VULNERABILITY ASSESSMENT AND PENETRATION TESTING
Vulnerability assessment helps an organization identify, quantify, and prioritize (or rank) technical vulnerabilities in its systems and networks, as well as find the loopholes in its practices and policies.
It is an efficient way to assess business risk and improve their security posture. Penetration testing will help an organization in evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.
- Get a detailed analysis of your current exposure to breaches that threaten critical information and assets.
- Identify critical security vulnerabilities and address them.
- Get practical and relevant technical information on how these vulnerabilities can be fixed.
- Give assurance to clients and business partners that your solution is secure.
- Help your organization conform to legal and industry regulations.
- Maintain the security levels mandated by common standards such as ISO27001, Sarbanes-Oxley, HIPAA and the Payment Card Industry Data Security Standard.
Lemuria Infosec uses the following methodology for conducting Vulnerability Assessment and Penetration Testing for your organization:
External Penetration Testing is the traditional approach, focused on the servers, infrastructure and underlying software that make up the target. It may be performed with no prior knowledge of the site (black box) or with full disclosure of the topology and environment (crystal box). This type of testing typically involves a comprehensive analysis of publicly available information about the target, followed by a network enumeration phase in which target hosts are identified and analyzed; vulnerabilities within the target hosts or applications are then verified and their implications assessed. This assessment helps an organization evaluate its preparedness against real attacks, significantly reduce IT security costs and obtain a better return on IT security investment (ROSI) by identifying and resolving vulnerabilities and weaknesses. These may be known vulnerabilities in the underlying technologies or weaknesses in the design or implementation.
Internal Security Assessment follows a similar methodology to external testing, but provides a more complete view of the site's security. Testing is typically performed from a number of network access points, representing each logical and physical segment. For example, this may include tiers and DMZs within the environment, the corporate network or partner company connections. Penetration testing, also referred to as a pentest, is a structured methodology used by individuals and organizations to evaluate the security of a computer system or network by simulating attacks from an internal or external threat agent. A penetration test is the best method of identifying security loopholes (vulnerabilities) which could lead to a breach of the confidentiality, integrity and availability of the organization's information assets. Penetration tests are performed by trusted individuals who simulate the behaviour of malicious users or intruders (hackers), carrying out various attacks based on the information they gather during the testing period. The results of the attacks and tests performed are documented in a formal report which is provided to the owner of the network or computer system. The report may also provide recommendations and mitigations for the identified vulnerabilities or loopholes.
A Penetration Test Would Typically Include:
Planning: The penetration test is planned and scoped, defining the target systems and networks to be assessed and the rules under which the test is carried out.
Information Gathering: After the planning and scoping of the penetration test, the next step is to gather as much information as possible about the target systems and networks. The activities performed in this phase may include:
Network discovery — Discovering and gathering information about the target network and systems available on a particular network.
Network scanning — Using automated tools to perform external or internal scanning of a network to gather information such as open ports on the target systems, server banners, operating system in use, etc.
Vulnerability Identification: After all relevant information about the target systems has been gathered in the previous stage, the next phase is the one in which the penetration tester determines the vulnerabilities and loopholes that exist in these systems. A thorough analysis of the gathered information is performed to see whether any vulnerabilities exist. This is called manual vulnerability identification or scanning.
Exploitation: The exploitation phase typically aims at compromising information by breaching security controls and gaining access to the system. After access has been gained, privileges are escalated to obtain the highest level possible. This phase may also include password cracking to penetrate the system.
Analysis and Reporting: After the completion of all the stages mentioned above, the next stage is to create a report or reports to be presented to management and/or the technical staff. Penetration testing reports are highly confidential in nature and are therefore distributed to the intended recipients only.
Mobile Application Security
Mobile application security focuses on the software security posture of mobile apps on various platforms like Android, iOS, and Windows Phone. This covers applications that run both on mobile phones as well as tablets. It involves assessing applications for security issues in the contexts of the platforms that they are designed to run on, the frameworks that they are developed with, and the anticipated set of users (e.g., employees vs. end users). Mobile applications are a critical part of a business’s online presence and many businesses rely entirely on mobile apps to connect with users from around the world.
More users than ever before rely on mobile applications rather than traditional desktop applications for the majority of their digital tasks. In 2015 in the U.S. alone, users spent 54% of their digital media time on mobile devices actively using mobile apps. These applications have access to large amounts of user data, much of which is sensitive and must be protected from unauthorized access. All popular mobile platforms provide security controls designed to help software developers build secure applications. However, it is often left to the developer to choose from a myriad of security options. A lack of vetting can lead to security feature implementations that can be easily circumvented by attackers.
Common issues that affect mobile apps include:
Storing or unintentionally leaking sensitive data in ways that it could be read by other applications on the user’s phone.
Implementing poor authentication and authorization checks that could be bypassed by malicious applications or users.
Using data encryption methods that are known to be vulnerable or can be easily broken.
Application Security
Web Application Firewall (WAF): A WAF solution delivers cyber security that protects your data and applications. It also enables you to discover assets and risks and to protect your most valuable information, such as intellectual property, business plans, trade secrets, and the customer and employee information that drives your business.
Source Code Review (Dynamic and Static): More than 80% of today’s cyber-attacks target applications. This makes a case for an integrated, holistic approach to application security which is crucial for agile development.
Vulnerability Assessment: Web applications have grown enormously in recent times. The risk and concern over their security have grown with them, since web applications may expose customer information, financial data and other sensitive and confidential data if not configured properly. Ensuring that web applications are secure is a critical need for organizations today.
Application Delivery Controller: An application delivery controller is a device that is typically placed in a data center between the firewall and one or more application servers (an area known as the DMZ). First-generation application delivery controllers primarily performed application acceleration and handled load balancing between servers. The latest generation of application delivery controllers handles a much wider variety of functions, including rate shaping and SSL offloading, as well as serving as a web application firewall.
Overview
A secure code review is a specialized task involving manual and/or automated review of an application’s source code in an attempt to identify security-related weaknesses (flaws) in the code.
The secure code review process can be divided into two different techniques:
Automated tool based/ Black Box: In this approach, the secure code review is done using various open source or commercial tools. Mostly developers use them while they are coding, but a security analyst may also make use of them. Tools are very useful for code review when the secure SDLC process is implemented in the organization and the tool is provided to the developers themselves to do a "self-code" review while they are coding. The tools are also useful for analyzing large code bases (millions of lines). They can quickly identify potentially insecure pieces of code in the code base, which can then be analyzed by the developer or a security analyst.
Manual/ White Box: In this technique, a thorough code review is performed over the whole code, which may become a very tedious and tiresome process. However, this process can identify logical flaws that automated tools cannot, such as business logic problems. Automated tools are mostly capable of finding technical flaws such as injection vulnerabilities but may miss flaws such as authorization problems. In this process, instead of going line by line through the whole code base, we can concentrate on potential problem areas in the code and give those potential vulnerabilities a high priority.
The best approach is a mix of both, depending on the volume and criticality of the data. In today's world, where many complex applications are developed, we cannot ignore either of the above techniques.
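As an added illustration of the distinction drawn above (example code written for this page, not a tool from Lemuria Infosec), a minimal pattern-based checker is run over a constructed two-file sample: it flags the SQL string concatenation in orders.py but has nothing to say about the missing authorization check in admin.py, which is exactly the kind of logical flaw left for manual review. The file contents, rule names and regular expressions are all assumptions constructed for the example.

```python
"""Pattern-based 'automated review' versus a logical flaw it cannot see."""
import re

# Constructed sample code base: filename -> source text (not real project code).
SAMPLE_CODE = {
    "orders.py": '''
def get_order(db, order_id):
    cursor = db.execute("SELECT * FROM orders WHERE id = " + order_id)
    return cursor.fetchone()
''',
    "admin.py": '''
def delete_user(request, user_id):
    # Logical flaw: no check that the caller is allowed to delete this user.
    users.remove(user_id)
    return "deleted"
''',
}

# Rules a simple automated reviewer might apply: (rule name, regex).
# Each one matches a textual pattern, not the program's intent.
RULES = [
    ("sql-string-concat", re.compile(r'execute\(\s*["\'][^"\']*["\']\s*\+')),
    ("eval-call", re.compile(r'\beval\(')),
    ("hardcoded-password", re.compile(r'password\s*=\s*["\'][^"\']+["\']', re.I)),
]


def scan(files):
    """Return a list of (filename, line_no, rule) findings in file order."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, rx in RULES:
                if rx.search(line):
                    findings.append((name, lineno, rule))
    return findings


def files_without_findings(files, findings):
    """Files the tool reported nothing for; they still need a manual pass."""
    flagged = {name for name, _, _ in findings}
    return sorted(set(files) - flagged)


if __name__ == "__main__":
    results = scan(SAMPLE_CODE)
    for name, lineno, rule in results:
        print(f"{name}:{lineno}: {rule}")
    # admin.py is silent here even though it has the more serious flaw.
    print("no automated findings:", files_without_findings(SAMPLE_CODE, results))
```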