Our Services

Vulnerability assessments

A vulnerability assessment is a process intended to identify security weaknesses in systems and the risks they pose. It typically relies on automated testing tools, such as network security scanners, and its findings are collected in a vulnerability assessment report.

Organizations of any size, or even individuals who face an increased risk of cyberattacks, can benefit from some form of vulnerability assessment, but large enterprises and other types of organizations that are subject to ongoing attacks will benefit most from vulnerability analysis.

Because security vulnerabilities can enable hackers to access IT systems and applications, it is essential for enterprises to identify and remediate weaknesses before they can be exploited. A comprehensive vulnerability assessment along with a management program can help companies improve the security of their systems.

Importance of vulnerability assessments

A vulnerability assessment provides an organization with information on the security weaknesses in its environment and provides direction on how to assess the risks associated with those weaknesses and evolving threats. This process offers the organization a better understanding of its assets, security flaws and overall risk, reducing the likelihood that a cybercriminal will breach its systems and catch the business off guard.

Types of vulnerability assessments

Vulnerability assessments depend on discovering different types of system or network vulnerabilities, which means the assessment process includes using a variety of tools, scanners and methodologies to identify vulnerabilities, threats and risks.

Some of the different types of vulnerability assessment scans include the following:

  • Network-based scans identify reachable hosts, open ports and exposed services on wired or wireless networks, and flag systems running vulnerable or unpatched network services that an attacker could target.
  • Host-based scans locate and identify vulnerabilities in servers, workstations and other network hosts. They usually examine the same ports and services visible to a network-based scan, but because they run with local (authenticated) access they give far greater visibility into configuration settings, installed software and patch history.
  • Wireless network scans of an organization's Wi-Fi networks focus on the wireless infrastructure itself: identifying rogue access points and validating that encryption, authentication and segmentation are securely configured.
  • Application scans test websites and web applications for known software vulnerabilities and misconfigurations, both in the application and in the web and application servers behind it.
  • Database scans identify weak points in database servers, such as default or weak credentials, missing patches, excessive privileges and insecure configuration. Note that SQL injection is an application-layer flaw: a database scan can limit the damage an injection does (for example by flagging over-privileged application accounts) but cannot by itself prevent it; that is the job of application testing and parameterised queries.

Vulnerability assessments vs. penetration tests

A vulnerability assessment often includes a penetration testing component to identify vulnerabilities in an organization's personnel, procedures or processes that might not be detectable with network or system scans. The process is sometimes referred to as vulnerability assessment/penetration testing, or VAPT.

However, penetration testing is not sufficient as a complete vulnerability assessment and is, in fact, a separate process. A vulnerability assessment aims to uncover vulnerabilities in a network and recommend the appropriate mitigation or remediation to reduce or remove the risks.

A vulnerability assessment uses automated network security scanning tools. The results are listed in the vulnerability assessment report, which focuses on giving enterprises a prioritised list of vulnerabilities that need to be fixed, without evaluating specific attack goals or scenarios.

Organizations should employ vulnerability testing on a regular basis to ensure the security of their networks, particularly when changes are made, e.g., services are added, new equipment is installed or ports are opened.

In contrast, penetration testing identifies vulnerabilities in a network and then attempts to exploit them to attack the system. Although sometimes carried out in concert with vulnerability assessments, the primary aim of penetration testing is to confirm that a vulnerability really exists and to demonstrate the impact an attacker could achieve by exploiting it against the application or network.

While a vulnerability assessment is usually automated to cover a wide variety of unpatched vulnerabilities, penetration testing generally combines automated and manual techniques to help testers delve further into the vulnerabilities and exploit them to gain access to the network in a controlled environment.

EXTERNAL PENETRATION TEST

An External Penetration Test differs from a vulnerability assessment in that it actually exploits the vulnerabilities found to determine what is really exposed to the outside world. An External Penetration Test mimics the actions of a real attacker exploiting weaknesses in the network security, without the damage a real attack would cause. This test examines external IT systems for any weakness that could be used by an external attacker to compromise the confidentiality, integrity or availability of the network, allowing the organisation to address each weakness.

HackLabs’ External Penetration Test follows best-practice penetration testing methodology, which includes:

  • Footprinting
  • Public Information & Information Leakage
  • DNS Analysis & DNS Bruteforcing
  • Port Scanning
  • System Fingerprinting
  • Services Probing
  • Exploit Research
  • Manual Vulnerability Testing and Verification of Identified Vulnerabilities
  • Intrusion Detection/Prevention System Testing
  • Password Service Strength Testing
  • Remediation Retest (optional)
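The port scanning, system fingerprinting and service probing steps above (and the network-based scan type described earlier) come down to the same mechanics: connect to each port, read whatever the service announces, and match it against known banners. The following is an added example of that loop, not code from the page or from HackLabs' own tooling. It spins up two throw-away local listeners with constructed banners so it runs offline; the fingerprint table and the banner strings are illustrative assumptions.

```python
"""Added example: minimal TCP port scan with banner grabbing and service
fingerprinting, run against constructed local listeners so it works offline."""
import re
import socket
import threading

# Constructed banner -> service table; a real scanner carries thousands of these.
FINGERPRINTS = [
    (re.compile(r"^SSH-(?P<proto>\d\.\d)-(?P<product>\S+)"), "ssh"),
    (re.compile(r"^220 .*ESMTP", re.I), "smtp"),
    (re.compile(r"^220 .*FTP", re.I), "ftp"),
]


def grab_banner(host, port, timeout=1.0):
    """Connect to host:port; return (is_open, banner). banner is '' when the
    service waits for the client to speak first (as HTTP does)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                data = b""
        return True, data.decode("latin-1", "replace").strip()
    except OSError:  # connection refused, timeout, unreachable
        return False, ""


def fingerprint(banner):
    """Map a banner to a service name, extracting the product string if present."""
    for pattern, service in FINGERPRINTS:
        match = pattern.search(banner)
        if match:
            return service, match.groupdict().get("product", "")
    return ("unknown", "") if banner else ("no-banner", "")


def scan(host, ports):
    """Return {port: {"banner", "service", "product"}} for each open port."""
    results = {}
    for port in ports:
        is_open, banner = grab_banner(host, port)
        if is_open:
            service, product = fingerprint(banner)
            results[port] = {"banner": banner, "service": service, "product": product}
    return results


def start_fake_service(banner, host="127.0.0.1"):
    """Constructed target: a listener that sends `banner` to each client and
    hangs up. Returns the ephemeral port it was bound to."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port(host="127.0.0.1"):
    """Pick a port that is (almost certainly) closed: bind, read the number, release."""
    with socket.socket() as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


def demo():
    """Scan three constructed ports: an SSH banner, an SMTP banner and a closed port."""
    ssh = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")
    smtp = start_fake_service(b"220 mail.example.test ESMTP Postfix\r\n")
    closed = closed_port()
    return {"ssh": ssh, "smtp": smtp, "closed": closed,
            "results": scan("127.0.0.1", [ssh, smtp, closed])}


if __name__ == "__main__":
    for port, info in demo()["results"].items():
        print(f"{port}/tcp open  {info['service']:<8} {info['product']}  {info['banner']!r}")
```

The product string pulled from the SSH banner ("OpenSSH_8.9p1") is what feeds the exploit research step: it is matched against vulnerability databases to decide which known issues are worth verifying by hand.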

WHY SHOULD I PERFORM AN EXTERNAL PENETRATION TEST?

IT Security Compliance regulations and guidelines (GLBA, NCUA, FFIEC, HIPAA, etc.) require an organisation to conduct independent testing of the Information Security Program to identify vulnerabilities that could result in unauthorised disclosure, misuse, alteration or destruction of confidential information, including Non-Public Personal Information (NPPI).

The Internet-facing components (website, email servers, etc.) of the organisation’s network are constantly exposed to threats from hackers.

Best practice is for each organisation to perform an External Penetration Test in addition to regular security assessments in order to verify the security of its external network.

INTERNAL PENETRATION TEST

An Internal Penetration Test differs from a vulnerability assessment in that it actually exploits the vulnerabilities found to determine what is really exposed. An Internal Penetration Test mimics the actions of a real attacker exploiting weaknesses in network security, without the damage a real attack would cause. This test examines internal IT systems for any weakness that could be used to compromise the confidentiality, integrity or availability of the network, allowing the organisation to address each weakness.

HackLabs' Internal Penetration Test follows documented security testing methodologies which can include:

  • Internal Network Scanning
  • Port Scanning
  • System Fingerprinting
  • Services Probing
  • Exploit Research
  • Manual Vulnerability Testing and Verification
  • Manual Configuration Weakness Testing and Verification
  • Limited Application Layer Testing
  • Firewall and ACL Testing
  • Administrator Privileges Escalation Testing
  • Password Strength Testing
  • Network Equipment Security Controls Testing
  • Database Security Controls Testing
  • Internal Network Scan for Known Trojans
  • Third-Party/Vendor Security Configuration Testing

Xhackster's Internal Penetration Test also includes access to the Xhackster Customer Portal, which provides resources to assist in the remediation of discovered security vulnerabilities.

The report generated as the output of this work is designed for both executive/board level and technical staff.

WHY SHOULD WE PERFORM AN INTERNAL PENETRATION TEST?

Internal Penetration Testing allows organisations to test what an attacker with the equivalent of internal access could do: whether they could perform unauthorised disclosure, misuse, alteration or destruction of confidential information, including Non-Public Personal Information (NPPI).

The internal network (file servers, workstations, etc.) of the organisation is exposed to threats such as external intruders who have breached perimeter defences, and malicious insiders attempting to access or damage sensitive information or IT resources. Organisations are therefore encouraged to test the internal network at least as frequently as they test the external perimeter.

Best practice recommends that each organisation perform an Internal Penetration Test as part of its regular security program in order to verify the security of its internal network defences.

WEB APPLICATION PENETRATION TEST

Web applications have become common targets for attackers. Attackers can leverage relatively simple vulnerabilities to gain access to confidential information, which often includes personally identifiable information.

While traditional firewalls and other network security controls are an important layer of any Information Security Program, they can’t defend or alert against many of the attack vectors specific to web applications. It is critical for an organisation to ensure that its web applications are not susceptible to common types of attack.

Best Practice suggests that an organisation should perform a web application test in addition to regular security assessments in order to ensure the security of its web applications.

Xhackster Web Application Testing methodology is based on the Open Web Application Security Project (OWASP) methodology which includes:

  • Software Infrastructure/Design Weaknesses
  • Input Validation Attacks
  • Cross Site Scripting Attacks
  • Injection Attacks (including SQL Injection)
  • CGI Vulnerabilities
  • Password Cracking
  • Cookie Theft
  • User Privilege Elevation
  • Web/Application Server Insecurity
  • Security of Plug-In Code
  • 3rd Party Software Vulnerabilities
  • Database Vulnerabilities
  • Privacy Exposures

Xhackster's Web Application Penetration Tests are performed by experienced security engineers with many years of experience testing online applications. The Xhackster web application testing methodology combines manual techniques with automated tools to broaden application coverage. This allows Xhackster's consultants to consistently find vulnerabilities beyond what automated scanning tools alone would find.

What is Code Review?

Code Review is a systematic examination of source code that finds defects and vulnerabilities, such as buffer overflows and memory leaks, so they can be removed before the code ships.

  • Technical reviews are well documented and use a well-defined defect detection process that includes peers and technical experts.
  • It is ideally led by a trained moderator, who is NOT the author.
  • This kind of review is usually performed as a peer review without management participation.
  • Reviewers prepare for the review meeting and prepare a review report with a list of findings.
  • Technical reviews may be quite informal or very formal and can serve a number of purposes, including but not limited to discussion, decision making, evaluation of alternatives, finding defects and solving technical problems.

What is PCI DSS Compliance?

PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the PCI Security Standards Council to reduce payment card fraud. Any organization that stores, processes or transmits cardholder data must comply with PCI DSS. Compliance validation is performed by a Qualified Security Assessor (QSA), by an Internal Security Assessor (ISA), or through a Self-Assessment Questionnaire (SAQ) for companies with smaller volumes of cardholder data.

PCI DSS is a global standard. It is not itself a law in the United States, although several states reference it or impose their own cardholder-data and breach-notification requirements. It is enforced contractually by the card brands and acquiring banks, and non-compliance more often than not results in hefty fines for the company.

Why is PCI DSS Important?

Compliance with PCI DSS means that you are taking appropriate steps to protect cardholder data from theft and fraudulent use. It matters as much to your business as to your customers, because a cyber-attack can mean loss of revenue, customers, brand reputation and trust.

Data breaches are a regular occurrence for small businesses, which are often less equipped to put security measures in place. In the UK, for example, the Information Security Breaches Survey 2015 found that 74% of small organisations had reported a security breach in the previous year.

With that in mind, it is more important than ever to take responsibility for your customers' data and make the appropriate provisions to keep it secure.

What Do I Need to Do to Become PCI DSS Compliant?

For organizations that want to become PCI DSS compliant, the first step is to understand how payment data is captured, stored and transmitted. Many companies use a fully hosted payment solution, which narrows the scope of systems they must secure and assess.

Compliance is measured by the merchant or service provider completing an audit of their cardholder data environment against the standard.

As defined by IT Governance, “The standard requires merchants and member service providers (MSPs) involved with storing, processing or transmitting cardholder data to:

  • Build and maintain a secure IT network;
  • Protect cardholder data;
  • Maintain a vulnerability management program;
  • Implement strong access control measures;
  • Regularly monitor and test networks;
  • Maintain an information security policy.”

These are broken down further into 12 requirements that every merchant or MSP must meet in order to be compliant.

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.

Include policies, procedures and processes for retaining and disposing of data, ensuring that it is always up to date and accurate. Sensitive authentication data must never be stored after authorisation: the full contents of the magnetic stripe (or its chip equivalent), the card verification code (CVV2/CVC2/CID) and the PIN or PIN block. Where the primary account number (PAN) is stored it must be rendered unreadable, for example by strong encryption, truncation or tokenisation, and it should be masked when displayed.
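The storage rules in Requirement 3 are concrete enough to encode. The following is an added example, not code from the page or any PCI artefact: a gate that a payment record passes through before anything is persisted. It refuses sensitive authentication data, validates the PAN with the Luhn check, and keeps only a masked PAN (first six and last four digits) for display plus a keyed one-way reference for lookups. The record layout and the HMAC key are illustrative assumptions; in production the key lives in an HSM or key-management service, and full PANs, if they must be kept at all, are encrypted under a separately managed key.

```python
"""Added example: a PCI DSS Requirement 3 storage gate for cardholder data."""
import hashlib
import hmac
import re

# Fields that must never be stored after authorisation.
SENSITIVE_AUTHENTICATION_DATA = {"track1", "track2", "cvv", "cvc", "cid", "pin", "pin_block"}

# Assumed key; hard-coding it is only to keep the example self-contained.
TOKEN_KEY = b"example-only-key-rotate-me-00000"


class SensitiveDataError(ValueError):
    """Raised when a record carries data that may not be stored."""


def luhn_valid(pan):
    """Luhn check-digit validation; catches typos and obviously fake numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display masking: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan):
    """Keyed one-way reference usable for lookups and de-duplication without
    the PAN. An unkeyed hash is not enough: PANs have little entropy and can be
    brute-forced from a plain hash, which is why the key must be protected."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record):
    """Reduce an authorisation record to what may persist after authorisation."""
    present = SENSITIVE_AUTHENTICATION_DATA & {k.lower() for k in record}
    if present:
        raise SensitiveDataError(
            f"refusing to store sensitive authentication data: {sorted(present)}")
    pan = re.sub(r"[\s-]", "", str(record["pan"]))
    if not luhn_valid(pan):
        raise ValueError("PAN failed format or Luhn check")
    return {
        "pan_masked": mask_pan(pan),
        "pan_ref": pan_reference(pan),
        "expiry": record.get("expiry"),
        "cardholder": record.get("cardholder"),
    }


if __name__ == "__main__":
    # Constructed record using a well-known test number, not a real card.
    print(prepare_for_storage({"pan": "4111 1111 1111 1111", "expiry": "12/29",
                               "cardholder": "A N Other"}))
    try:
        prepare_for_storage({"pan": "4111111111111111", "cvv": "123"})
    except SensitiveDataError as exc:
        print("blocked:", exc)
```

The gate fails closed: a record that carries a CVV is rejected outright rather than silently stripped, which makes the upstream bug (something still passing the CVV along after authorisation) visible in the application logs instead of hidden.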

  4. Encrypt transmission of cardholder data across open, public networks.

Examples of open, public networks include the internet, wireless technologies such as Wi-Fi and Bluetooth, GPRS and satellite communications. Strong cryptography (for example, current TLS) must protect cardholder data in transit over them, and unprotected PANs must never be sent by end-user messaging such as email or instant messaging.

  5. Use and regularly update anti-virus software or programs.

Protect all systems commonly affected by malware and keep antivirus engines and definitions up to date to guard against viruses, worms and Trojans. Antivirus tools must be actively running and must not be disabled or altered by users unless specifically authorised by management on a case-by-case basis for a limited period.

  6. Develop and maintain secure systems and applications.

This means tracking vendor security updates and applying them promptly (critical patches within one month of release), and developing applications according to secure coding guidelines so that they are not exposed to the latest vulnerabilities.

  7. Restrict access to cardholder data by business need-to-know.

Systems and processes need to define WHO has access to this data and WHY they need it. Access should be granted only to people who need it to perform their role, with everything else denied by default.

  8. Assign a unique ID to each person with computer access.

This means knowing who is accessing what at any time, so that only people with proper authorization are allowed into specific systems and components, and every action in the logs can be tied to an individual. Two-factor authentication, such as smart cards, hardware tokens or biometrics in addition to a password, strengthens this further.

  9. Restrict physical access to cardholder data.

Data loss is also possible through physical security breaches, so access to physical records must be limited and monitored. Server rooms and data centres should be access-restricted, media should be securely destroyed when no longer needed, and devices that carry or capture card data should be protected from tampering and inspected regularly.

  10. Track and monitor all access to network resources and cardholder data.

Logging all access is required to detect and limit a data breach. Secure, tamper-resistant audit trails should record every individual user's access to cardholder data, actions taken with administrative privileges, access to the audit trails themselves, invalid login attempts, use of and changes to identification and authentication mechanisms, and creation or deletion of system-level objects. These logs should be reviewed regularly.
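"Reviewed regularly" is the part that tends to be neglected, because it means reading the logs for the events listed above, not merely collecting them. The following is an added example, not code from the page, of a review pass over constructed audit-log lines: it flags bursts of invalid login attempts per user (and a success that follows one), any change to an authentication mechanism, and deletion of system-level objects. The log format, event names and thresholds are illustrative assumptions; the parser would be adapted to the real log sources.

```python
"""Added example: a Requirement 10 style review over constructed audit-log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format: ISO timestamp, event, user, source, detail.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z LOGIN_FAILED user=jsmith src=10.0.5.7 detail=bad_password
2024-03-01T09:00:04Z LOGIN_FAILED user=jsmith src=10.0.5.7 detail=bad_password
2024-03-01T09:00:07Z LOGIN_FAILED user=jsmith src=10.0.5.7 detail=bad_password
2024-03-01T09:00:09Z LOGIN_FAILED user=jsmith src=10.0.5.7 detail=bad_password
2024-03-01T09:00:12Z LOGIN_FAILED user=jsmith src=10.0.5.7 detail=bad_password
2024-03-01T09:00:15Z LOGIN_FAILED user=jsmith src=10.0.5.7 detail=bad_password
2024-03-01T09:01:00Z LOGIN_OK user=jsmith src=10.0.5.7 detail=-
2024-03-01T09:30:00Z CHD_ACCESS user=jsmith src=10.0.5.7 detail=table=card_vault
2024-03-01T10:15:22Z AUTH_MECH_CHANGE user=svc_deploy src=10.0.9.2 detail=mfa_disabled
2024-03-01T11:02:10Z OBJECT_DELETE user=root src=10.0.9.2 detail=object=/var/log/audit/audit.log
2024-03-01T11:40:00Z LOGIN_FAILED user=mjones src=203.0.113.9 detail=bad_password
2024-03-01T12:40:00Z LOGIN_FAILED user=mjones src=203.0.113.9 detail=bad_password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+) detail=(?P<detail>.*)$")

# Assumed review thresholds: six or more failures within five minutes, per user.
FAIL_THRESHOLD = 6
FAIL_WINDOW = timedelta(minutes=5)


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped (count them in practice)."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        rec = match.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def review(events):
    """Return a list of (severity, message) findings from a single pass."""
    findings = []
    failures = defaultdict(list)   # user -> timestamps of recent failures
    burst_users = set()
    for e in events:
        user, event = e["user"], e["event"]
        if event == "LOGIN_FAILED":
            # Keep only failures inside the sliding window, then check the count.
            recent = [t for t in failures[user] if e["ts"] - t <= FAIL_WINDOW]
            recent.append(e["ts"])
            failures[user] = recent
            if len(recent) == FAIL_THRESHOLD:
                findings.append(("high", f"{FAIL_THRESHOLD} failed logins for {user} "
                                         f"from {e['src']} within {FAIL_WINDOW}"))
                burst_users.add(user)
        elif event == "LOGIN_OK" and user in burst_users:
            findings.append(("high", f"successful login for {user} after a failure burst "
                                     f"(possible guessed password)"))
        elif event == "AUTH_MECH_CHANGE":
            findings.append(("high", f"authentication mechanism changed by {user}: {e['detail']}"))
        elif event == "OBJECT_DELETE":
            findings.append(("medium", f"system-level object deleted by {user}: {e['detail']}"))
    return findings


if __name__ == "__main__":
    for severity, message in review(parse(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

In the sample, jsmith's six failures followed by a success and then access to the card vault is exactly the sequence a reviewer should escalate, while mjones's two failures an hour apart stay below the threshold. The deletion of the audit log itself is logged because the audit trail has to be written somewhere the deleting account cannot alter it.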

  11. Regularly test security systems and processes.

Penetration testing is an important part of an IT security team's toolkit and should be carried out at least annually, as well as after any significant change to the network. This requirement also covers quarterly internal and external vulnerability scans (external scans by an Approved Scanning Vendor), rescans after significant network changes, and checks for unauthorised wireless access points.

  12. Maintain a policy that addresses information security for employees and contractors.

Review it at least annually and update it whenever the risk environment changes. A risk assessment should be carried out to identify threats and vulnerabilities, so that the policy and the incident response plan can be based on it. Once the policy is in place, a security awareness program must be maintained to inform staff of any new security procedures.

What Does this Mean for My Business?

Businesses that are looking to become PCI DSS compliant should follow the checklist published by Tripwire. The PCI Security Standards Council also has a great library of resources.

The requirements of PCI DSS are general cybersecurity best practices. If you are not already familiar with the EU GDPR, which comes into effect in May 2018, you should be aware that it contains many of the same best-practice requirements. Whatever the size of your business, you should be protecting your network and infrastructure not only to be compliant, but also to protect the most valuable asset you have as a business: your data.

Public Key Infrastructure (PKI) is a sound way to control access to your data. Using PKI, you can issue an identity, in the form of a digital certificate, to every internal system and component in your organization that communicates with another. These certificates can be used to identify and authenticate users, machines and devices (enabling identity- or privilege-based access control), to encrypt communications and data transmissions, and to ensure the integrity of transmitted data.

Social engineering simulation

  • Simulate a social engineering attack on elements of your organisation
  • Gauge the effectiveness of information security awareness training
  • Improve the resilience of your organisation to social engineering and phishing attacks

The majority of recent high-profile cyber attacks against top-tier organisations have succeeded by breaching the perimeter through targeted social engineering attacks, otherwise known as ‘spear phishing’.

These attacks identify the contact details of potentially vulnerable people within the organisation and use a specially crafted attack vector that is likely to result in the execution of malicious code. Typically this involves an email that would be of interest to the victim, with malware embedded in the email itself or carried as an attachment.

Once the code has executed, it uses weaknesses in the network architecture to establish command-and-control connections with the attacker, who can then attack internal network resources. It is then generally straightforward to identify accessible stores of internal information (since access has been gained with the credentials of the compromised user) and export them over the Internet using normally benign and innocuous protocols such as ordinary web connections.

Other attack vectors often include phone calls to staff, usually under the guise of IT personnel or a senior member of staff, attempting to entice them into performing a task that would also have adverse consequences for the organisation’s information security.

A defence-in-depth strategy for the protection of information assets should include all elements of security controls, including physical, procedural and technical. As such, it is essential that personnel within the organisation are adequately briefed on information security awareness, how to identify and report potentially malicious emails and the inherent risks associated with opening them.

The Xhackster simulation will effectively identify an organisation’s susceptibility to social engineering attacks, whether delivered via email, instant messaging, telephone calls or face-to-face within the client’s premises. As part of the assessment, we can use open source intelligence gathering to attempt to identify people within the organisation or target a specific team or function that the client determines should be the subject of the investigation.

We will then systematically target those individuals with a bespoke attack which we believe (in co-ordination with the client) has the highest probability of success. All attempts will incorporate a means to measure the success and may also determine whether it would be possible to breach the architecture and establish outbound command and control connections.

The output of the exercise will report on the effectiveness of information security awareness within the organisation, give statistics on successful and unsuccessful attempts, state whether it was possible to compromise the perimeter, and provide a detailed set of issues alongside pragmatic remedial activities that can be used to make improvements.