
Vulnerability Assessment and Penetration Testing
Abu Sadat Mohammed Yasin
Programmer/Asst.Systems Analyst (DD)
Information Systems & Development Department
Bangladesh Bank, Head Office.
Introduction
• IT/Computer/Cyber Security.
• Security is a journey and not a destination.
• CIA Triad:
– Confidentiality (being safe from unauthorized access)
– Integrity (correctness and comprehensiveness of data)
– Availability (resources are always available to authorized users)
What Is Vulnerability Assessment and Penetration Testing?
• Vulnerability
• VAPT covers two types of vulnerability testing:
– Vulnerability Assessments
– Penetration Testing
Vulnerability Assessment
• Search systems for known vulnerabilities.
• Vulnerability Assessment/Scans/Testing
• It is a process that probes a system for known vulnerabilities.
Process of Vulnerability Assessment
1. Goals & Objectives
2. Scope
   1. Black Box Testing
   2. White Box Testing
   3. Gray Box Testing
3. Information Gathering
4. Vulnerability Detection
5. Information Analysis and Planning
Types of Vulnerability Assessment
1. Host Based
2. Network Based
3. Database Based
Benefits of Vulnerability Assessment
• Some freeware tools are available.
• Identifies almost all known vulnerabilities.
• Scanning is highly automated.
• Easy to run on a regular basis.
Weaknesses of Vulnerability Assessment
• High false positive rate.
• Easily detected by intrusion detection systems and firewalls.
• Can cause a denial of service by generating large volumes of packets.
• Often fails to notice the latest vulnerabilities.
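A constructed illustration of the false-positive and missed-vulnerability weaknesses above (added here, not part of the slides): a toy scanner that matches service banners against a made-up advisory feed by version, ranks hits by severity, and leaves every finding unvalidated until a hands-on test confirms it. Hosts, product names and advisory ids are placeholders.

```python
# Added illustration (not from the slides): a toy version-matching scanner
# showing why automated vulnerability assessment yields false positives
# (backported fixes) and misses new flaws (feed not yet updated).
# All hosts, banners and advisory ids below are constructed placeholders.
from dataclasses import dataclass

@dataclass
class Advisory:
    adv_id: str       # placeholder id, not a real CVE number
    product: str
    fixed_in: tuple   # first version that carries the fix
    severity: str     # Critical / High / Medium / Low

@dataclass
class Finding:
    host: str
    adv_id: str
    severity: str
    validated: bool = False  # only a hands-on test (PT) can set this

# Constructed advisory feed; a real scanner updates its tests regularly,
# so a flaw published after the last update is simply not detected.
FEED = [
    Advisory("ADV-0001", "examplehttpd", (2, 4, 50), "Critical"),
    Advisory("ADV-0002", "examplessh", (8, 0, 0), "High"),
]
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def assess(banners, feed=FEED):
    """Match (host, product, version) banners against the feed and return
    findings ordered by risk ranking, as a VA report would list them."""
    findings = []
    for host, product, version in banners:
        ver = parse_version(version)
        for adv in feed:
            if adv.product == product and ver < adv.fixed_in:
                findings.append(Finding(host, adv.adv_id, adv.severity))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host))

# Constructed banners: host 10.0.0.2 runs a vendor-patched build whose version
# string never changed, so the scanner reports it anyway (false positive).
BANNERS = [
    ("10.0.0.1", "examplehttpd", "2.4.49"),
    ("10.0.0.2", "examplehttpd", "2.4.49"),
    ("10.0.0.3", "examplessh", "8.2.0"),
]

if __name__ == "__main__":
    for f in assess(BANNERS):
        print(f.severity, f.host, f.adv_id, "validated" if f.validated else "unvalidated")
```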
Tools for Vulnerability Assessment
• OpenVAS
– The OpenVAS scan engine is updated with Network Vulnerability Tests on a regular basis.
– The OpenVAS scanner is a complete vulnerability assessment tool used to spot security issues in servers and other devices on the network.
• Nmap
– Nmap (Network Mapper) is a free and open-source security scanner used to discover hosts and services on a network by building a map of the computer network.
• Wireshark
– Wireshark captures traffic live and allows the analysis to be performed offline.
– Wireshark can deeply inspect many protocols, with more being added all the time.
Penetration Testing
• Attempts to exploit vulnerabilities to penetrate a system.
• Penetration Testing/Ethical Hacking.
Methodology of Penetration Testing
• A zero-knowledge test
• A full-knowledge test
• A partial-knowledge test
Process of Penetration Testing
1. Scope the test plan.
2. Identify potential vulnerabilities.
3. Attempt vulnerability exploitation.
4. Document findings.
5. Provide detailed findings and remediation steps.
6. Populate the workflow management portal.
Penetration Testing Strategies
• External Testing
• Internal Testing
Benefits of Penetration Testing
• Tests the network or system using the tools and techniques that attackers use.
• Demonstrates to what depth vulnerabilities can be exploited.
• Validates vulnerabilities.
• Can provide the realism and evidence needed to address security issues.
Weaknesses of Penetration Testing
• Labor intensive; requires great expertise.
• Dangerous when conducted by inexperienced testers.
• Reveals source code to a third party.
• Expensive.
• Some tools and methods may be banned by agency regulation.
• Conducted within a limited time period.
• If a service is not tested, there is no information about its security or insecurity.
Tools for Penetration Testing
• Sqlmap
– Detects and exploits SQL injection.
• Kali Linux
– Open-source operating system bundling many free security tools.
• Aircrack-ng
– Analyzes weaknesses in a Wi-Fi network.
– WEP and WPA-PSK keys can be cracked with this tool.
• Netsparker
– Identifies vulnerabilities such as SQL injection and cross-site scripting in web applications and web APIs.
– Verifies the identified vulnerabilities, proving they are real and not false positives.
• Metasploit
– One of the most advanced and popular frameworks.
– It can be used on web applications, networks, servers, etc.
– Works on Linux, Apple Mac OS X and Microsoft Windows.
Vulnerability Assessment vs Penetration Testing
Definition
– Vulnerability Assessment: Automatically identifies weaknesses via software rather than manually.
– Penetration Testing: A form of stress testing which exposes weaknesses.
Strengths
– Vulnerability Assessment: Runs easily and quickly; freeware or inexpensive tools are available.
– Penetration Testing: Imitates the actual attacker process to the extent possible. Expensive; needs special experts.
Scope
– Vulnerability Assessment: Stops just before compromising a system.
– Penetration Testing: Goes as far as the testers can within the scope of the contract.
Task
– Vulnerability Assessment: Searches and checks the underlying design to detect holes.
– Penetration Testing: Intends to exploit the vulnerabilities to probe the damage that could result from them.
Frequency
– Vulnerability Assessment: At least quarterly, especially after new equipment is loaded or the network undergoes significant changes.
– Penetration Testing: Once or twice a year, as well as any time the Internet-facing equipment undergoes significant changes.
Vulnerability Assessment vs Penetration Testing (continued)
Focus
– Vulnerability Assessment: Lists known software vulnerabilities that could be exploited.
– Penetration Testing: Discovers unknown and exploitable weaknesses in normal business processes.
Performed by
– Vulnerability Assessment: Typically conducted by in-house staff using authenticated credentials; does not require a high skill level.
– Penetration Testing: Best to use an independent outside service and alternate between two or three; requires a great deal of skill.
Value
– Vulnerability Assessment: Detects when equipment could be compromised.
– Penetration Testing: Identifies and reduces weaknesses.
Report
– Vulnerability Assessment: A comprehensive technical report that includes all identified vulnerabilities, risk rankings, and recommended remediation activities.
– Penetration Testing: A targeted summary narrative that includes the successful attack vector and recommended remediation activities to close that attack vector.
Reasons for Vulnerability Existence
• Insecure coding practices
• Developer education not focused on security
• Limited testing budget and scope
• Disjointed security processes
• More resources outside than inside
• Misconfigurations
• Software not updated
Different Types of Vulnerabilities
• Missing data encryption
• OS command injection
• SQL injection
• Buffer overflow
• Missing authentication for critical function
• Missing authorization
• Unrestricted upload of dangerous file types
• Reliance on untrusted inputs in a security decision
• Cross-site scripting and forgery
• Download of code without integrity checks
• Use of broken algorithms
• URL redirection to untrusted sites
• Path traversal
• Bugs
• Weak passwords
• Software that is already infected with a virus
Different Types of Attacks
• Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
• Man-in-the-middle (MitM) attack
• Phishing and spear phishing attacks
• Drive-by attack
• Password attack
• SQL injection attack
• Cross-site scripting (XSS) attack
• Eavesdropping attack
• Birthday attack
• Malware attack
How VAPT Is Conducted
• Cyber Security Research Lab
• Computer Emergency Readiness Team (CERT)
• Internal & External
• Consultant
• BGD eGov CERT
Why?
• ICT Security Policy
• Avoids network downtime due to breaches.
• CIA Triad
• Enhances the effectiveness of the overall security life cycle.
• Provides a strong basis for determining appropriate security budgets.
Live Demonstration
Thank You