Module 3 P

The document outlines various types of security assessments, including penetration testing, vulnerability scanning, and code reviews, emphasizing their importance in identifying and mitigating weaknesses in systems. It details the steps involved in penetration testing, such as planning, reconnaissance, exploitation, and reporting, while also discussing different assessment methodologies and tools. Additionally, it highlights the significance of maintaining the confidentiality, integrity, and availability (C.I.A.) of data and systems against potential threats.


Security Assessment

This Week’s Objectives
• Describe the different types of security assessments and testing
• Describe steps involved in a typical end-to-end penetration testing

2
Cybersecurity Protects C.I.A.

• Confidentiality
• Controlling access to data/systems

• Integrity
• Preventing tampering with data/systems

• Availability
• Ensuring access to data/systems
Many Ways Attackers Can Breach C.I.A.
TARGET: Systems
• Malware (e.g., RAT = Remote Access Trojan)
• SQL Injection (SQLi) / Cross-Site Scripting (XSS)
• Remote Code Execution (RCE)
  E.g., buffer overflow (BoF), file upload
• Exploit weak configurations
  E.g., Password = cisco, unprotected admin page

TARGET: Humans
• Social Engineering
• Phishing

5
C.I.A. Protection Strategy

Security Solutions
• Firewall and Intrusion Protection (IPS)
• Intrusion Detection (IDS)
• SIEM (security information and event management)
• Antimalware
• User/Entity behaviour analytics
• Incident Response
• Educating users
• Design secure systems
• Access control
• Configuration hardening
• Patching and upgrades
• Write secure code

We will cover these techniques in detail later in the course. For this lecture, we focus on the question: Are these really working?
Security Testing
6
Goals of Security Testing

Find weaknesses (or vulnerabilities) in applications and infrastructure (and fix them) before the bad guys do.

7
What is a vulnerability?

“A weakness in software, hardware or an organisation process that can be exploited by an attacker to compromise the C.I.A. of a system or its data”

• Software flaw (bug)
• Design error
• Implementation error
• Misconfiguration
Security Assessment
• Testing/evaluation of administrative, physical and technical controls to
determine the extent that they are…
• Implemented correctly
• Operating as intended
• Producing the right outcome
• Produces a prioritised list of actions to improve the security posture of the
organisation
• Performed periodically
There Are Many Types of Assessments

• Vulnerability Scanning
• Penetration Testing
• Red Teaming
• Configuration Review
• Code Review
• Architecture Review

10
Classifying Security Assessments

Black Box
• Zero knowledge of application/infra
• Focus on exposed weakness
• Cost effective
• Simulated real attack
• Can miss weaknesses

White Box
• Full knowledge of architecture and access to code
• More comprehensive and complete
• Can be time consuming

** Gray Box testing is somewhere in-between (limited knowledge of implementation stack)

11
Classifying Security Assessments

Automated
• Fast
• Cheap
• Not very accurate (lots of false positives)
• No context

Manual
• Interactive
• Slow
• Expensive
• More accurate
• Understands context

** Best solution is to combine automated and manual techniques

12
Classifying Security Assessments

Dynamic
• Code is executed
• Interactive with other components (e.g., database, middleware)
• No need to have source code
• Black box

Static
• Code is not executed
• Binary static
• Source code static (same as code review)
• Bytecode static
• White box

13
Classifying Security Assessments

Application-Specific
• Scope is limited to a single application or infrastructure
• No social engineering
• Less expensive
• Focused on fixing weaknesses in software

Open-Ended
• Scope is the whole organisation
• Can include social engineering
• Can include physical intrusion
• Simulates realistic attack
• Can combine with blue teaming
• More time-consuming and expensive
• Focused on testing holistic defence including detection and response

14
PENETRATION TESTING

A penetration test, colloquially known as a pentest or ethical hacking, is an authorised simulated cyberattack on a computer system, performed to evaluate the security of the system.
Source: wikipedia

15
Penetration Testing Frameworks
Penetration Testing Execution Standard (PTES)
Open Source Security Testing Methodology (OSSTM)
OWASP Testing Guide
PCI (Payment Card Industry) Penetration Testing
Guideline

16
Ethical Hacking Model (PTES = Penetration Testing Execution Standard)

17
Penetration Testing Phases

Planning

Reconnaissance

Enumeration and Vulnerability Analysis

Exploitation

Reporting
18
Planning
Pre-Engagement Recon Scanning Exploitation Reporting

• Understanding and agreeing to:
  • Scope and Goals
  • Constraints
  • Timeframe
  • Communication procedures
  • Methodologies and tools
• Sign engagement letter

19
Reconnaissance
Intelligence Gathering/Foot Printing
Pre-Engagement Recon Scanning Exploitation Reporting

Open Source Intelligence (OSINT)
• Google dorks
• Whois / DNS
• Social Media
• Shodan/Censys/Netcraft
• Kali tools

20
Enumeration and Vulnerability Analysis
Pre-Engagement Recon Scanning Exploitation Reporting

• Active enumeration of hosts and assets
  • Ping sweep
  • Port scanning
  • OS fingerprinting
  • Service identification (banner grabbing)
• Identification of vulnerabilities
  • Looking up known vulnerabilities (ExploitDB)
  • Tools: OpenVAS, Nessus, Nexpose
21
Exploitation
Pre-Engagement Recon Scanning Exploitation Reporting

• Exploit discovered vulnerabilities
  • Automated exploitation
    • Metasploit
    • SQLMap
    • Exploit DB
    • POC codes
  • Manual exploitation
  • Social engineering / physical

22
Reporting
Pre-Engagement Recon Scanning Exploitation Reporting

• Rating risks based on impact and ease of attack
• Remediation recommendations
• Context is important!
  • What data is leaked? Is it sensitive info?
  • Do you need to be inside the network?
  • Do you need to have authenticated?

23
Vulnerability Scanning

A vulnerability scan looks for known security issues by using automated tools to match conditions with known vulnerabilities.
Source: wikipedia

Vulnerability scanning is a technique used to identify hosts/host attributes and associated vulnerabilities.
Source: NIST

24
Vulnerabilities include

Software Bug
• Buffer overflow
• Input validation failures
• Authorisation breakdown
• etc

Misconfiguration
• Default and weak passwords
• Weak protocols
• etc

25
Non-credentialed scanning
• Scans from attacker’s perspective
• Can only evaluate exposed services
• Quick
• False positives based on banner information
• Can be destructive or non-destructive

Credentialed scanning
• Require privileged user account
• Verifies internal configurations
• Checks software versions
• Less false positives
• More comprehensive

26
Vulnerability Scanning Tools
Tenable Nessus
Rapid7 Nexpose
OpenVAS
QualysGuard

27
Automated VA
• Commonly scans networks or web applications for known vulnerabilities
• Good for a broad initial sweep of system
• Not perfect
  • False positives (automated tools don’t verify, only based on returned info)
  • False negatives (automated tools miss stuff)
• Examples: Nessus, OpenVAS, Acunetix
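To make the false-positive and false-negative points above concrete, here is an added Python example (it is not the lecture's code, nor the implementation of Nessus, OpenVAS or any other scanner) that mimics the core of version-based vulnerability matching. A non-credentialed pass has only the service banner to work from; a credentialed pass reads the installed-package record on the host. The catalogue entries (EXAMPLE-0001, EXAMPLE-0002), the hosts, their banners and the "backported fix" flag are all constructed for the example, and nothing here touches the network.

```python
import re

# Constructed example catalogue standing in for the "known vulnerabilities" a
# scanner matches against. The identifiers are placeholders, not real CVEs.
CATALOGUE = [
    {"id": "EXAMPLE-0001", "product": "OpenSSH", "fixed_in": "7.4"},
    {"id": "EXAMPLE-0002", "product": "Apache", "fixed_in": "2.4.50"},
]

# Banner shapes a non-credentialed scanner would recognise (constructed; two products only).
BANNER_RE = re.compile(r"(?P<product>OpenSSH|Apache)[_/](?P<version>\d+(?:\.\d+)*)")


def parse_version(text):
    """Leading dotted number of a version string as a comparable tuple:
    '7.2p2-4ubuntu2.10' -> (7, 2). Distro suffixes are deliberately ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def parse_banner(banner):
    """(product, version tuple) from a banner, or None when nothing is recognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group("product"), parse_version(m.group("version"))


def match_catalogue(product, version):
    """IDs of catalogue entries for `product` whose fix version is newer than `version`."""
    return [e["id"] for e in CATALOGUE
            if e["product"] == product and version < parse_version(e["fixed_in"])]


def non_credentialed_scan(host):
    """Attacker's-eye view: the only evidence is what the service announces."""
    parsed = parse_banner(host["banner"])
    if parsed is None:
        return []  # unrecognised banner: the scanner simply sees nothing
    product, version = parsed
    return [(host["name"], vid) for vid in match_catalogue(product, version)]


def credentialed_scan(host):
    """Logged-in view: uses the package record, and honours fixes the
    distribution backported without bumping the upstream version string."""
    findings = []
    for pkg in host["packages"]:
        for vid in match_catalogue(pkg["product"], parse_version(pkg["version"])):
            if vid in pkg["backported_fixes"]:
                continue  # version looks old, but the fix is present: not a finding
            findings.append((host["name"], vid))
    return findings


def compare_scans(hosts):
    """Classify each banner-based finding against the credentialed result."""
    banner = {f for h in hosts for f in non_credentialed_scan(h)}
    verified = {f for h in hosts for f in credentialed_scan(h)}
    return {
        "confirmed": sorted(banner & verified),
        "false_positives": sorted(banner - verified),
        "false_negatives": sorted(verified - banner),
    }


# Constructed inventory: one backported fix (false positive for the banner scan),
# one genuinely old Apache (true positive), one host whose banner hides the
# product (false negative for the banner scan).
HOSTS = [
    {"name": "web-1", "banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10",
     "packages": [{"product": "OpenSSH", "version": "7.2p2-4ubuntu2.10",
                   "backported_fixes": {"EXAMPLE-0001"}}]},
    {"name": "app-1", "banner": "Server: Apache/2.4.41 (Ubuntu)",
     "packages": [{"product": "Apache", "version": "2.4.41", "backported_fixes": set()}]},
    {"name": "bastion", "banner": "SSH-2.0-hardened",
     "packages": [{"product": "OpenSSH", "version": "7.2", "backported_fixes": set()}]},
]

if __name__ == "__main__":
    for kind, items in compare_scans(HOSTS).items():
        print(f"{kind}: {items}")
```

The banner scan is cheap and needs no account, but it both over-reports (web-1, where the distribution patched the flaw in place) and under-reports (bastion, whose banner was changed). That is exactly why the credentialed result is the one a report should be based on, and why a banner-only finding needs verification before it is rated.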


Penetration Testing vs Vulnerability Assessment

Vulnerability Assessment
• Identifies but does not exploit vulnerabilities
• Hypothesise chained attacks
• Risk assessment based on likelihood and impact
• More focus on configuration and patching

Penetration Testing
• Identifies AND exploits vulnerabilities
• Often chain vulnerabilities
• Often use pivot to maximise reach

29
Cataloguing Vulnerabilities
• CVE - https://cve.mitre.org (moving to cve.org)
o “Common Vulnerabilities & Exposures”
o Maintained by Mitre
o List of publicly disclosed security flaws (vulnerabilities)
o Used to uniquely identify vulnerability and to coordinate efforts
o Links to NVD with more details
• NVD - https://nvd.nist.gov
o “National Vulnerability Database”
o Maintained by NIST
o Details of the vulnerability
✓ Vulnerability score / Links to other analysis / CWE and KEV
CVE - Example
• Unique, common identifiers for publicly known information-security vulnerabilities in publicly released software packages

CVE Example: The #MonikerLink Bug
https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/
CVSS Rating Scale

Rating    CVSS Score
None      0.0
Low       0.1 – 3.9
Medium    4.0 – 6.9
High      7.0 – 8.9
Critical  9.0 – 10.0

35
CVSS Calculator

https://www.first.org/cvss/calculator/3.0

36
CVSS Score Explained
Common Vulnerability Scoring System

CVE unique identifier: CVE-YYYY-XXXX
CVSS scoring (0 – 10)
CWE – Vulnerability Category

37
Vector String

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS:3.0 – Version
AV: Attack Vector (Physical, Adjacent, Local, Network)
AC: Attack Complexity (Low, High)
PR: Privilege Required (N/Y)
UI: User Interaction (N/Y)
S: Scope (Unchanged/Changed)
C: Confidentiality
I: Integrity
A: Availability

38
Base Metric Group
Exploitability metrics
• How difficult is the compromise
• (AV, AC, PR, UI)

Impact metrics
• Direct consequences of
compromise
• (C, I, A), S

University of Adelaide 39
Attack Vector (AV)
What sort of access does the attacker need?

e.g. “An attacker can get admin access to the server when connecting to it from the internet” => Network
https://www.first.org/cvss/v3.1/user-guide

Attack Complexity (AC)
How complex is the exploit?

e.g. “The user must position themselves as a man-in-the-middle for the exploit to work” => High
https://www.first.org/cvss/v3.1/user-guide

User Interaction (UI)
Must a user, other than the attacker, participate in the exploit?

e.g. “A user must click a link for the exploit to work” => Required
https://www.first.org/cvss/v3.1/user-guide

Privileges Required (PR)
What level of privileges are needed?

e.g. “A standard user can gather all user credentials” => Low
https://www.first.org/cvss/v3.1/user-guide

Scope
The ability for a vulnerability in one software component to impact resources beyond its means, or privileges.

e.g. “A vulnerability in a Linux VM that compromises the host OS” => Changed
https://www.first.org/cvss/v3.1/user-guide
Impact – C.I.A.
How the system was impacted

Confidentiality:

Integrity and Availability calculations are (almost) the same as above
https://www.first.org/cvss/v3.1/user-guide
Calculating CVSS
• Weightings and an equation exist to calculate the score, but most people use the calculator:
  https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

• Example: MySQL Stored SQL Injection (CVE-2013-0375)
  – A vulnerability in the MySQL Server database could allow a remote, authenticated user to inject SQL code that runs with high privileges on a remote MySQL Server database. A successful attack could allow any data in the remote MySQL database to be read or modified. The vulnerability occurs due to insufficient validation of user-supplied data as it is replicated to remote MySQL Server instances.
  AV:N
  AC:L
  PR:L
  UI:N
  S:C
  C:L
  I:L
  A:N

CVSS Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Example - Meltdown
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
48
Example – Eternal Blue

49
Other Important Catalogues
• CWE - https://cwe.mitre.org
• Common Weaknesses Enumeration
• Maintained by Mitre
• Catalogue of software and hardware weakness types.
• e.g. CWE-20 – “Improper Input Validation”

• KEV – https://www.cisa.gov
• Known Exploited Vulnerabilities
• Maintained by the Cybersecurity & Infrastructure Security Agency (CISA)
• Used by organisations to prioritise vulnerabilities
CWE – Common Weakness Enumeration
Categories of weaknesses/vulnerabilities
Defined and maintained by MITRE Corporation
Examples:
200 – Information Exposure
20 – Improper Input Validation
332 – Insufficient entropy in PRNG

51
OTHER ASSESSMENT TYPES

52
Vulnerability Configuration
Scanning Review

Penetration
Testing Code Review

Architecture
Red Teaming Review

Red Teaming

53
Red Teaming
Blue Teaming
Purple Teaming
A variant of open-ended penetration testing
Focus on testing the Blue Team capabilities (detection and response)
Purple team allows real-time communication between red and blue team

54
Baseline Configuration Review
Checking configuration of systems against “best practice”
Tools
Microsoft Baseline Security Analyzer (MBSA)
CIS (Center for Internet Security) Benchmarks
Other baseline standards

55
Code Review
• Distinguished from normal code review (e.g., pair programming)
• Use of manual and automated tools to review security of source code
• Automated tools examples
• Bandit (for Python)
• Brakeman (for Ruby on Rails)
• Veracode (various languages)
• Manual verification / review

58
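As an added illustration of what an automated source-code review tool does (example code written for this page; it is not Bandit's, Brakeman's or Veracode's implementation), the following Python walks the abstract syntax tree of a constructed source file without executing it (static analysis in the terms of the earlier classification) and reports three common finding types: a string literal assigned to a name containing "password", a subprocess call with shell=True, and a call to eval. The sample source, SAMPLE_SOURCE, is constructed for the example and deliberately includes a safe argument-list form that the checker should not flag.

```python
import ast

# Constructed sample under review (a string, so it is parsed but never run).
SAMPLE_SOURCE = '''\
import subprocess

DB_PASSWORD = "hunter2"

def run_report(user_filter):
    cmd = "report --filter " + user_filter
    return subprocess.run(cmd, shell=True)

def run_report_safe(user_filter):
    return subprocess.run(["report", "--filter", user_filter])

def load(expr):
    return eval(expr)
'''


def _call_name(func):
    """Dotted name of a call target: Name -> 'eval', Attribute -> 'subprocess.run'."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


class SecurityVisitor(ast.NodeVisitor):
    """Collects (line number, message) findings while walking the tree."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node.func)
        if name == "eval":
            self.findings.append((node.lineno, "use of eval() on caller-supplied text"))
        if name.startswith("subprocess."):
            for kw in node.keywords:
                # Only a literal True is flagged; shell=some_variable is left to manual review.
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, "subprocess call with shell=True"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and "password" in target.id.lower():
                    self.findings.append((node.lineno, "hard-coded password string"))
        self.generic_visit(node)


def scan_source(source):
    """Return sorted (line, message) findings for a Python source string."""
    tree = ast.parse(source)
    visitor = SecurityVisitor()
    visitor.visit(tree)
    return sorted(visitor.findings)


if __name__ == "__main__":
    for line, message in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {message}")
```

The checker never imports or executes the reviewed file, which is what makes it usable on untrusted code and on code that cannot be run in the review environment. It also shows the limits that the slides attribute to automated tools: it only recognises the literal patterns it was written for, so run_report_safe passes because the shell is not involved, but a shell=True passed through a variable, or a secret read from a misnamed constant, would need the manual review the slide lists alongside the tools.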
Management and Control Auditing
• User account management (provisioning / de-provisioning)
• Segregation of Duties
• Change management process
• Information security management and KPI reviews
• Compliance against policies, laws and regulations
• Auditing
• Disaster Recovery and Business Continuity Planning

60
Third Party Assurance
SOC Type 1/2/3

Example AWS SOC3 Report:
https://d1.awsstatic.com/whitepapers/compliance/AWS_SOC3.pdf

61
Lecture 0x03 - Summary
• Different types of security assessments
• Penetration testing steps and methodologies
• Vulnerability assessment
• Code review
• Controls assessment
• Third party assurance

62
