Penetration Test and Vulnerability Assessment

The Difference Between a Vulnerability Assessment and a Penetration Test

There are many views on what constitutes a Vulnerability Assessment versus a Penetration Test. The main distinction, however, seems to be that some believe a thorough Penetration Test involves identifying as many vulnerabilities as possible, while others feel that Penetration Tests are goal-oriented and are mostly unconcerned with what other vulnerabilities may exist.

I am in the latter group, and what follows is my argument for why you should be too.

Language Matters

Language is important, and we have two terms for a reason. We already have an (aptly named, I might add) security test for compiling a complete list of vulnerabilities, i.e. a Vulnerability Assessment. If there isn’t a clear, communicable distinction between this test type and a penetration test then we shouldn’t be using separate terms. Such a distinction does exist, however, and it’s a crucial one.

Clarified Definitions

Vulnerability Assessments are designed to yield a prioritized list of vulnerabilities and are generally for clients who already understand they are not where they want to be in terms of security. The customer already knows they have issues and simply needs help identifying and prioritizing them.

The more issues identified the better, so naturally a white box approach should be embraced when possible. The deliverable for the assessment is, most importantly, a prioritized list of discovered vulnerabilities (and often how to remediate).

Penetration Tests are designed to achieve a specific, attacker-simulated goal and should be requested by customers who are already at their desired security posture. A typical goal could be to access the contents of the prized customer database on the internal network, or to modify a record in an HR system.

The deliverable for a penetration test is a report of how security was breached in order to reach the agreed-upon goal (and often how to remediate).

A Physical Analog

A good analog for this is a Tiger Team working for the government, like Richard Marcinko used to run with Red Cell. Think about what his missions were: things like gain control of a nuclear submarine and bring it out into the bay.

So imagine that he’s getting debriefed after a successful mission where he broke in through the east fence, and someone were to ask him about the security of the western side of the building. The answer would be simple:

We didn’t even go to the west side. We saw an opening on the east-facing fence and we went after our target.

If the person doing the debrief were to respond with, “You didn’t check the other fences? What kind of security test is it where you didn’t even check all the fences?”, the answer would be equally direct:

Listen, man, I could have come in a million ways. I could have burrowed under the fences altogether, parachuted in, got in the back of a truck coming in–whatever. You told me to steal your sub, and that’s what I did. If you wanted a list of all the different ways your security sucks, you should have hired an auditor–not a SEAL team.

The Question of Exploitation

Another mistake people make when discussing vulnerability assessments vs. penetration tests is to pivot immediately to exploitation. The basic narrative is:

Finding vulnerabilities is a vulnerability assessment, and exploiting them is a penetration test.

This is incorrect.

Exploitation can be imagined as a sliding bar between none and full, which can be leveraged in both vulnerability assessments and penetration tests. Although most serious penetration tests lean heavily towards showing rather than telling (i.e. heavy on the exploitation side), it’s also the case that you can often show that a vulnerability is real without full exploitation.

A penetration testing team may be able to simply take pictures standing next to the open safe, or to show they have full access to a database, etc., without actually taking the complete set of actions that a criminal could. And vulnerability assessments can slide along this scale as well for any subset of the list of issues discovered.

This could be time consuming, but exploitation doesn’t, by definition, move you out of the realm of vulnerability assessment. The only key attributes of a VA vs. PT are list-orientation vs. goal-orientation, and the question of exploitation is simply not part of that calculation.

The Notion that Penetration Tests Include Vulnerability Assessments

It’s also inaccurate to say that penetration tests always include a vulnerability assessment. Recall that penetration tests are goal-based, meaning that if you achieve your goal then you are successful. So, you likely perform something like a vulnerability assessment to find a good vuln to attack during a pentest, but you could just as easily find a vuln within 20 minutes that gets you to your goal.

It is accurate to say, in other words, that penetration tests rely on finding one or more vulnerabilities to take advantage of, and that people often use some sort of process to systematically discover vulns for that purpose. But because they stop when they have what they need, and don’t give the customer a complete and prioritized list of vulnerabilities, they didn’t actually do a vulnerability assessment.

Summary

Vulnerability Assessment

  • Customer Maturity Level: Low to Medium. Usually requested by customers who already know they have issues, and need help getting started.
  • Goal: Attain a prioritized list of vulnerabilities in the environment so that remediation can occur.
  • Focus: Breadth over depth.

Penetration Test

  • Customer Maturity Level: High. The client believes their defenses to be strong, and wants to test that assertion.
  • Goal: Determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal.
  • Focus: Depth over breadth.

Article Provided by: Daniel Miessler

If you would like to discuss how Liquid Video Technologies can help you secure your data, or would like to discuss your next Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance needs, please do not hesitate to call us at 864-859-9848 or email us at deveren@liquidvideotechnologies.com.

Domain Hijacking Attacks

The US Department of Homeland Security (DHS) has issued an emergency directive tightening DNS security after a recent wave of domain hijacking attacks targeting government websites.

Under the directive, which appeared a week after a US-CERT warning on the same topic, admins looking after US .gov domains have until 5 February to do all of the following or explain why they can’t:

  • Verify that all important domains are resolving to the correct IP address and haven’t been tampered with.
  • Change passwords on all accounts used to manage domain records.
  • Turn on multi-factor authentication to protect admin accounts.
  • Monitor Certificate Transparency (CT) logs for newly issued TLS certificates that might have been issued by a malicious actor.
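
The first and last checks in that list can be automated against a known-good baseline. The sketch below is an added example, not part of the original article or the DHS directive. All domain names, addresses, issuer names and serials are constructed sample data; in practice the observed records would come from your resolvers and the certificate entries from a CT log monitor.

```python
from dataclasses import dataclass

def norm(name):
    """Normalise a DNS name or address: lower-case, no trailing dot."""
    return name.strip().lower().rstrip(".")

@dataclass(frozen=True)
class Finding:
    check: str   # "dns" or "ct"
    name: str
    detail: str

def audit_dns(baseline, observed):
    """Compare observed record sets with the expected ones, per name and type."""
    obs = {norm(k): v for k, v in observed.items()}
    findings = []
    for name, rrsets in baseline.items():
        for rtype, expected in rrsets.items():
            exp = {norm(v) for v in expected}
            got = {norm(v) for v in obs.get(norm(name), {}).get(rtype, ())}
            # An empty answer shows up as every expected value missing.
            findings += [Finding("dns", name, f"{rtype}: unexpected {v}") for v in sorted(got - exp)]
            findings += [Finding("dns", name, f"{rtype}: missing {v}") for v in sorted(exp - got)]
    return findings

def covers(cert_name, domain):
    """True if a certificate name (possibly a wildcard) falls under a monitored domain."""
    cert_name, domain = norm(cert_name), norm(domain)
    if cert_name.startswith("*."):
        cert_name = cert_name[2:]
    return cert_name == domain or cert_name.endswith("." + domain)

def audit_ct(entries, monitored, issued_serials, approved_issuers):
    """Flag logged certificates for our names that we did not request."""
    findings = []
    for entry in entries:
        names = [n for n in entry["names"] if any(covers(n, d) for d in monitored)]
        if not names:
            continue  # certificate is for someone else's domain
        reasons = []
        if entry["serial"].lower() not in issued_serials:
            reasons.append("serial not in issuance inventory")
        if entry["issuer"] not in approved_issuers:
            reasons.append(f"issuer {entry['issuer']!r} not approved")
        if reasons:
            findings.append(Finding("ct", names[0], "; ".join(reasons)))
    return findings

# Constructed sample data (reserved example names and documentation addresses).
BASELINE = {
    "agency.example": {"NS": {"ns1.agency.example", "ns2.agency.example"}},
    "www.agency.example": {"A": {"192.0.2.10"}},
}
OBSERVED = {
    "agency.example.": {"NS": ["NS1.agency.example.", "ns2.agency.example."]},
    "www.agency.example": {"A": ["203.0.113.66"]},  # no longer the expected address
}
MONITORED = {"agency.example"}
ISSUED_SERIALS = {"0a1b"}               # certificates the organisation requested
APPROVED_ISSUERS = {"Example Trust CA"}
CT_ENTRIES = [
    {"names": ["www.agency.example"], "issuer": "Example Trust CA", "serial": "0A1B"},
    {"names": ["mail.agency.example"], "issuer": "Other Free CA", "serial": "FF02"},
    {"names": ["*.agency.example"], "issuer": "Example Trust CA", "serial": "0C33"},
    {"names": ["notagency.example"], "issuer": "Other Free CA", "serial": "AA"},
]

def run_audit():
    return audit_dns(BASELINE, OBSERVED) + audit_ct(CT_ENTRIES, MONITORED, ISSUED_SERIALS, APPROVED_ISSUERS)
```

A certificate from an approved issuer is still flagged when its serial is not in the issuance inventory, since an attacker who controls a domain's DNS can obtain a valid certificate from any CA that validates by domain control.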

The warning mentions domain hijacking campaigns publicised by security companies in November and January, only one of which alluded to targets that might include US government sites.

The DHS warning is more specific:

CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.

Separately, the CyberScoop website quoted unnamed sources as telling it that at least six US civilian agencies had been “affected by the recent malicious DNS activity”.

Six agencies is a lot, which underlines why the directive is billed as an emergency.

What is domain hijacking?

Domain hijacking has been a persistent issue in the commercial world for years, a prime example of which would be the attack that disrupted parts of Craigslist in November 2014.

In that incident, as in every successful domain hijacking attack, the attackers took over the account used to manage the domains at the registrar, in this case, Network Solutions.

The objective is to change the records so that instead of pointing to the IP address of the correct website it sends visitors to one controlled by the attackers.

This change could have been made using impersonation to persuade the registrar to change the domain settings or by stealing the admin credentials used to manage these remotely.

It’s a potent attack – web users think they’re visiting the correct website because they’ve typed the correct domain in their address bar and have no reason to doubt where they end up.

For attackers, it’s the perfect crime that avoids the much harder job of having to take over the real website.

DNS hijacking and cache poisoning

DNS can be manipulated in other ways, including DNS hijacking where someone’s browser, computer or home router is compromised to resolve domains via a malicious DNS server, or through cache poisoning in which the same end is achieved either by manipulating address data cached locally on the computer or home router, or at a higher level in the DNS infrastructure itself.

Because the US Government manages thousands of domains through a sprawl of devolved agencies, securing them was never going to be easy.

The added complication is the fact that some agencies are short on staff thanks to the partial government shutdown. Tweeted Chris Krebs of the DHS Cybersecurity and Infrastructure Security Agency (CISA) on this issue:

Article Provided by: Naked Security

PCI Compliance

Here is a blog every online business should take a moment to read. (PCI Compliance)

2015 will be a defining year for data security

President Obama’s State of the Union address this week launched a new emphasis on an ever-present threat in our daily lives – cyberattacks, kicking off what will be a defining year for cybersecurity protection, and for us at the PCI Security Standards Council, pivotal in improving the protection of consumers’ payment information globally.

Public-private collaboration and information sharing, education and awareness and leveraging the most secure technology as emphasized by the president are critical to protecting customers against the type of massive breaches we saw in 2014.  As the standard-setting organization for payment security, we are leading the charge to provide the standards and resources to help businesses secure this information.

Too many CEOs are learning this lesson the hard way.  For American corporate executives moving forward, data security is job security.  Companies that fail to make data protection an everyday priority run the risk of losing money, losing business and destroying their reputations.

The good news is we know what works and what doesn’t.  In recent years, we at PCI have not seen any data breaches that weren’t predictable.  On the contrary, problems arise from a failure to maintain key security controls and a lack of vigilance.  Simply put, most data security breaches involving credit card data are not sophisticated attacks at all, nor are they new tactics.  Far too many of the recent major breaches we have seen in the United States were entirely preventable.

Something as simple as a password can cause problems. A recent study by Trustwave reported that the most popular numeric password used by the American business community is 123456.  The word ‘password’ remains one of the most commonly used passwords.  It wouldn’t take a very sophisticated hacker to crack that code.

Fortunately, data security is now becoming a top-level issue, from the White House to Congress to corporate suites across America. President Obama’s speech this week will further drive the national conversation.

Many companies need to change the way they view security issues. Passing a PCI Standards assessment is a first step, but properly following security standards 24/7 is required to prevent data breaches. Not all companies do that, thinking instead that once they check the box of passing a data security assessment their work is over. This kind of thinking is a major problem.  Data security cannot just be a “box you check” once or twice a year.  It has to be an all-day, everyday priority.  Protecting data is no longer a simple task that companies can just leave to the IT Department.

EMV Chip Technology

In 2015 America will take a major step by implementing EMV chip technology for consumers.  This is a critical step forward and will provide better data protection by adding a new additional layer of security.  EMV chip technology, which is already in use throughout much of the advanced world, provides consumers with strong security features. It helps businesses lock down their point of sale and provides protection against fraudulent transactions in face-to-face shopping environments.  However, while EMV chip technology is an additional layer in data security protection, it doesn’t solve every problem.  We should not be fooled into believing it is the magical technology that eliminates data security threats.  It isn’t.

EMV chip technology will not prevent fraud when a card is used online or in mail and telephone order purchases.  EMV technology also would not prevent breaches that involve targeted malware.

No one single technology is the answer. As we look towards the White House Cyber Security Summit at Stanford University next month, it is important for American businesses to prioritize strong security principles by maintaining a multi-layer security approach that involves people, process and technology working together to protect consumers.

It’s time for a change in the mindset about data security. Vigilance must be an everyday priority.

Article Provided by The Hill

Zaxby’s Data Breach – PCI Compliant

ATHENS, Ga. — Zaxby’s Franchising Inc. says a computer data breach has occurred at a number of its stores, including more than 40 in Georgia, and that malware files could have been used to export guest names and credit and debit card numbers.

The Athens, Ga.-based restaurant chain said in a press release on its website that credit card processing companies identified certain Zaxby’s locations as common points of purchase for some fraudulent credit card activity.

Affected locations include Zaxby’s restaurants in Alpharetta, Atlanta, Braselton, Bremen, Buford, Canton, Conyers, Dacula, Dalton, Dawsonville, Fairburn, Fayetteville, Kennesaw, Lithia Springs, Lithonia, Marietta, Milton, Norcross, Powder Springs, Roswell, Tucker and Villa Rica.

See a complete list of affected stores.

The press release says, “Zaxby’s Franchising, Inc. assisted those stores in reviewing the issue, and during the course of the investigation (Data Breach) identified some suspicious malware files on the licensees’ computer systems at several Zaxby’s locations. Because those malware files could have been used to export guest names and credit and debit card numbers, Zaxby’s Franchising, Inc. informed appropriate law enforcement authorities of the potential criminal activity. Zaxby’s Franchising, Inc. is working with all of its store locations to implement additional security measures to prevent further intrusions.”

(Atlanta Business Chronicle)

Computer Hacking Liability – Are You At Risk?

Presented by McNair Law Firm, P.A.

Please join us for the
InnoVision Forum:

Computer Hacking Liability – Are You At Risk?
What To Do To Avoid Data Breaches and Hacking and
What To Do If You are Hacked

From the US Government to the State of South Carolina, companies and organizations of all sizes are under attack from Computer Hacking. The threat of these attacks has escalated so that cyber security professionals admit it is almost impossible to achieve 100% prevention.  According to Verizon’s 2011 report, small and medium sized businesses, as well as governments and municipalities, are the main targets.  Please join us to discuss the legal liability associated with hacking for you and your company, leading edge prevention measures to avoid hacking, and what your obligations are in the event that a breach is suspected or discovered.  We will also discuss the role of the financial institution in these circumstances.

PANEL INCLUDES:

Douglas W. Kim
Attorney
McNair Law Firm, P.A.

  • Doug will discuss the current laws concerning security requirements including the Red Flag Rules, PCI Compliance, South Carolina specific laws and recent cases involving hacking.  His discussion will include the recent case where a bank was required to repay monies lost to a customer due to hackers ($345,000.00).

Frank Mobley
Founder and CEO
Immedion, LLC

  • Frank will discuss current IT security risks and the prevalence and method of hacking.  He will also include information on how you can better protect your organization against illicit and illegal attempts to garner private information.

Deveren Werne
Founder of Mojoe.net and
Principal of Liquid Video Technologies, Inc.

  • Deveren will explain PCI compliance for businesses: why a business should be PCI compliant, what the repercussions of not being compliant are, and what a business should do to become compliant from a hardware and software perspective.

Wednesday, January 9, 2013
3:00 pm – 5:00 pm Presentations ~ 5:00 pm – 7:00 pm Networking
Location – McNair Law Firm, P.A., Poinsett Plaza, Suite 700, 104 S. Main Street, Greenville, SC

Seating is limited, so please respond early

RSVP to Kathy Ham by email: kham@mcnair.net or by phone: (864) 552-9345

Founding Sponsor:

Deloitte Founding Sponsor of InnoVision Awards

www.innovisionawards.org
Celebrating excellence. Honoring distinction. Applauding innovation.

Security Breach

Security Breach – South Carolina

COLUMBIA — Last week South Carolina’s Department of Revenue (DOR) Director Jim Etter announced that approximately 3.6 million Social Security numbers and 387,000 credit and debit card numbers had been exposed in a cyber attack.

Governor Nikki Haley, South Carolina Law Enforcement Division (SLED) Chief Mark Keel and Etter briefed reporters earlier this week on the S.C. DOR information security breach and outlined additional consumer safety solutions, including extended fraud resolution and coverage for dependents who are minors, available to South Carolina taxpayers.

As of Tuesday morning, the Experian call center set up to assist South Carolina taxpayers had received approximately 533,000 calls and approximately 287,000 sign-ups for Experian’s ProtectMyID program. Access to unlimited fraud resolution beyond the one year enrollment period is included in Experian’s ProtectMyID membership and available to any taxpayer affected by DOR’s information security breach. Taxpayers who sign up for protection will also be notified — by email or letter — about how to sign up for a “Family Secure Plan” if they claim minors as dependents.

Gov. Haley and Chief Keel reiterated that anyone who has filed a South Carolina tax return since 1998 should take the following steps:

• Call 1-866-578-5422 to enroll in a consumer protection service. (The call center is open 9:00 a.m. – 9:00 p.m. EST on Monday through Friday and 11:00 a.m. – 8:00 p.m. EST on Saturday and Sunday.)

• For any South Carolina taxpayer who wishes to bypass the telephone option, there currently is an online service available at http://www.protectmyid.com/scdor. Enter the code SCDOR123 when prompted. South Carolina taxpayers have until the end of January, 2013 to sign up.

Experian’s ProtectMyID™ Alert is designed to detect, protect and resolve potential identity theft, and includes daily monitoring of all three credit bureaus. The alerts and daily monitoring services are provided for one year, and consumers will continue to have access to fraud resolution agents and services beyond the first year. Complimentary 12-month ProtectMyID memberships available to South Carolina taxpayers affected by the DOR information security breach include:

• Credit Report: A free copy of your Experian credit report.

• Daily 3 Bureau Credit Monitoring: Alerts you of suspicious activity including new inquiries, newly opened accounts, delinquencies, or medical collections found on your Experian, Equifax® and TransUnion® credit reports.

• Identity Theft Resolution: If you have been a victim of identity theft, you will be assigned a dedicated, U.S.-based Experian Identity Theft Resolution Agent who will walk you through the fraud resolution process, from start to finish.

• ExtendCARE: Full access to the same personalized assistance from a highly-trained Fraud Resolution Agent even after your initial ProtectMyID membership expires.

• $1 Million Identity Theft Insurance: As a ProtectMyID member, you are immediately covered by a $1 Million insurance policy that can help you cover certain costs, including lost wages, private investigator fees, and unauthorized electronic fund transfers.

Liquid Video Technologies can protect your network and information from Security Breaches.

Read more: The Cheraw Chronicle – State officials update security breach
