With the activities of Vulnerability Assessment (V.A. for brevity) and Penetration Test (P.T. for brevity), the logical and organizational security measures prepared by the customer are subjected to verification in order to prevent computer crimes and the disclosure of sensitive information. To this end it will be necessary to:
  • Identify the IT security vulnerabilities of the corporate network and systems (in particular of systems deemed critical), including web servers;
  • Verify the correctness and completeness of the behavioral policies and procedures implemented, as well as of the related training, to prevent the security risks associated with carelessness and lack of awareness on the part of users in using the IT system.
Particular attention will be paid to making these activities as “transparent” as possible to the users of the information system and with minimal impact on the performance of the corporate IT network. Scans from outside will be carried out preferably at night. For more information contact technical support or open a ticket if you are already a customer.

OBJECTIVES

The Vulnerability Assessment (VA) / Penetration Test (PT) service allows you to verify the robustness of the network through the following activities:
  • Network sniffing.
  • IP and port scanning.
  • ARP spoofing.
  • Access to the company network.
  • Attempt to steal and deduce domain passwords.
  • Search for possible vulnerabilities on layers 2, 3 and 7 of the ISO/OSI stack.
  • Using any vulnerabilities found to control systems / services.
  • Analysis, verification and interpretation of the results.

ACRONYMS AND ABBREVIATIONS

  • I.V.A. = Internal Vulnerability Assessment
  • E.V.A. = External Vulnerability Assessment
  • I.P.T. = Internal Penetration Test
  • E.P.T. = External Penetration Test

METHODOLOGY OF APPROACH

The methodology used aims to measure corporate IT security by means of four macro steps:
  1. Internal Vulnerability Assessment (1st Step).
Starting point for evaluating the IT security of the “internal” network. This step yields an index of the security status of the LAN (Local Area Network); this index will then be used to propose countermeasures / methodologies in order to strengthen the security level.
  2. External Vulnerability Assessment (2nd Step).
Vulnerability Assessment conducted externally towards the information systems of the perimeter area. Although this phase can be conducted independently and in isolation from the internal Vulnerability Assessment, it is preferable to perform it after the first in order to be able to compare the results obtained globally and be more targeted in the security observations.
  3. Internal Penetration Test (3rd Step).
A Penetration Test attempts to exploit the vulnerabilities that emerged from the previous analyses to violate the target computer systems. The Internal Penetration Test is a P.T. performed from within the company network against internal and perimeter systems. The first two steps are preparatory for this activity.
  4. External Penetration Test (4th Step).
Similar to the previous point, with the source of attack located outside the company perimeter.

The flow chart in Figure 1 illustrates more clearly the interconnection between the operational steps presented. This representation is intended to support analyzing the security of the system and intervening with suitable countermeasures following very specific steps. The execution of the analysis tests depends on the level of security you want to achieve. The analysis of reports and the application of best practices facilitate the decision-making process on the security tests to be selected.

Note: The following solution, intended as a union of the points introduced above, should be understood as a security methodology which aims to conduct the security assessment process sequentially with the aid of a series of tests. The process should not necessarily be understood as atomic (execution of all tests) but, as can be seen from the flow chart below, as a modular analysis process on corporate security.

INTERNAL VULNERABILITY ASSESSMENT (I.V.A.)

This activity verifies the robustness of the IT measures from the inside (trusted network), trying to identify which known vulnerabilities could be exploited by malicious users to carry out cyber attacks.

It consists of performing non-destructive “scans” on systems, with tools that have been designed to detect the status of standard operating systems or applications.

These tools will be those commonly used by malicious users and available on the Internet; or, upon specific request, tools prepared by well-known security software manufacturers can be used. The use of public “open-source” tools or of tools from a specific company does not lead to a substantial difference in results.

In the analysis of the vulnerabilities and weaknesses of the infrastructure as a whole, the critical ones will be highlighted so that immediate steps can be taken to mitigate the problem. By “critical” we mean a vulnerability that could cause serious and immediate damage, such as blocking of activities, loss of sensitive data, or loss of credibility, image or money.

At the end of the activity you will have a series of results that will be summarized in a Vulnerability Assessment Report.

TARGET I.V.A.

By Target we mean the set of elements subject to the Vulnerability Assessment. This set changes based on different structural factors, characteristic of the business reality analyzed, and on the type of V.A. conducted. Based on some considerations, the Target is identified in the LAN (connection to any segment of the LAN), seen as a weak link in the network infrastructure. Subsequently it will be possible to modify the Target based on further observations and the result of the V.A. The target object of the proposal includes the following devices within the LAN:
  1. Network device.
  2. Security device.
  3. Application server.
  4. Storage server.

I.V.A. PHASES

The project is divided into the following phases:
  1. Reconnaissance phase.
Acquisition of all information potentially useful for the V.A. The technical information to be acquired includes:
  • Network structure (reverse engineering to derive network topology).
  • Identification and classification of servers and “critical” network devices from an architectural point of view of security.
  • Identification of operating systems used (O.S. fingerprint).
  • Finding public information on the applications used.
  2. Vulnerability Assessment.
Vulnerability detection of target objects. The tiger team will conduct authorized attacks using public or specially developed tools to search for vulnerabilities in the target analyzed in order to obtain access permissions to the systems. The identification of the vulnerabilities present will also be used to identify compromised (or compromisable) systems to be used in the subsequent phases as a means (escalating point) to carry out further scans or compromises.
  3. Vulnerability classification.
Vulnerability classification of target objects. All identified vulnerabilities will be ranked in order of priority from the most critical to the least critical. This classification will help the decision-making process for securing the IT infrastructure.
  4. Reporting and countermeasures management.
Delivery of documentation on what has been analyzed and suggestions on the adoption of any countermeasures.

I.V.A. REPORT

The report relating to the Internal Vulnerability Assessment includes all the documentation provided at the end of the activity. Figure 2 schematizes the first step, described above, highlighting the reporting phase intended as the output of the I.V.A. activity. The report will contain the following information:
  • List of vulnerabilities associated with the single server / network device, if any.
For each network element analyzed, included in the target, a list of security vulnerabilities and relative description will be provided.
  • Vulnerability classification.
The identified vulnerabilities will be divided into:
    • High (Critical): Vulnerabilities that constitute or may constitute a serious risk to the company.
    • Medium: Medium risk vulnerabilities, exploitable with few attack vectors or with little impact for the company.
    • Low: Vulnerabilities with little or no impact on business productivity.
  • List of actions to eliminate or reduce the vulnerabilities affecting the system.
  • Best practice.
Set of rules and behaviors suggested to maintain a high and acceptable level of security. These indications may be provided as a list of actions to be performed, usually in relation to an activity, or as a methodological process in the form of a flow chart.

EXTERNAL VULNERABILITY ASSESSMENT (E.V.A.)

TARGET E.V.A.

Based on some considerations, the Target is identified in the perimeter network devices seen as physical separators between the LAN and the Internet (trusted network and untrusted network). Subsequently it will be possible to modify the Target based on further observations and the result of the V.A. The target object of the proposal includes the following network devices:
  1. Security device.
    1. Firewall.
    2. VPN Terminators.
    3. Access Points / Radio bridges.
  2. Application server.

STEPS E.V.A.

The project is divided into the following phases:
  1. Reconnaissance phase.
Acquisition of all information potentially useful for the V.A. The technical information to be acquired includes:
  • Perimeter network structure (reverse engineering to derive network topology).
  • Identification and classification of servers and “critical” network devices from an architectural point of view of security.
  • Identification of operating systems used (O.S. fingerprint).
  • Identification of remote access methodology.
  • Finding public information on the company requesting the security test.
  • Finding public information on the applications used.
  2. Vulnerability Assessment.
Vulnerability detection of target objects. The tiger team will conduct authorized attacks using public or specially developed tools to search for vulnerabilities in the target analyzed in order to obtain access permissions to the systems. The identification of the vulnerabilities present will also be used to identify compromised (or compromisable) systems to be used in the subsequent phases as a means (escalating point) to carry out further scans or compromises.
  3. Vulnerability classification.
Vulnerability classification of target objects. All identified vulnerabilities will be ranked in order of priority from the most critical to the least critical. This classification will help the decision-making process for securing the IT infrastructure.
  4. Reporting and countermeasures management.
Delivery of documentation on what has been analyzed and suggestions on the adoption of any countermeasures.

REPORT E.V.A.

The report relating to the External Vulnerability Assessment includes all the documentation provided at the end of the related activity. Figure 3 schematizes the second step, described above, highlighting the reporting phase intended as the output of the activity of E.V.A. The report will contain the following information:
  • List of vulnerabilities associated with the single server / network device, if any.
For each network element analyzed, included in the target, a list of security vulnerabilities and relative description will be provided.
  • Vulnerability classification.
The identified vulnerabilities will be divided into:
    • High (Critical): Vulnerabilities that constitute or may constitute a serious risk to the company.
    • Medium: Medium risk vulnerabilities, exploitable with few attack vectors or with little impact for the company.
    • Low: Vulnerabilities with little or no impact on business productivity.
  • List of actions to eliminate or reduce the vulnerabilities affecting the system.
  • Best practice.
Set of rules and behaviors suggested to maintain a high and acceptable level of security. These indications may be provided as a list of actions to be performed, usually in relation to an activity, or as a methodological process in the form of a flow chart.

INTERNAL PENETRATION TEST (I.P.T.)

TARGET I.P.T.

Based on some considerations, the Target is identified in the LAN (connection to any segment of the LAN), seen as a weak link in the network infrastructure. Subsequently it will be possible to modify the Target based on further observations and the result of the V.A. The target object of the proposal includes the following devices within the LAN:
  1. Network device.
  2. Security device.
  3. Application server.
  4. Storage server.

I.P.T. PHASES

  1. Exploiting server application.
This phase develops on the basis of the information obtained from the I.V.A. Based on the analyses previously obtained, the tiger team selects / implements the appropriate set of attacks in order to compromise the application servers.
  2. Penetrating Network.
The tiger team uses attack techniques to evade Network Security systems.
  3. Privilege escalation.
The tiger team focuses on compromised targets also used as attack vectors.
  4. Reporting and countermeasures management.
Delivery of documentation on what has been analyzed and suggestions on the adoption of any countermeasures.

I.P.T. REPORT

The report relating to the Internal Penetration Test includes all the documentation provided at the end of the related activity. Figure 4 shows the third step, described above, highlighting the reporting phase intended as the output of the I.P.T. The report will contain the following information:
  • Methods of attack (exploit) used.
A description of the attack methods used and their use in the target environment in order to violate the analyzed systems will be provided.
  • List of actions to eliminate or reduce the vulnerabilities affecting the system.
  • Best practice.
Set of rules and behaviors suggested to maintain a high and acceptable level of security. These indications may be provided as a list of actions to be performed, usually in relation to an activity, or as a methodological process in the form of a flow chart.

EXTERNAL PENETRATION TEST (E.P.T.)

TARGET E.P.T.

Based on some considerations, the Target is identified in the perimeter network devices seen as physical separators between the LAN and the Internet (trusted network and untrusted network). Subsequently it will be possible to modify the Target based on further observations and the result of the V.A. The target object of the proposal includes the following network devices:
  1. Security device.
    1. Firewall.
    2. VPN Terminators.
    3. Access Points / Radio bridges.
  2. Application server

E.P.T. PHASES

  1. Exploiting server application.
This phase is developed on the basis of the information obtained from the E.V.A. Based on the analyses previously obtained, the tiger team selects / implements the appropriate set of attacks in order to compromise the application servers.
  2. Penetrating Network.
The tiger team uses attack techniques to evade Network Security systems.
  3. Privilege escalation.
The tiger team focuses on compromised targets also used as attack vectors.
  4. Reporting and countermeasures management.
Delivery of documentation on what has been analyzed and suggestions on the adoption of any countermeasures.

E.P.T. REPORT

The report relating to the External Penetration Test includes all the documentation provided at the end of the related activity. The report will contain the following information:
  • Methods of attack (exploit) used.
A description of the attack methods used and their use in the target environment in order to violate the analyzed systems will be provided.
  • List of actions to eliminate or reduce the vulnerabilities affecting the system.
  • Best practice.
Set of rules and behaviors suggested to maintain a high and acceptable level of security. These indications may be provided as a list of actions to be performed, usually in relation to an activity, or as a methodological process in the form of a flow chart.
