Security Assessment & Penetration Testing
Cybersecurity & the CIA Triad
Confidentiality – controlling access to data/systems.
Integrity – preventing unauthorised or accidental tampering.
Availability – ensuring timely, reliable access to assets.
Cyber-defence aims to preserve all three properties simultaneously; testing verifies the efficacy of defences.
How Attackers Breach CIA
System-centric attacks
Malware (e.g. RATs – Remote Access Trojans).
Injection flaws: SQLi, XSS.
Remote Code Execution (RCE) such as buffer overflows, malicious file uploads.
Exploiting weak configurations – default passwords (e.g. ), exposed admin pages, etc.
Human-centric attacks
Social engineering, spear-phishing, pretexting.
Defence-in-Depth Controls (Selected)
Firewalls, Intrusion Prevention Systems (IPS).
Anti-malware suites.
Secure design, secure coding, configuration hardening, timely patching.
Security monitoring: IDS, SIEM, User/Entity Behaviour Analytics (UEBA).
Incident Response playbooks.
User training & awareness.
BUT: “Are these really working?” → need for assessment & testing.
Goals of Security Testing
Identify weaknesses (vulnerabilities) before adversaries do.
Provide actionable remediation guidance to improve the organisation’s security posture.
What is a Vulnerability?
“A weakness in software, hardware or organisational process exploitable to compromise CIA.”
Software bugs, design or implementation errors, misconfiguration, policy gaps.
Security Assessment – Definition & Purpose
Evaluate administrative, physical and technical controls to gauge:
Correct implementation.
Proper operation.
Desired outcomes (risk reduction).
Produce prioritised improvement actions.
Performed on a periodic or event-driven basis (mergers, new product releases, compliance audits, etc.).
Types of Assessments (High-level)
Vulnerability Scanning.
Configuration / Baseline Review.
Penetration Testing (Ethical Hacking).
Code Review (Source or Binary).
Architecture Review.
Red Teaming (adversary simulation).
Classification Dimensions
Knowledge Model
Black-Box – zero knowledge; emulate external attacker. Cheap, realistic, but may miss deeper flaws.
White-Box – full knowledge (code, architecture). Thorough, time-consuming.
Gray-Box – partial knowledge; balance coverage vs. realism.
Automation
Automated – fast, low-cost, high false-positive rate, no context.
Manual – interactive, accurate, slow, expensive.
Best practice: hybrid approach (automated discovery + manual validation/exploitation).
Execution Style
Dynamic (run-time) – code executes, interacts with subsystems, no source needed; typically black-box.
Static – code not executed; may analyse binary, source or byte-code; typically white-box.
Scope
Application-Specific – single app/infra element, no social engineering, cheaper, focused remediation.
Open-Ended – whole organisation, may include phishing/physical intrusion, tests detection/response; expensive.
Penetration Testing
Authorised, simulated cyber-attack to evaluate security effectiveness.
Also called “pentest” or “ethical hacking”.
Common Frameworks & Standards
PTES (Penetration Testing Execution Standard).
OSSTMM (Open Source Security Testing Methodology Manual).
OWASP Testing Guide (web focus).
PCI-DSS Penetration Testing Guideline (payment industry).
PTES / Ethical Hacking Lifecycle
1. Planning / Pre-Engagement
Define scope, goals, constraints, timeframe, rules of engagement (RoE), communication plan.
Toolsets & methodologies agreed; engagement letter / contracts signed.
2. Reconnaissance (Intelligence Gathering)
Open-Source Intelligence (OSINT): Google dorks, WHOIS/DNS harvesting, social networks, Shodan, Censys, Netcraft, public breach data, etc.
Passive (no interaction) vs active information collection.
3. Enumeration & Vulnerability Analysis
Active host discovery – ping sweeps, port scans, OS fingerprinting, banner grabbing.
Map services, versions, potential CVEs.
Use databases (Exploit-DB) & vulnerability scanners (OpenVAS, Nessus, Nexpose) to identify weaknesses.
4. Exploitation
Leverage identified vulnerabilities to gain initial access, escalate privileges, pivot.
Automated toolkits (Metasploit, SQLMap) + manual exploit development.
May incorporate social engineering or physical intrusion if in scope.
5. Post-Exploitation / Reporting
Rate risks by impact & likelihood; contextualise (data sensitivity, required access, network location).
Provide remediation recommendations, proof-of-concept (PoC) artefacts and executive summary.
Vulnerability Scanning
Automated technique to identify hosts, attributes & known vulnerabilities by matching signatures.
Vulnerability Categories
Software bugs: buffer overflows, input validation failures, authorisation logic flaws.
Misconfiguration: default passwords, weak protocols, unnecessary services, etc.
Scan Modes
Non-Credentialed – external attacker viewpoint; sees only exposed services; quick; potential false-positives; can be destructive.
Credentialed – authenticated view; inspects internal configs, patch levels; more comprehensive, fewer false-positives, but requires privileged accounts.
Popular Tools
Tenable Nessus, Rapid7 Nexpose, OpenVAS, QualysGuard, Acunetix (web), etc.
Automated VA – Strengths & Limitations
Broad coverage, repeatable, good first pass.
False positives (tool cannot verify exploitability).
False negatives (unknown or complex vulnerabilities missed).
Nessus Example Highlights
Dashboard lists hosts, vulnerabilities with critical/high/medium/low/info severities.
Plugins detect outdated Firefox versions, untrusted SSL certificates, DNS hostname leaks, etc.
“Live Results” feature rescans delta without full run.
Pentest vs Vulnerability Assessment
Penetration Test – identifies and actively exploits vulns; chains exploits; pivots; validates reach and impact.
Vulnerability Assessment – identifies but does not exploit; hypothesises attack chains; focuses on risk rating and remediation (patches, config fixes).
Cataloguing Vulnerabilities & Weaknesses
CVE (Common Vulnerabilities & Exposures)
Publicly disclosed flaws get a unique ID .
Managed by MITRE; IDs map to NVD for detailed metadata.
Example: CVE-2024-21413 – Microsoft Outlook RCE; (critical); vector .
NVD (National Vulnerability Database)
Run by NIST; hosts detailed advisory, CVSS scores, CWE mappings, patch links.
CVSS (Common Vulnerability Scoring System)
Rating Scale
None ; Low ; Medium ; High ; Critical .
Metric Groups
Exploitability – .
Impact – plus Scope .
Vector String Syntax
Example: .
Base vs Temporal vs Environmental
Base – intrinsic properties (vendor neutral).
Temporal – factors that change over time (exploit code maturity, remediation level, report confidence).
Environmental – organisation-specific modifiers (security requirements, compensating controls).
Worked Examples
Meltdown (CVE-2017-5754): vector → Base (Medium).
EternalBlue (CVE-2017-0143): → Base (High).
CWE (Common Weakness Enumeration)
Taxonomy of root-cause weakness types (design/implementation).
Examples: CWE-20 Improper Input Validation, CWE-200 Information Exposure, CWE-332 Insufficient Entropy.
KEV (Known Exploited Vulnerabilities)
CISA-maintained list of CVEs with evidence of active exploitation; helps prioritise patching.
Other Assessment Types
Red / Blue / Purple Teaming
Red Team – adversary simulation (open-ended pentest) aimed at testing Blue Team (defenders).
Blue Team – detection & response operations.
Purple Team – collaborative exercise; real-time knowledge-sharing between red and blue → maximises learning & control improvement.
Baseline Configuration Review
Compare system settings against best-practice benchmarks (e.g. CIS Benchmarks, Microsoft Baseline Security Analyzer).
Code Review (Security-Focused)
Automated static analysis + manual inspection.
Tools: Bandit (Python), Brakeman (Rails), Veracode (multi-language).
Distinct from peer-review for functionality; targets security flaws (injection, crypto misuse, race conditions, etc.).
Management & Control Auditing
Governance processes: user account lifecycle, segregation of duties, change management, KPI reviews.
Compliance alignment with standards (ISO 27001, HIPAA, GDPR), disaster recovery & business continuity plans.
Third-Party Assurance – SOC Reports
SOC 1 – internal controls over financial reporting (used by auditors).
SOC 2 – controls for security, availability, processing integrity, confidentiality, privacy (shared under NDA).
SOC 3 – public summary of SOC 2 (e.g. AWS SOC 3 PDF).
Provides independent attestation of cloud/service-provider controls.