A vulnerability assessment is often confused with penetration testing. A further danger is that the vulnerability assessment stage of a security testing engagement is often left entirely to an automated tool. It is of critical importance that a security testing engagement not only uses vulnerability assessment tools but also verifies each result, so that false positives are eliminated before they reach the report.
Vulnerability Assessment: Limitations
All too often 7Safe's penetration testing team see security testing reports or vulnerability assessment exercises that are simply a copy and paste of the output of a series of automated tools. Sadly for the client, such results are often full of false positives, and may also contain false negatives, i.e. cases where the vulnerability assessment has failed to detect a vulnerability that is actually present.
A Better Type of Vulnerability Assessment
Our penetration testing team strongly believes in results verification: each finding from a vulnerability assessment tool is checked for correctness before it is reported. More importantly, in the report the pen test consultant can offer an opinion on each finding, which greatly helps our client with the remediation activities that follow such testing. Thus the vulnerability assessment becomes a more valuable document to the decision maker, because the penetration testing consultant has taken the time to highlight overall areas of concern and to provide advice and consultancy.
PCI Penetration Testing
The PCI DSS (Payment Card Industry Data Security Standard) mandates, for some organisations, both regular vulnerability assessment (by means of an Approved Scanning Vendor, aka a PCI ASV scan) and penetration testing. However, there is a very significant difference between the two approaches:
Vulnerability Assessment – this is essentially a battery of clever, usually automated tests or security testing tool exercises that look for (generally) known lists of vulnerabilities. Whilst they do reduce risk by providing excellent coverage, they are prone to false positives and do not replace the intuition and creativity of a penetration testing consultant; hence the need for a periodic "pen test / penetration test".
Penetration Testing – this term refers to the use of a penetration testing consultant who undertakes testing using experience, strong intuition and guidance from standards such as OWASP (Open Web Application Security Project – please see www.OWASP.org), together with a mixture of best-of-breed vulnerability assessment, penetration testing and other security testing tools, and bespoke scripts and other clever applications written in-house over many years. A penetration testing team will also provide very customised guidance in the form of a report that is both technical and business-driven, which makes for a living document against which remediation activities may be driven by the client and the PCI QSA consultant during a PCI DSS audit. Please see our PCI testing for further details.
Firewall Security Test
A firewall security test is a detailed analysis of a firewall that has been implemented to protect a client's information, applications, systems and overall business operations. A firewall security test examines vulnerabilities associated with a specific vendor's solution, the susceptibility of the firewall to focused connection- and information-driven attacks and exploits, and misconfigurations (for example overly permissive or shadowed rules) that allow an attacker to bypass the protection the firewall is meant to provide.
7Safe assesses firewall rule-set configurations and implementations from a number of vendors including:
- Juniper / Netscreen
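The rule-set review described above can be partly mechanised. The following Python script is an added example, not 7Safe's tooling and not tied to any vendor's configuration syntax: it reads rules in a small vendor-neutral form constructed for the example (action, source, destination, protocol, destination port, evaluated top to bottom, first match wins) and flags the misconfigurations a reviewer looks for first: permit-any-to-any rules, management services exposed from any source, and rules shadowed by an earlier rule so that they can never match. The sample rule set and the list of "management" ports are constructed for illustration.

```python
"""Firewall rule-set review helper (added example; vendor-neutral, illustrative).

Rules are evaluated top to bottom, first match wins, as on most firewalls.
Only IPv4 is handled; a mixed IPv4/IPv6 rule set would need each family
checked separately.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Constructed for the example: services that should never be reachable from "any".
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "permit" or "deny"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    proto: str           # "tcp", "udp", "icmp" or "any"
    port: Optional[int]  # destination port; None means any port


def _net(cidr: str):
    """Map the keyword 'any' to 0.0.0.0/0 so subnet comparisons work uniformly."""
    return ip_network("0.0.0.0/0") if cidr == "any" else ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` would already match `outer`.

    If `outer` sits earlier in the rule set, `inner` is shadowed: it can
    never be hit, whatever its action is.
    """
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.port is not None and outer.port != inner.port:
        return False
    return True


def audit_ruleset(rules: List[Rule]) -> List[str]:
    """Return one finding string per suspicious rule, in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "permit":
            # Blanket permit: the firewall is effectively not filtering this direction.
            if rule.src == "any" and rule.dst == "any" and rule.port is None:
                findings.append(f"{rule.name}: permits any source to any destination on any service")
            # Administrative service exposed to the world.
            elif rule.src == "any" and rule.port in MANAGEMENT_PORTS:
                svc = MANAGEMENT_PORTS[rule.port]
                findings.append(f"{rule.name}: permits management service {rule.proto}/{rule.port} ({svc}) from any source")
        # Shadowing: an earlier rule already decides every packet this rule would see.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append(f"{rule.name}: shadowed by earlier rule {earlier.name} ({earlier.action})")
                break
    return findings


# Constructed sample rule set (documentation ranges only), not a real client's policy.
SAMPLE_RULES = [
    Rule("rule1", "deny", "10.0.0.0/8", "any", "tcp", 23),              # block telnet from the LAN
    Rule("rule2", "permit", "any", "192.0.2.10/32", "tcp", 443),        # public web server
    Rule("rule3", "permit", "any", "192.0.2.20/32", "tcp", 3389),       # RDP open to the internet
    Rule("rule4", "permit", "any", "any", "any", None),                 # forgotten "temporary" rule
    Rule("rule5", "deny", "198.51.100.0/24", "192.0.2.10/32", "tcp", 443),  # never reached: rule2 matches first
]

if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_RULES):
        print(finding)
```

Each finding still has to be confirmed against the live device (rule ordering, zones and NAT all change what a rule really matches), which is exactly the verification step the page argues for.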
VPNs are clearly an integral part of every organisation for the provision of secure remote and site-to-site connectivity. Secure VPNs use cryptographic tunnelling protocols to provide the intended confidentiality, sender authentication and message integrity. 7Safe assesses the security of corporate VPNs for weaknesses in each of these properties, in conjunction with firewall integration where necessary, or focuses on the end appliance (concentrator) where one is deployed. 7Safe currently assesses the following types of VPNs:
It is common practice for organisations to have a standard build for workstations and to roll out this generic image on to every workstation and on to some common servers. Such generic builds should be approved from a security testing perspective before being accepted as an official build. Very often, this testing is conducted as part of a wider Information Security Assessment, which is a strategic piece of work.
A significant danger with this practice is that a standard build may carry a generic security flaw, so that every workstation or server built from it suffers from the same flaw. 7Safe undertakes security testing and penetration testing on the majority of operating system builds.
7Safe undertakes build reviews and security testing against the following Windows® platforms and the applications they may host, e.g. SharePoint and Exchange:
- Microsoft Windows Server 2008
- Microsoft Windows Server 2003
- Microsoft Windows XP
- Microsoft Windows 7
- Microsoft Windows Vista
7Safe has wide and varied experience with Linux build reviews, with particular reference to:
- Red Hat Linux
- SUSE Linux