Penetration Testing and Vulnerability Management


Links in a Chain

The Critical Start penetration testing methodology is designed for assessing high-risk targets such as Internet-facing infrastructure and business-critical systems. These activities simulate those of a motivated individual or organization focused on obtaining unauthorized access to proprietary intellectual property and/or confidential customer data. Clients typically conduct a vulnerability assessment in conjunction with penetration testing. Critical Start works to minimize the time required to address high-risk application and operating system security vulnerabilities. We work directly with company management and IT teams to provide a prioritized and detailed plan for addressing identified security flaws in the context of our security-efficient framework (effectiveness of control, impact to user/business, initial cost, ongoing cost).

Assessment phases, components, and tasks:

External Testing
  • Network: Perform information gathering, penetration testing, and vulnerability scanning on devices visible from the Internet.
  • Wireless: Perform wireless scanning on, and penetration testing against, authorized and unauthorized wireless devices.
  • Web Application: Review web applications for vulnerabilities.

Internal Testing
  • Network: Perform information gathering and penetration testing on devices visible from within the network.
  • Vulnerability Scanning: Perform vulnerability scanning of hosts within the network.
  • Social Engineering: Conduct four rounds of phishing attempts against selected internal employees, each attempting to have the employee visit a website, and then provide security awareness training.


Example Tasks for a Penetration and Vulnerability Assessment

External Vulnerability Assessment

The purpose of the external vulnerability assessment is to discover all systems on your perimeter network that are exposed to the Internet and to assess these systems for security vulnerabilities. Critical Start performs host discovery and vulnerability identification using automated and manual processes that include commercial, open source, and internally developed tools. Testing is performed via the Internet, from an external perspective, and is limited to approved IP addresses or ranges only.

Critical Start’s External Vulnerability Assessment consists of the following activities:

  • Host discovery to identify live hosts on in-scope IP address ranges.
  • Network-based vulnerability scanning of Internet-accessible systems to assess systems, network devices, and applications for vulnerabilities and security weaknesses.
  • Review of automated scan results with manual testing to reduce false positive results.
  • Manual testing to identify vulnerabilities and security weaknesses that cannot be discovered through automated testing.
  • Analysis of findings to determine and document risk severity level, systems impacted, and a business risk summary for each finding.
  • Determination and documentation of practical recommendations for remediation, and of the remediation effort level, for each finding.

Internal Vulnerability Assessment

The purpose of the Internal Vulnerability Assessment is to discover vulnerabilities and security weaknesses on the internal network. This not only highlights individual vulnerabilities across platforms but also measures the effectiveness of vulnerability and patch management program(s) and information security practices. Vulnerability testing and configuration reviews are performed against an appropriately sized sample of systems and network devices representative of the environment, to determine whether platforms and devices are hardened in line with industry-standard security configurations.

Critical Start’s Internal Vulnerability Assessment will consist of the following activities:

  • Network device configuration reviews performed through the collection and analysis of data from a sampling of network devices, such as firewalls, routers, switches, and wireless access points.
  • System configuration reviews performed through the collection and analysis of data from a sampling of servers and workstations.
  • Network-based vulnerability scanning of a sample of internal systems to assess systems, network devices, and applications for vulnerabilities and security weaknesses.
  • Review of automated scan results with manual testing to reduce false positive results.
  • Analysis of findings to determine and document risk severity level, systems impacted, and a business risk summary for each finding.
  • Determination and documentation of practical recommendations for remediation, and of the remediation effort level, for each finding.
  • Quality assurance review of the draft report.
  • Meeting to review the draft report and discuss findings and recommendations.

Penetration Testing Services (External and Internal)

The purpose of Penetration Testing is to validate the effectiveness of existing security controls and to evaluate the organization’s security awareness, intrusion detection, and incident response capabilities during the testing. This is an exercise designed to demonstrate what a skilled and dedicated attacker might reasonably accomplish during the testing period. Is it possible to compromise or circumvent security controls and gain access to key business targets? Moreover, would the organization detect the attacks or intrusion and respond appropriately?

Critical Start conducts testing to identify and exploit vulnerabilities with the objective of acquiring key logical targets. These targets consist of various types of data (e.g. personally identifiable information and non-public information such as customer information, credit card information, social security numbers, confidential employee information, etc.) and types of system access (Windows domain administrator privileges, root access to UNIX/Linux systems, administrative access to network devices, etc.). Testing follows a path-of-least-resistance approach: exploitation is only performed on the vulnerabilities necessary to access systems, escalate privileges, and expose confidential data in pursuit of the defined project targets. Thus, the objective is not to identify all vulnerabilities but rather to determine whether it is possible to compromise existing security controls and acquire key business targets within a time-boxed methodology.

This assessment is intended to simulate real-world attack scenarios and demonstrate the impact of security weaknesses in the human, procedural, and technical defenses that constitute the overall security of both the perimeter and the internal environment. It may be possible to combine the information or access provided by several non-critical vulnerabilities to gain unauthorized access to critical data or systems. Thus, penetration testing can often reveal business risks that are not evident from vulnerability assessment reports. Further, by clearly demonstrating how vulnerabilities can be exploited to gain unauthorized access to critical business systems and confidential data, the penetration testing report can often give the management team greater insight into the business risks related to information security controls.

Critical Start’s Penetration Testing consists of the following activities:

  External Penetration Testing:
  • Reconnaissance of publicly available information to identify IP address ranges, email addresses, and phone numbers potentially associated with the company.
  • Meeting to review discovered public information and define the approved list of external IP addresses, email addresses, and phone numbers to be included in the scope of testing.
  • Manual attempts to identify and exploit security vulnerabilities on in-scope external systems in order to obtain access to defined targets, including identifying and attempting access to internal systems and privilege escalation in pursuit of defined targets.
  • Social engineering via emails and phone calls to in-scope employees with the purpose of soliciting confidential information and eliciting assistance in gaining access to the internal network and defined targets.

  Internal Penetration Testing:
  • Offsite meeting near one of the physical targets (e.g. a coffee shop near the office) so the client point of contact and the Critical Start consultant(s) can meet in person prior to testing.
  • Physical intrusion attempts into one or more target locations. This may include social engineering if required.
  • Attempts to gain access to any additional defined physical targets (data center, HR records, payroll files, etc.).
  • Attempts to gain access to the internal network via a physical network jack or an existing computer connection.
  • Attempts to gain access to the internal network via wireless network connections.
  • Manual attempts to identify and exploit security vulnerabilities on internal systems in order to obtain access to defined targets.
  • Analysis of findings to determine and document risk severity level, systems impacted, and a business risk summary for each finding.

Social Engineering

We also incorporate social engineering testing in our attempt to acquire targets within the scope of testing. Through phishing emails and phone calls to approved email addresses and phone numbers, we attempt to solicit information and assistance from employees in order to gain unauthorized access to the network and the defined project targets. This allows us not only to review the effectiveness of the security awareness program, but also to demonstrate the potential consequences of weaknesses in employee security awareness and training.

A campaign to identify users who click on suspicious links will be conducted to evaluate the likelihood of malware being introduced into the environment. This campaign will run in four phases in order to measure improvement in users' ability to recognize a potential phishing attack.

Critical Start’s Social Engineering Assessment will consist of the following activities:

  • Calls to 10 call center employees to determine whether company information or passwords are given out.
  • Phishing campaign against 20 employees across four scenarios.
  • Security awareness training for the 20 employees who were part of the phishing campaign.
  • Detailed reporting on response trends.