Vulnerability assessment and mitigation

IT components, such as operating systems, application software, and networks, have many vulnerabilities. These vulnerabilities are open to compromise or exploitation, which creates the possibility of penetrating systems and gaining unauthorized access.

Vulnerability tests are done to identify vulnerabilities, and penetration tests are conducted to check whether systems can be compromised such that the established access control mechanisms are defeated and unauthorized access is gained.

Alternatively, systems can be shut down or overloaded with malicious data using techniques such as denial-of-service attacks, so that access by legitimate users or processes may be denied.

The primary purpose of vulnerability and penetration tests is to identify, evaluate, and mitigate the risks of vulnerability exploitation.

Vulnerability assessment

Vulnerability assessment is a process in which IT systems, such as computers, networks, operating systems, and application software, are scanned to identify the presence of known and unknown vulnerabilities.

Vulnerabilities in IT systems such as software and networks can be considered to be holes or errors.

Vulnerabilities creep into systems due to improper software design, insecure coding, or both. For example, buffer overflow is a vulnerability where the boundary limits for an entity, such as a variable or constant, are not properly defined or checked. Such a vulnerability can be exploited by supplying more data than the entity can hold. This results in data spilling over into other memory areas, which corrupts the instructions or code that the microprocessor needs to process.

Vulnerabilities can be compromised and such an act is called the exploitation of vulnerabilities. When a vulnerability is exploited, it results in a security violation, which will result in a certain impact. A security violation may provide unauthorized access, give higher privileges, or stop some functions, which will result in the denial of service to IT systems.

Tools are used in the process of identifying vulnerabilities. These tools are called vulnerability scanners. A vulnerability scanning tool can be hardware based or a software application.

Generally, vulnerabilities can be classified based on the type of security error. A type is the root cause of such vulnerability.

Vulnerabilities may be classified into the following types:

  • Access control vulnerabilities: This is an error due to a lack of enforcement of which users or functions are permitted or denied access to an object or resource:
    • Examples:
      • Improper or no access control list or table
      • No privilege model
      • Inadequate file permissions
      • Improper or weak encoding
    • Security violation and impact:
      • File/object/process can be accessed directly without proper authentication or routing
  • Authentication vulnerabilities: This is an error due to inadequate identification mechanisms, such that a user or a process is not correctly identified:
    • Examples:
      • Weak or static passwords
      • Improper or weak encoding, weak algorithms, or biometric errors
    • Security violation and impact:
      • Unauthorized or less privileged users (e.g. the Guest user) or a less privileged process gains higher privileges, such as administrative or root access to the system; or authorized individuals are improperly denied access, resulting in denial of service.
  • Boundary condition vulnerabilities: This is an error due to inadequate checking/validating mechanisms, so that the length of the data is not checked/validated against the size of the data storage or resource:
    • Examples:
      • Buffer overflow
      • Overwriting the original data in the memory
    • Security violation and impact:
      • Memory is overwritten with some arbitrary code so as to gain access to programs; or memory is corrupted, which crashes the operating system. A system made unstable by memory corruption may be exploited to gain command prompt or shell access by injecting arbitrary code.
  • Configuration weakness vulnerabilities: This is an error due to improper configuration of system parameters or leaving the default configuration settings as they are, which may not be secure:
    • Examples:
      • Default security policy configuration
      • File and print access in Internet connection sharing
    • Security violation and impact:
      • Most of the default configuration settings of software applications are published and available in the public domain. For example, some applications come with standard default passwords, which, when not changed to a secure one, allow an attacker to compromise the system. Configuration weaknesses are exploited to gain higher privileges resulting in privilege escalation impacts.
  • Exception handling vulnerabilities: This is an error due to improper setup or coding, such that the system fails to handle or properly respond to exceptional or unexpected data or conditions:
    • Examples:
      • Structured Query Language (SQL) injection
    • Security violation and impact:
      • By injecting exceptional data, user credentials can be captured by an unauthorized entity
  • Input validation vulnerabilities: This is an error due to lack of verification mechanisms to validate the input data or contents:
    • Examples:
      • Directory traversal
      • Malformed URLs
    • Security violation and impact:
      • Due to poor input validation, access to system-privileged programs may be obtained.
  • Randomization vulnerabilities: This is an error due to a mismatch in random data used in the software process. Such vulnerabilities are predominantly related to encryption algorithms:
    • Examples:
      • Weak encryption key
      • Insufficient random data
    • Security violation and impact:
      • Cryptographic key can be compromised, which will impact data and access security
  • Resource vulnerabilities: This is an error due to a lack of resources available for correct operations or processes:
    • Examples:
      • Memory getting full
      • CPU is completely utilized
    • Security violation and impact:
      • Due to lack of resources, the system may become unstable or hang. The impact could be Denial-of-Services to legitimate users.
  • State error vulnerabilities: This is an error due to the lack of state maintenance because of an incorrect process flow:
    • Examples:
      • Opening multiple tabs in web browsers
    • Security violation and impact:
      • There are specific security attacks, such as cross-site-scripting, which will result in user-authenticated sessions being hijacked.
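As an added example (not from the book), a defensive check for the directory traversal case listed under input validation vulnerabilities; it assumes a base directory such as /srv/www and POSIX path syntax, and shows why the check must run after percent-decoding:

```python
import posixpath
from urllib.parse import unquote


def resolve_under_base(base_dir: str, requested: str):
    """Return the canonical POSIX path for a client-supplied relative path,
    or None if it would escape base_dir (an assumed document root)."""
    # Decode percent-encoding first: a check that runs before decoding
    # does not see "..%2F" as a parent-directory reference.
    decoded = unquote(requested)
    # Reject absolute paths and embedded NUL bytes outright.
    if decoded.startswith("/") or "\x00" in decoded:
        return None
    base = posixpath.normpath(base_dir)
    # normpath collapses "." and ".." lexically, so "docs/../../etc/passwd"
    # resolves above base and is caught by the prefix test below.
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate
```

The check is purely lexical; on a real filesystem, symbolic links inside the base directory also need to be resolved (for example with os.path.realpath) before the prefix comparison.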

Information security professionals need to be aware of the processes involved in identifying system vulnerabilities, and they need to devise suitable countermeasures. Some such measures are applying patches supplied by application vendors and hardening systems.

Penetration testing

While vulnerability assessment and remediation is used to strengthen the computer system, it is also important to perform suitable penetration tests periodically to identify the possibilities of system compromise. The primary purpose of penetration tests is to identify the exploitation possibilities of an identified vulnerability.

Vulnerability assessment and the penetration testing process

The following diagram illustrates the process of Vulnerability Assessment and Penetration Testing (VAPT):

[Figure: Vulnerability assessment and the penetration testing process]

Vulnerability assessment and penetration testing consists of the following processes:

  • Scope: While performing assessment and testing, the scope of the assignment needs to be clearly defined. The following are the three possible scopes that exist:
    1. Testing from an external network with no prior knowledge of the internal networks and systems is referred to as black box testing.
    2. Performing the test from within the network is referred to as internal testing or white box testing.
    3. Testing from an external and/or internal network with knowledge of the internal networks and systems is referred to as gray box testing. This is usually a combination of black box testing and white box testing.
  • Information gathering: The process of information gathering is obtaining as much information as possible about the IT environment, such as networks, IP addresses, the operating system version, and so on. This is applicable to all three types of scope discussed previously.
  • Vulnerability detection: In this process, tools such as vulnerability scanners are used and vulnerabilities are identified in the IT environment by way of scanning.
  • Information analysis and planning: This process is used to analyze the identified vulnerabilities combined with the information gathered about the IT environment to devise a plan for penetrating the network and systems.
  • Penetration testing: In this process, target systems are attacked and penetrated using the plan devised in the earlier process.
  • Privilege escalation: After successful penetration into the system, this process is used to identify and escalate access to gain higher privileges such as root access or administrative access to the system.
  • Result analysis: This process is used to perform a root cause analysis of each successful compromise of the system and to devise suitable recommendations to make the system secure by plugging the holes in it.
  • Reporting: All the findings that are observed during the vulnerability assessment and penetration testing processes need to be documented, along with recommendations, to produce a testing report for the management for suitable actions.
  • Cleanup: Vulnerability assessment and penetration testing involves compromising the system, and during the process, some files may be altered. The cleanup process is applied to ensure that the system is brought back to the original state before the testing, by cleaning up (restoring) the data and files used in the target machines.

CVE and CVSS

Many security groups, vendors, and other organizations that are involved in vulnerability research identify vulnerabilities in systems almost daily. Different vendors report these vulnerabilities in widely varying ways, so it is sometimes difficult to tell whether a vulnerability reported by different vendors is the same one or a different one.

To address this anomaly, many security vendors, software vendors, and other similar business groups formed a worldwide effort, and the outcome of this group is an online dictionary of vulnerabilities and exposures. This online dictionary is called Common Vulnerabilities and Exposures (CVE) and is sponsored by the Department of Homeland Security (DHS) of the USA.

Since CVE is only an online dictionary of vulnerabilities, the National Institute of Standards and Technology (NIST), USA, as part of its Information Security Automation Program (ISAP), provides a criticality rating or score for CVE-listed vulnerabilities. This scoring is called the Critical Vulnerability Scoring System (CVSS), and the scores are held in an online database called the National Vulnerability Database (NVD).
