This 10 page Document was uploaded by an elite notetaker on Sunday December 20, 2015. The Document belongs to a course at a university taught by a professor in Fall. Since its upload, it has received 6 views.
Date Created: 12/20/15
VAPT Methodology

Network Security Solutions (I) Ltd
4, Kumar Pavilion, 2424 General Thimmaya Road, East Street, Pune - 411001

Methodology adopted for VAPT

I. VULNERABILITY ASSESSMENT AND PENETRATION TESTING

Vulnerability Assessment

A vulnerability test is a broad snapshot of the technical vulnerabilities present in a network or system. The goal of the test is to enumerate known vulnerabilities present in the systems being assessed. During the test, NSS will not exploit any vulnerability found, and will only identify and verify its presence.

The vulnerability testing service includes a Manual Verification and Testing phase. During manual verification, false positives are removed and targets are tested exhaustively using both open-source security tools and NSS-authored tools. While the scans can effectively identify a large portion of the vulnerabilities present, some complex, emerging, or obscure vulnerabilities require manual testing to be identified. The NSS team attempts to discover these with an additional layer of manual tests. For example, a common application running on a non-standard port may exhibit vulnerabilities not discovered by an automated scanner but found later by manual testing. In other cases, manual testing can uncover procedural errors or misconfigured firewall rules that an automated scan could not identify as a vulnerability.

The diagram below demonstrates the overall approach used to perform Internal Vulnerability Testing.

Penetration Testing

Our Penetration Test Services have been formulated to achieve three key objectives:

1. Provide a non-invasive means to test the current strength of the external security of the network.
2. Provide independent analysis of your network and locate all vulnerabilities.
3. Advise on the most effective solutions to secure your network.

A penetration test is a pre-arranged attack against an organization's systems, networks or applications with a specified goal in mind. Typically, the goal is to gain unauthorized access to data or resources by circumventing the controls that are in place; however, this may vary depending on an organization's needs. The purpose of the test is usually to demonstrate a lack of appropriate security controls or to evaluate the response to, or detection of, the attack.

The primary difference between the Penetration Test and the Vulnerability Test lies in the Intelligence Gathering and Manual Exploits phases, as shown in the diagram below. The Manual Exploits step is included to better simulate a real attacker. The result is that NSS can report to the customer whether any vulnerabilities found on their systems were actually exploitable, and whether we were able to gain unauthorized access to their networks and systems.

NSS Phased Approach

Phase 1: Independent analysis of the Network's Perimeter Security

This is achieved through ethical penetration testing from outside (remote) of the identified networks. While most serious vulnerabilities come from within (internally) a networked environment, protection against external attacks is an important aspect of overall system security. This step of the process involves performing a scan – from outside of the identified networks – against the entire public IP range. The best way to do this is using what is called an "Active Scan". While NSS takes the greatest care to provide a non-invasive test for the external security of the network, we strongly advise the following when doing Active Scans:

· Perform this step during off-hours / non-peak times.
· Notify the appropriate IT support personnel from the identified networks in advance, so they are aware of the work and available should problems develop.
· Schedule the scan for a specific date(s) and time so that it does not impact critical business applications.

The NSS A&P Team, operating from the A&P Lab at NSS Pune and NOIDA, shall undertake the following tests as part of the external penetration testing:

· Network Surveying
· Port Scanning
· System Identification
· Services Identification
· Vulnerability Research and Verification
· Intrusion Detection System Testing
· Denial of Service Testing – the test plan shall be prepared and conducted in consultation with the First Advantage Services project team.

Phase 2: Identify High-Level Security Vulnerabilities

The NSS Pen Test team will identify all existing services running on the allotted IP addresses / internal IP ranges to be scanned, determine which ports are open and what level of access is permitted, and list all vulnerabilities that exist on the network and are visible to the external world. These vulnerabilities could allow an attacker to steal data from your networks, install malicious code, post unauthorized or malicious content on the servers, or use the network to launch an attack or for other such mala fide activity on the Internet / Intranet.
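The service-identification work in Phase 2, together with the earlier point that a common application on a non-standard port can slip past an automated scanner, is where a tester sorts scan output into what needs hands-on verification. The following Python is an added example written for this edit, not NSS code or any tool listed in this document. It parses the XML that Nmap writes with -oX, skips ports that are not open, and builds a manual-verification worklist: services found on ports other than their conventional ones, legacy diagnostic services the checklist treats as unwanted (telnet, chargen and the like), and open ports whose service could not be identified. The sample scan embedded in the block is constructed, not a real scan, and the CONVENTIONAL_PORTS and UNWANTED_SERVICES maps are illustrative assumptions rather than any standard.

```python
"""Triage helper: turn an Nmap -oX scan into a manual-verification worklist."""
import xml.etree.ElementTree as ET

# Ports on which each service is conventionally found. Hypothetical, abbreviated
# reference map for this example; a real engagement would extend it.
CONVENTIONAL_PORTS = {
    "ssh": {22}, "ftp": {21}, "smtp": {25, 587}, "domain": {53},
    "http": {80}, "https": {443}, "snmp": {161}, "ldap": {389},
    "netbios-ssn": {139}, "microsoft-ds": {445}, "ms-wbt-server": {3389},
}

# Legacy / diagnostic services the assessment checklist treats as unwanted if exposed.
UNWANTED_SERVICES = {"telnet", "chargen", "echo", "discard", "daytime"}

# Constructed sample in Nmap's XML output format (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.5">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
      <port protocol="tcp" portid="19"><state state="open"/><service name="chargen"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="2222"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="4444"><state state="open"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return (host, port, protocol, service) for every open port in the scan."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the worklist
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            findings.append((addr, int(port.get("portid")), port.get("protocol"), name))
    return findings


def review_reason(port, service):
    """Explain why a finding needs manual verification, or None if it is routine."""
    if service in UNWANTED_SERVICES:
        return f"unwanted service '{service}' exposed; confirm business need or disable"
    expected = CONVENTIONAL_PORTS.get(service)
    if expected is not None and port not in expected:
        return (f"'{service}' on non-standard port {port}; scanner checks keyed to "
                f"{sorted(expected)} may have skipped it, test manually")
    if service == "unknown":
        return "service not identified; fingerprint manually"
    return None


def triage(xml_text):
    """Build the worklist: one dict per open port that merits a manual look."""
    worklist = []
    for addr, port, proto, service in parse_open_ports(xml_text):
        reason = review_reason(port, service)
        if reason:
            worklist.append({"host": addr, "port": port, "proto": proto,
                             "service": service, "reason": reason})
    return worklist


if __name__ == "__main__":
    for item in triage(SAMPLE_NMAP_XML):
        print(f"{item['host']}:{item['port']}/{item['proto']} "
              f"{item['service']:<8} {item['reason']}")
```

On the constructed scan the worklist contains four entries (chargen on 19, ssh on 2222, http on 8080, and the unidentified listener on 4444); ssh on 22 and https on 443 are left for the automated findings, and the closed telnet port is ignored. The same report, run over a real -oX file, gives the manual-verification phase a defensible starting list rather than the raw scan.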
The Vulnerability Assessment would cover the following checks:

Servers
· TCP Port Scanning
· Info Gathering
· Remote Services Check
· Unwanted Service
· FTP Vulnerabilities
· SMTP Vulnerabilities
· IIS Vulnerabilities
· SNMP Vulnerabilities
· OS Vulnerabilities
· MDAC Vulnerabilities
· Service Vulnerabilities
· NetBIOS Vulnerabilities
· Terminal Services Vulnerabilities
· DNS Zone Transfer Vulnerabilities
· Chargen Vulnerabilities

User Management
· Service Pack Check
· Default Port Check
· File System Access
· Buffer Overflow Vulnerabilities
· Auditing and Monitoring
· Password Policy
· User Management
· Policy Management
· Domain Management
· User Account Policy
· File Access Permissions
· Registry Permissions
· Guest Account Access to Event Logs
· Legal Banner
· LDAP Vulnerabilities

Network
· Network Security
· Switch Security
· Switch Monitoring
· Switch Administration
· Router Access Control
· Router Monitoring Control
· Router Performance Controls
· Firewall Monitoring Controls
· Firewall Access Control
· Traffic Filtering
· Configuration Management
· Firewall Management
· Switch Access Control
· IOS Vulnerabilities

Phase 3: Fixing High-Level Security Vulnerabilities and Hardening

NSS consultants would recommend fixes for the high- to low-level vulnerabilities.

II. APPLICATION / WEB APPLICATION SECURITY AUDITS

Introduction

An Application / Web-Application Security Audit is the process of actively evaluating all the components to ensure that they have been developed within the guidelines of security best practices. An Application Security Audit is an important step in the process of certifying applications. During this step, the modules are individually tested for a number of weaknesses and properties. The application only passes the review if it exhibits all required properties.
Errors in development (known variously as bugs, flaws or vulnerabilities) could allow an attacker to gain access to confidential information or deny authorized users access to the application, with potentially catastrophic results. An Application Security Audit is of great importance to avoid security holes in the application itself. It improves the reliability, stability and performance of the application. The results of the application testing are delivered in a comprehensive report highlighting the vulnerabilities and how to mitigate the risk.

Application Security Testing

Two types of testing are carried out for a complete check of the application: a Functional Test and an Internal Logic Test. Black-box testing assesses functional operating effectiveness, and white-box testing assesses the effectiveness of the software program logic.

The First Level Application Audit would highlight vulnerabilities in the application such as Cross-Site Scripting, SQL Injection, Buffer Overflows, Invalidated Inputs and Insecure Storage. These would need to be addressed by the developers, after which the second or third level audits would be undertaken. Removal of flaws and vulnerabilities from the application depends on the capabilities of the application developers, and the subsequent level audits are driven by this necessity.

Standards

The standard used for Application Testing is OWASP (Open Web Application Security Project). The OWASP Top Twelve represents a broad consensus about what are the most critical web application security flaws. The following table summarizes the OWASP Top Twelve Most Critical Web Application Security Vulnerabilities:

OWASP Top Ten Most Critical Web Application Security Vulnerabilities

A1 Invalidated Input: Input is not validated before being used by an application. Attackers can use these flaws to attack backend components through an application.

A2 Broken Access Control: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.

A3 Broken Authentication and Session Management: Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys or other tokens can defeat authentication restrictions and assume other users' identities.

A4 Cross Site Scripting (XSS) Flaws: The application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.

A5 Buffer Overflows: Application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and application server components.

A6 Injection Flaws: Applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the application.

A7 Improper Error Handling: Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.

A8 Insecure Cryptographic Storage: Protecting sensitive data with cryptography has become a key part of most web applications. Simply failing to encrypt sensitive data is very widespread. Applications that do encrypt frequently contain poorly designed cryptography, either using inappropriate ciphers or making serious mistakes using strong ciphers. These flaws can lead to disclosure of sensitive data and compliance violations.

A9 Denial of Service: Attackers can consume application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.

A10 Security Misconfiguration: Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework and custom code. Such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally such flaws result in a complete system compromise.

A11 Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

A12 Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

A13 Redirects & Forwards: Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass.

A14 Insecure Communications: Failure to encrypt sensitive communications means that an attacker who can sniff traffic will be able to access the conversation, including any credentials or sensitive information transmitted.

A15 Insufficient Transport Layer Protection: Applications frequently do not protect network traffic. Usually they use SSL/TLS during authentication but not elsewhere, exposing all transmitted data as well as session IDs to interception. Applications sometimes use expired or improperly configured certificates as well. Such flaws expose individual users' data and can lead to account theft. If an admin account were compromised, the entire site would be exposed. Poor SSL setup can also facilitate phishing attacks.

Process Flow

Methodology

The first step followed by NSS is to analyse the website for the security measures built into it. This analysis is necessary to create a baseline so that one understands the present state better and can thus appreciate the findings and recommendations. The project entails a First Level Audit of the website, after which the client's website development team would correct the vulnerabilities projected in the NSS Audit Report. If the client desires, second and subsequent level audits, to affirm that the vulnerabilities have been removed by the client's web development team, may be undertaken as a separate project. NSS experience in conducting website audits shows that it normally requires two to three levels of audit before a website can be declared "FIT" for hosting.

The methodology followed is as follows:

· Understand the scope and purpose of the website. Review the website structure and specifications so as to understand the basic design of the website.
· For the website under review, identify, document and understand the "high value objects" that a malicious attacker would seek to steal or exploit (e.g., user IDs, customer data, passwords).
· Devise attacks or methods using proprietary NSS© techniques to obtain the desired data objects.
· Once website security is handled, check if a valid/invalid user can use the website in a manner so as to subvert the underlying security model of the system.
· Various attacks are devised on each component and then the relevant vulnerabilities are demonstrated.
· Decompose the application.
· Build security profiles.
· Identify security decisions:
  o How and where is input validated?
  o How is authentication performed?
  o How is authorization performed?
  o How are configurations managed?
  o What happens with sensitive data?
  o How are sessions managed?
  o What cryptographic components/algorithms are used?
  o How does the application manipulate parameters (web)?
  o How are exceptions managed?
  o How is auditing and logging performed?
· Rationale: look for misuse patterns in the architecture.

List of proposed tools for VAPT along with their functionality

· Nmap, Angry IP Scanner
  o Port scanning
  o Service enumeration
  o OS fingerprinting
· Nessus
  o Vulnerability scanner
· Nikto
  o Web application scanner
· Metasploit
  o Exploitation framework
· Backtrack OS
  o Multiple vulnerability scanners
  o Multiple port scanners
  o Tools for network enumeration
  o Tools for exploitation
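The OWASP entries A1 (Invalidated Input), A6 (Injection Flaws) and A4 (Cross Site Scripting) in the table above, and the security decision "How and where is input validated?" in the methodology list, are the findings a first-level application audit most often has to explain to a development team. The following Python is an added example written for this edit, not NSS code or material from any audit report. It places a login query built by string concatenation next to its parameterized form over a constructed in-memory SQLite table, adds allow-list validation as a second layer, and places an unescaped HTML greeting next to its output-encoded form. The user table, the probe string and the username rules are all constructed for the example; the sqlite3, re and html modules are Python's standard library.

```python
"""Vulnerable vs. hardened handling of untrusted input (OWASP A1/A6 injection, A4 XSS)."""
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration.
    Passwords are stored in clear text only to keep the example short; a real
    application stores a salted hash (see A8, Insecure Cryptographic Storage)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Injection flaw: the query text is assembled from untrusted input, so a
    username containing a quote and a comment marker rewrites the WHERE clause."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_hardened(conn, username, password):
    """Parameterized query: the SQL text is fixed and the inputs are bound as data,
    so no input value can change the statement's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Allow-list for usernames (an assumption for this example): letters, digits and
# underscore, 3 to 32 characters. Anything else is rejected before it reaches SQL.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(username):
    """Positive validation: accept only input known to be well-formed."""
    return USERNAME_RE.fullmatch(username) is not None


def login_validated(conn, username, password):
    """Defence in depth: allow-list validation first, parameterized query second.
    Returns None (fail closed) for malformed input instead of raising."""
    if not validate_username(username):
        return None
    return login_hardened(conn, username, password)


def render_greeting_vulnerable(name):
    """Reflected XSS: untrusted text is written into HTML unchanged."""
    return f"<p>Welcome, {name}!</p>"


def render_greeting_hardened(name):
    """Output encoding: HTML-escape the value for the context it is written into."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "alice' --"  # the quote closes the literal; -- comments out the rest
    print("vulnerable:", login_vulnerable(db, probe, "wrong"))   # ('alice', 'admin')
    print("hardened:  ", login_hardened(db, probe, "wrong"))     # None
    print("validated: ", login_validated(db, probe, "wrong"))    # None
    print(render_greeting_hardened("<script>alert(1)</script>"))
```

Two design points are worth stating in the audit report: parameterization, not input filtering, is what closes the injection finding, because the query structure is fixed before any input is seen; and the allow-list is still worth keeping, because it rejects malformed input at the boundary and gives the error-handling path (A7) a clean, expected failure rather than a database exception.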