and the resulting impact on the organisation. In comparison to a penetration test, a vulnerability assessment is not as intrusive and does not always require the same technical capabilities.

Unfortunately, it may be impossible to conduct an assessment so thorough that it guarantees that the most damaging (i.e., high-risk) vulnerabilities have been identified. The difference between a penetration test and a vulnerability assessment is becoming a significant issue in the penetration testing profession. There are many penetration testers who are only capable of performing vulnerability assessments and yet present themselves as penetration testers. If a company is unfamiliar with the process, it may think a networked system has been fully assessed when this is not the case.

IV. VAPT REQUIREMENTS

There are a number of organisational issues that need to be addressed before a network penetration test or security review. These requirements can include legal and contractual issues specifying liability, etc. They may also include the technical requirements of the penetration test: the range of IP addresses over which the test is to be conducted, time constraints, the source IP address, and the systems that are to be targeted (and also those that are not to be targeted) as part of the test. There may also be a requirement to inform specific individuals that the test is taking place, for example in relation to health and safety issues where the target is a safety-critical system. These requirements can vary across the globe, depending on the legal structures of the host country, and this may pose a challenge for organisations that span international boundaries. There are also a number of ethical and competency issues that penetration testers face in conducting an assessment, from testing systems or protocols not explicitly included in or excluded from a test, to significant omissions that could be disastrous to an organisation.

The penetration tester is contractually and ethically bound to abide by the customer's requirements, but should ensure the penetration test is conducted correctly and does not lead to a false or misleading sense of security. Although codes of conduct and best practices are laid out by numerous professional bodies, in actual practice the individual is often required to take an informed decision given a particular situation. Therefore the individual should possess the necessary procedural, ethical and technical training.

Metasploit

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its best-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, the shellcode archive and related research. The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework.

V. METHODOLOGY

The goal during information gathering should be to gain accurate information about your targets without revealing your presence or your intentions, to learn how the organization operates, and to determine the best route in. Metasploit is the best console for information gathering, as it is a very comprehensive penetration testing tool. In this article, I am going to cover the whole information gathering phase for a network using Metasploit. Information gathering requires careful planning, research, and most importantly, the ability to think like an attacker. At this step, you will attempt to collect as much information about the target environment as possible. There are two types of information gathering: passive and active.

1) Passive Information Gathering

Using passive information gathering, you can discover information about targets without touching their systems. For example, you can identify network boundaries, operating systems, open ports, and the web server software in use on the target without touching the system itself.

2) Active Information Gathering

In active information gathering, we interact directly with a system to learn more about it. We might conduct port scans for open ports on the target or conduct scans to determine what services are running. Each system or running service that we discover gives us another opportunity for exploitation. But beware: if you get careless during active information gathering, you might be nabbed by an IDS or intrusion prevention system (IPS).

Importing Nmap Results into Metasploit

When you are working with other team members, with various individuals scanning at different times and from different locations, it helps to know how to import a basic Nmap-generated XML export file into the Framework. First, we scan the Windows virtual machine using the -oX option to generate a Target.xml file:

    nmap -Pn -sS -A -oX Target.xml 192.168.20.0/24

Running Nmap from MSFconsole

We've performed advanced enumeration on our target; now let's connect Nmap with Metasploit. First, we should be able to enter the db_nmap command from within msfconsole to run Nmap and have its results automatically stored in our new database:

    msf > db_nmap -sS -A 172.16.32.131

Alternatively, after generating the XML file, we use the db_import command to import it into our database. We can then verify that the import worked by using the hosts command, which lists the host entries that have been created, as shown here:

    msf > db_import Subnet1.xml
    msf > hosts

DATA BREACH INVESTIGATION REPORT

Metasploit has several port scanners built into its auxiliary modules that directly integrate with most aspects of the Framework. We'll use these port scanners to leverage compromised systems to access and attack. To see the list of port scanning tools that the Framework offers, enter the following:

    msf > search portscan

VI. CONDUCTING A PENTEST ON A WEBSITE

Reports After Scanning: www.imcost.org

Registration Details
Domains Hosted On Same Web Server
Information Gathering

(The WHOIS registration record for the domain, as returned by the scan, is omitted here.)

VII. PROPOSED SOLUTION: "Manual Pentesting"

A penetration tester's job is to demonstrate and document a flaw in security. In a normal situation, a pen tester will perform reconnaissance to find some vulnerabilities, exploit those vulnerabilities to gain access, then possibly extract some small piece of data of value to prove that the system is not secure. Note that this doesn't say which vulnerability the tester will exploit, and the tester might be free to try anything from a social engineering attack to a WiFi sniffer to a physical break-in. However, pen testers generally must work within limits or boundaries. Often this is at the request of the clients: "Please demonstrate that you can or can't get inside our network, but we don't want you to send any phishing emails to our employees." And the security company may have a policy of never installing certain types of malware. (There's little reason for a pen-tester to install a botnet client or to hide his tracks behind a rootkit, for example, unless he's demonstrating the need to scan for botnets and rootkits.) Some clients will place many limits on the tests, such as "just test the security of my application server."

These clients may be under the impression that a hacker will be thwarted by the magical firewalls they bought, which will protect the app server from every conceivable form of external attack. Or it could be that they have a different team focused on firewall defenses, and a third team working on social engineering awareness campaigns. The client may also ask that the pen tester not exfiltrate the valuable data; knowledge of the holes themselves is enough for them. Either way, the pen tester must carefully stay within the limits given, even when the tester can identify a more effective avenue of exploitation. The pen tester is usually only reluctantly given a position of trust, because they're often viewed as "criminal hackers". By carefully documenting and exposing every flaw they exploited, they gain trust through professionalism. If a tester sees a flaw he is not authorized to explore, he should point it out, but not explore it unless he first obtains permission. Also note that the goal of the pen tester is not to "install malicious software". The goal is to demonstrate the adequacy of the security guarding information of value (credit cards, trade secrets, marketing plans, server administration, etc.). Malware is just one technique used by hackers.

For starters, I would recommend you read, practice, and learn what you can at home and online. Check out the Certified Ethical Hacker books and training available. Try to attend local, regional, or national security conferences and events. You may have local "white-hat" groups like OWASP that have meetings you can attend and people you can meet. You may also have a more "gray-hat" DEFCON chapter nearby; again, these would be people you could learn from. It's worth noting that quite often, a client will impose limits on a pen-tester's scope of practice. They may hire someone to test their network, their physical security, or even just their reception staff's reaction to suspicious characters; so quite often the difference between two jobs is what the client wants done.

VIII. CONCLUSION

In today's electronic era, anything and everything remains connected and partially exposed. Cyber attacks and cyber crimes are rapidly evolving and creating a massive threat to industry and government across the globe. These attacks have caused losses worldwide amounting to billions of dollars. Though protection systems are developed, cyber criminals are finding new techniques to bypass them, and these emerging threats are complex and stealthy. So there is a need to carry out continuous research efforts and develop solutions to protect against evolving cyber threats.

VAPT proves to be an efficient, cost-effective and assured assessment tool to periodically analyze the status of current security arrangements and help organizations install the required security patches in order to remain protected from outsider and insider threats forever. VAPT, being proactive in nature, enables an organization to know about the possible set of threats and attacks even before their actual occurrence. Hence organizations can take the required actions to safeguard their data resources and component systems well before an attacker actually plans to deploy an attack.

IX. ACKNOWLEDGEMENT

The research work was supported by OWASP members, KeralaCyberSquad researchers, KeralaCyberArmy researchers and web application security researchers, with comprehensive support from the FireBleed team and Hostmate.co.

AUTHOR'S PROFILE

Sherin S Panikar is a Master of Computer Applications student at the Institute of Management & Computer Studies, Thane, University of Mumbai; a Certified Ethical Hacker v8 and Certified Security Expert from EC-Council, with 6 years of experience in the Information Security & Cyber Security domain, well versed in Network Pentesting, Web Application Pentesting and Malware Analysis. Blog: www.keralacybersquad.blogspot.in