Successful Security Assessment Programs
Recently I gave a presentation at the “SANS Penetration Testing Summit ” titled "Zen and The Art Of An Internal Penetration Testing Program". This presentation outlines the steps required to create a successful program and perform internal penetration testing. There are several key components that must exist to create a successful program:
- Getting Management Buy-In - This is the first and most important step. Management must understand the testing strategy and be kept in the loop on the results and remediation. Business units must also be consulted to determine the impact scanning will have on their environment to establish a schedule for scanning. It does not matter what kind of testing you plan to perform, from vulnerability scans with Nessus to full-blown penetration testing, you must get the approval from management.
- Identify The Types Of Testing You Will Perform - This step is essential as it helps you define goals and develop a plan to accomplish them. To have a successful test you must accurately define the targets, enumerate the services, and determine the operating system of the hosts you will be testing. Without this information it is difficult to determine the vulnerabilities and associated risk each host/service will present. Nessus, in conjunction with Security Center and PVS, is a great tool to collect this information. There are several methods of target identification and service enumeration included in these products. The Security Center console provides an interface to manage the scanning and produce reports.
- Create A Workflow For Reporting - Reports are similar to logs in that they are only useful if the right people are reading them. There are two important points with respect to report workflow. First, make sure the group responsible for the security and administration of the systems you are testing is made aware of your findings and given a chance to respond before the report goes to their management. Making administrators look bad tends to foster resentment instead of cooperation. Second, create a management plan to remediate all of the vulnerabilities. It is counterproductive to find vulnerabilities and not work with the respective teams to implement the appropriate fixes.
The presentation also provides several tips for internal penetration testing, including:
- Target identification
- Detect OS & Services
- Identify Vulnerabilities
- Exploitation
- Post-Exploitation
- Reporting
In my experience, Nessus has been a key component to an internal penetration or vulnerability assessment program. It automates a key portion of the testing, allowing you to find the areas of risk in your network and remediate them on a regular basis. You can download the slides from my presentation and use them as a guide to create your own internal assessment program.
References
Related Articles
CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
September 16, 2024Tenable Research discovered a remote code execution (RCE) vulnerability in Google Cloud Platform (GCP) that is now fixed and that we dubbed CloudImposer. The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool. Tenable Research also found risky guidance in GCP documentation that customers should be aware of.
Cybersecurity Snapshot: Russia-backed Hackers Aim at Critical Infrastructure Orgs, as Crypto Fraud Balloons
September 13, 2024Critical infrastructure operators must beware of Russian military hacking groups. Plus, cyber scammers are having a field day with crypto fraud. Meanwhile, AI and cloud vendors face stricter reporting regulations in the U.S. And get the latest on AI-model risk management and on cybersecurity understaffing!
Microsoft’s September 2024 Patch Tuesday Addresses 79 CVEs (CVE-2024-43491)
September 10, 2024Microsoft addresses 79 CVEs with seven critical vulnerabilities and four zero-day vulnerabilities, including three that were exploited in the wild.
