Lecture 2 - Penetration Testing, Rules of Engagement and Vulnerability Scanning

Information Technology Security & Privacy (COSC 3796)
School of Computer Science and Technology
Algoma University, Sault Ste. Marie
Fall 2024

TITLE: PENETRATION TESTING, RULES OF ENGAGEMENT AND VULNERABILITY SCANNING
LECTURE NO. 2
INSTRUCTOR: DR. MUHAMMAD AZAM


Module Objectives

1. Understand what a penetration test is
2. Identify the rules of engagement and how to perform a pen test
3. Understand vulnerability scanning
4. Understand different vulnerability resources
Penetration Testing

• Studying penetration testing involves:
  • Defining what it is and why such a test should be conducted
  • Examining who should perform the tests and the rules for engagement
  • Knowing how to perform a penetration test
Defining Penetration Testing

• Penetration testing attempts to exploit vulnerabilities in order to help:
  • Uncover new vulnerabilities
  • Provide a clearer picture of their nature
  • Determine how they could be used against the organization
• The most important element in a "pen test" is the first step: planning
  • A lack of planning can result in scope creep, which is an expansion beyond the initial set of the test's limitations
  • The most dangerous result of poor planning is creating unnecessary legal issues
Who Should Perform the Test (1)

• Internal security personnel
  • Advantages to using internal employees include:
    • There is little or no additional cost
    • The test can be conducted much more quickly
    • An in-house pen test can be used to enhance the training of employees and raise awareness of security risks
  • Disadvantages of using internal security employees:
    • Inside knowledge
    • Lack of expertise
    • Reluctance to reveal
Who Should Perform the Test (2)

• External pen tester consultants
  • Contracting with an external pen testing consultant offers the following advantages:
    • Expertise
    • Credentials
    • Experience
    • Focus
  • A disadvantage of using external consultants is the usage of the information uncovered
    • A contractor who conducts a pen test learns all about an organization's network and may receive extremely sensitive information about systems and how to access them
    • This knowledge could be sold to a competitor
Who Should Perform the Test (3)

• Crowdsourced pen testers
  • A bug bounty is a monetary reward given for uncovering a software vulnerability
  • Bug bounty programs take advantage of crowdsourcing, which involves obtaining input into a project by enlisting the services of many people through the internet
  • Advantages of crowdsourced pen testers include the following:
    • Faster testing, resulting in quicker remediation of vulnerabilities
    • Ability to rotate teams so different individuals test the system
    • Option of conducting multiple pen tests simultaneously
Rules of Engagement (1)

• Rules of engagement in a penetration test are its limitations or parameters
• Categories for rules of engagement are:
  • Timing
  • Scope
  • Authorization
  • Exploitation
  • Communication
  • Cleanup
  • Reporting
Rules of Engagement (2)

• Timing
  • The timing parameter sets when the testing will occur
  • Some considerations include the start and stop dates of the test, and whether the active portions of the pen test should be conducted during normal business hours
• Scope
  • Scope involves several elements that define the relevant test boundaries:
    • Environment
    • Internal targets
    • External targets
    • Target locations
    • Other boundaries
Rules of Engagement (3)

• Authorization
  • Authorization is the receipt of prior written approval to conduct the pen test
  • A formal written document must be signed by all parties before a pen test begins
• Exploitation
  • The exploitation level in a pen test should be part of the scope that is discussed in the planning stages
• Communication
  • The pen tester should communicate with the organization during the following occasions:
    • Initiation
    • Incident response
    • Status
    • Emergency
Rules of Engagement (4)

• Cleanup
  • The pen tester must ensure that everything related to the pen test has been removed
  • Cleanup involves removing all software agents, scripts, executable binaries, temporary files, and backdoors from all affected systems
  • Any credentials that were changed should be restored and any usernames created should be removed
• Reporting
  • Once the pen test is completed, a report should be generated to document its objectives, methods used, and results
  • The report should be divided into two parts:
    • An executive summary designed for a less technical audience
    • A more technical summary written for security professionals
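The timing, scope and authorization rules above are only useful if the testing tooling actually enforces them. The following is an added example, not part of the lecture or its referenced textbooks: a small guard that refuses any test action when the written agreement is not fully signed, the time falls outside the agreed window (or inside business hours when those were excluded), or the target is outside the authorized networks or inside an exclusion. All dates, networks, host addresses and party names are constructed placeholders.

```python
"""Rules-of-engagement guard: refuses any test action that falls outside the
agreed timing window, scope or authorization. Added example, not from the
lecture; all names, addresses and dates are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass
class EngagementRules:
    # Timing: start/stop of the test and whether business-hours testing is allowed
    start: datetime
    stop: datetime
    business_hours_allowed: bool
    # Scope: authorized target networks and explicit exclusions (CIDR strings)
    in_scope: list
    excluded: list
    # Authorization: the signed written agreement must be recorded before any action
    required_signers: list = field(default_factory=list)
    signed_by: list = field(default_factory=list)

    def authorized(self) -> bool:
        """Every required party must have signed the written agreement."""
        return all(p in self.signed_by for p in self.required_signers)

    def within_window(self, when: datetime) -> bool:
        """Inside the agreed dates, and not during business hours unless permitted."""
        if not (self.start <= when <= self.stop):
            return False
        if not self.business_hours_allowed:
            weekday = when.weekday() < 5          # Monday..Friday
            office = 9 <= when.hour < 17          # 09:00-17:00 (constructed definition)
            if weekday and office:
                return False
        return True

    def in_scope_target(self, host: str) -> bool:
        """Host must be inside an authorized network and outside every exclusion."""
        addr = ip_address(host)
        if any(addr in ip_network(n) for n in self.excluded):
            return False
        return any(addr in ip_network(n) for n in self.in_scope)

    def check(self, host: str, when: datetime) -> str:
        """Return 'allowed' or the first rule that blocks the action."""
        if not self.authorized():
            return "blocked: authorization not signed by all parties"
        if not self.within_window(when):
            return "blocked: outside agreed timing window"
        if not self.in_scope_target(host):
            return "blocked: target out of scope"
        return "allowed"


# Constructed engagement (hypothetical values, documentation address ranges)
RULES = EngagementRules(
    start=datetime(2024, 10, 1, tzinfo=timezone.utc),
    stop=datetime(2024, 10, 14, 23, 59, tzinfo=timezone.utc),
    business_hours_allowed=False,
    in_scope=["192.0.2.0/24", "198.51.100.0/25"],
    excluded=["192.0.2.10/32"],          # e.g. a production database host
    required_signers=["client", "tester"],
    signed_by=["client", "tester"],
)

if __name__ == "__main__":
    night = datetime(2024, 10, 3, 22, 0, tzinfo=timezone.utc)
    for host in ["192.0.2.5", "192.0.2.10", "203.0.113.7"]:
        print(host, "->", RULES.check(host, night))
```

The checks run in the order the lecture lists them: authorization first (no signed document, no test at all), then timing, then scope. Exclusions win over inclusions so that a host carved out of a larger authorized range is never touched.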
Performing a Penetration Test (1)

• Performing a successful pen test involves determination, resolve, and perseverance
• A variety of actions take place when performing a pen test; however, they can be grouped into two phases:
  • Reconnaissance
  • Penetration
Performing a Penetration Test (2)

• Phase 1: Reconnaissance
  • The first task is to perform preliminary information gathering from outside the organization (called footprinting)
  • Information can be gathered using two methods: active reconnaissance and passive reconnaissance
  • Active reconnaissance involves directly probing for vulnerabilities and useful information
    • War driving is searching for wireless signals from an automobile or on foot while using a portable device
    • War flying uses drones, which are officially known as unmanned aerial vehicles (UAVs)
  • A disadvantage of active reconnaissance is that the probes are likely to alert security professionals that something unusual is occurring
Performing a Penetration Test (3)

• Phase 1: Reconnaissance (continued)
  • Passive reconnaissance occurs when the tester uses tools that do not raise any alarms
  • This may include searching online for publicly accessible information called open source intelligence (OSINT) that can reveal valuable insight about the system
• Phase 2: Penetration
  • A pen test is intended to simulate the actions of a threat actor
  • The initial system compromised usually does not contain the data that is the goal of the attack
  • That system usually serves as a gateway for entry into an organization's network
  • Once inside the network, threat actors turn to other systems to be compromised until they reach the ultimate target
Performing a Penetration Test (4)

• Phase 2: Penetration (continued)
  • Lessons to be learned from how threat actors work include:
    • When a vulnerability is discovered, the pen tester must determine how to pivot (turn) to another system using another vulnerability to continue moving toward the target
    • Vulnerabilities that are not part of the ultimate target can still provide a gateway to the target
    • Pen tests are manual; therefore, a pen tester needs to design attacks carefully
    • Pen testers must be patient and persistent, just like the threat actors
Vulnerability Scanning

• Vulnerability scanning in some ways complements pen testing
• Studying vulnerability scanning involves understanding:
  • What it is
  • How to conduct a scan
  • How to use data management tools
  • How threat hunting can enhance scanning
What is Vulnerability Scanning?

• A penetration test is a single event using a manual process, often performed only after a specific amount of time has passed
• A vulnerability scan is a frequent and ongoing process that continuously identifies vulnerabilities and monitors cybersecurity progress
Conducting a Vulnerability Scan (1)

• Conducting a vulnerability scan involves:
  • Knowing what to scan and how often
  • Selecting a type of scan
  • Interpreting vulnerability information
• When and what to scan
  • Two primary reasons for not conducting around-the-clock vulnerability scans:
    • Workflow interruptions
    • Technical constraints
  • A more focused approach is to know the location of data so that specific systems with high-value data can be scanned more frequently

Conducting a Vulnerability Scan (3)

• Because a vulnerability scan should be limited, a configuration review of software settings should be conducted
  • Define the group of target devices to be scanned
  • Ensure that the scan is designed to meet its intended goals
  • Determine the sensitivity level or the depth of a scan
  • Specify the data types to be scanned
Conducting a Vulnerability Scan (4)

• Types of scans
  • Two major types of scans are credentialed scans and intrusive scans
  • In a credentialed scan, valid authentication credentials are supplied to the vulnerability scanner to mimic the work of a threat actor who possesses these credentials
  • A non-credentialed scan provides no such authentication information
  • An intrusive scan attempts to employ any vulnerabilities that it finds
  • A nonintrusive scan does not attempt to exploit the vulnerability but only records that it was discovered
Conducting a Vulnerability Scan (5)

• Vulnerability information
  • Vulnerability scanning software compares the software it scans against a set of known vulnerabilities
  • Vulnerability information is available to provide updated information to scanning software about the latest vulnerabilities
• Examining results
  • When examining the results of a vulnerability scan, you should assess the importance of a vulnerability as well as its accuracy
  • Questions that may help identify which vulnerability needs early attention:
    • Can the vulnerability be addressed in a reasonable amount of time?
    • Can the vulnerability be exploited by an external threat actor?
    • If the vulnerability led to threat actors infiltrating the system, would they be able to pivot to more important systems?
    • Is the data on the affected device sensitive or is it public?
    • Is the vulnerability on a critical system that runs a core business process?
  • Another part of prioritizing is making sure that the difficulty and time for implementing the correction is reasonable
Conducting a Vulnerability Scan (6)

• Examining results (continued)
  • Another consideration when examining results is the accuracy
  • Be sure to identify false positives, which is an alarm raised when there is no problem
  • A means to identify false positives is to correlate the vulnerability scan data with several internal data points
    • Most common are related to log files
    • Log reviews, or an analysis of log data, can be used to identify false positives
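The two "examining results" slides above describe one procedure: rank findings by the prioritization questions, then check their accuracy against internal data such as logs. The following added example (not code from the lecture or the textbooks it cites) does both over a constructed set of scan findings and constructed patch-management log lines. Every host address, service name, version number and weight is a hypothetical placeholder; the weights only encode the yes/no questions from the slide, not any real scoring standard.

```python
"""Triage of vulnerability scan results: score importance with the lecture's
prioritization questions and flag likely false positives by correlating
findings with patch log data. Added example; findings, log lines and version
numbers are constructed."""
import re

# Constructed scan findings (hypothetical values, documentation address range)
FINDINGS = [
    {"id": "F-1", "host": "192.0.2.20", "service": "openssh", "seen_version": "8.9",
     "fixed_in": "9.6", "external": True, "sensitive_data": True,
     "critical": True, "pivot": True, "fix_hours": 4},
    {"id": "F-2", "host": "192.0.2.21", "service": "nginx", "seen_version": "1.18",
     "fixed_in": "1.25", "external": True, "sensitive_data": False,
     "critical": False, "pivot": False, "fix_hours": 2},
    {"id": "F-3", "host": "192.0.2.22", "service": "openssh", "seen_version": "8.9",
     "fixed_in": "9.6", "external": False, "sensitive_data": True,
     "critical": True, "pivot": True, "fix_hours": 80},
]

# Constructed patch-management log lines from the scanned hosts (time ordered)
LOG_LINES = """
2024-10-02T01:10:00Z host=192.0.2.20 pkg=openssh action=upgrade to=9.7
2024-10-02T01:12:00Z host=192.0.2.21 pkg=nginx action=upgrade to=1.20
2024-10-02T01:15:00Z host=192.0.2.22 pkg=openssh action=restart
""".strip().splitlines()

LOG_RE = re.compile(r"host=(\S+) pkg=(\S+) action=upgrade to=(\S+)")


def version_tuple(v):
    """'9.6' -> (9, 6) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def installed_versions(lines):
    """Latest version recorded per (host, package) in upgrade log entries."""
    latest = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            host, pkg, ver = m.groups()
            latest[(host, pkg)] = ver    # lines are in time order, so last wins
    return latest


def likely_false_positive(finding, installed):
    """A finding is suspect when logs show a version at or past the fixed one:
    the scanner probably matched on a stale banner rather than the real build."""
    ver = installed.get((finding["host"], finding["service"]))
    return ver is not None and version_tuple(ver) >= version_tuple(finding["fixed_in"])


def priority_score(f):
    """Weighted yes/no answers to the lecture's prioritization questions,
    minus a penalty when the remediation effort is not reasonable."""
    score = 0
    score += 3 if f["external"] else 0        # exploitable by an external threat actor?
    score += 2 if f["pivot"] else 0           # could an attacker pivot to more important systems?
    score += 2 if f["sensitive_data"] else 0  # sensitive rather than public data?
    score += 3 if f["critical"] else 0        # critical system running a core business process?
    score -= 2 if f["fix_hours"] > 40 else 0  # fix not achievable in a reasonable time
    return score


def triage(findings, log_lines):
    """Return findings ordered for attention; false-positive candidates sort last."""
    installed = installed_versions(log_lines)
    rows = []
    for f in findings:
        rows.append({"id": f["id"], "score": priority_score(f),
                     "false_positive": likely_false_positive(f, installed)})
    return sorted(rows, key=lambda r: (r["false_positive"], -r["score"]))


if __name__ == "__main__":
    for row in triage(FINDINGS, LOG_LINES):
        print(row)
```

In the constructed data, F-1 would score highest, but the patch log shows the host was upgraded past the fixed version, so it is pushed to the bottom as a false-positive candidate that needs verification rather than immediate remediation; F-3 outranks F-2 despite its large remediation effort because it sits on a critical system holding sensitive data.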
Data Management Tools (1)

• Two data management tools are used for collecting and analyzing vulnerability scan data:
  • Security Information and Event Management (SIEM)
  • Security Orchestration, Automation, and Response (SOAR)
• Security Information and Event Management (SIEM)
  • A SIEM typically has the following features:
    • Aggregation
    • Correlation
    • Automated alerting and triggers
    • Time synchronization
    • Event duplication
    • Logs

Data Management Tools (2)

[Figure: SIEM Dashboard]
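To make the SIEM feature list concrete, here is an added example (not code from the lecture, nor from any real SIEM product) of a minimal pipeline over constructed log lines from two sources: it aggregates the events, synchronizes their timestamps to UTC, drops duplicate events, and correlates a burst of failed logins followed by a success from the same source into an automated alert. The log formats, addresses, user name and thresholds are all constructed for the example.

```python
"""Minimal SIEM-style pipeline over constructed log lines: aggregate events
from two sources, normalize timestamps to UTC (time synchronization), drop
duplicate events, then correlate failed logins followed by a success into an
automated alert. Added example; not a real SIEM and every line is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Source A: syslog-like auth log carrying a local-time offset (constructed).
AUTH_LOG = """
2024-10-02T03:00:01-04:00 sshd: Failed password for admin from 203.0.113.9
2024-10-02T03:00:03-04:00 sshd: Failed password for admin from 203.0.113.9
2024-10-02T03:00:05-04:00 sshd: Failed password for admin from 203.0.113.9
2024-10-02T03:00:05-04:00 sshd: Failed password for admin from 203.0.113.9
2024-10-02T03:00:09-04:00 sshd: Accepted password for admin from 203.0.113.9
""".strip().splitlines()

# Source B: a firewall exporting in UTC with a different line format (constructed).
FW_LOG = """
2024-10-02 07:00:02 UTC fw: DENY src=198.51.100.3 dst=192.0.2.20 dport=22
2024-10-02 07:00:02 UTC fw: DENY src=198.51.100.3 dst=192.0.2.20 dport=22
""".strip().splitlines()

AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+ \S+) UTC fw: (\w+) src=(\S+) dst=\S+ dport=(\d+)$")


def parse_auth(line):
    """Normalize one auth-log line into a common event record."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    # Time synchronization: convert the offset-bearing timestamp to UTC.
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return {"time": when, "source": "auth", "event": "login_" + outcome.lower(),
            "user": user, "src": src}


def parse_fw(line):
    """Normalize one firewall line into the same common event record."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts, action, src, dport = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"time": when, "source": "fw", "event": "fw_" + action.lower(),
            "user": None, "src": src}


def aggregate(auth_lines, fw_lines):
    """Aggregation plus duplicate removal: one time-ordered stream of unique events."""
    events = [e for e in map(parse_auth, auth_lines) if e]
    events += [e for e in map(parse_fw, fw_lines) if e]
    seen, unique = set(), []
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["time"], e["source"], e["event"], e["user"], e["src"])
        if key not in seen:       # identical event already ingested -> drop it
            seen.add(key)
            unique.append(e)
    return unique


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Automated alert trigger: >= threshold failures then a success from the
    same source within the window suggests a successful password-guessing login."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["event"] == "login_failed":
            failures[e["src"]].append(e["time"])
        elif e["event"] == "login_accepted":
            recent = [t for t in failures[e["src"]] if e["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"src": e["src"], "user": e["user"],
                               "failures": len(recent), "at": e["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    stream = aggregate(AUTH_LOG, FW_LOG)
    print(len(stream), "unique events")
    for a in correlate(stream):
        print("ALERT", a)
```

Without the time synchronization step the firewall event would sort four hours away from the login attempts it actually sits between, and without duplicate removal the repeated 03:00:05 line would inflate the failure count and the alert's confidence.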
• SIEMs can also perform sentiment analysis, which is the process of computationally identifying and categorizing opinions to determine the writer's attitude toward a particular topic
  • Sentiment analysis has been used when tracking postings threat actors make in discussion forums with other attackers to better determine the behavior and mindset of threat actors
• Security Orchestration, Automation, and Response (SOAR)
  • A SOAR is similar to a SIEM in that it is designed to help security teams manage and respond to security warnings and alarms
  • SOARs combine more comprehensive data gathering and analytics to automate incident responses
Threat Hunting

• Threat hunting is proactively searching for cyber threats that thus far have gone undetected in a network
• It begins with a critical premise: threat actors have already infiltrated our network
• It proceeds to find unusual behavior that may indicate malicious activity
• Threat hunting investigations often use crowdsourced attack data such as:
  • Advisories and bulletins
  • Cybersecurity threat feeds: data feeds of information on the latest threats
  • Information from a fusion center: a formal repository of information from enterprises and the government used to share information on the latest attacks
Cyber Security Resources

• External cybersecurity resources are available to organizations:
  • Frameworks
  • Regulations
  • Legislation
  • Standards
  • Benchmarks/secure configuration guides
  • Information sources
Frameworks

• A cybersecurity framework is a series of documented processes used to define policies and procedures for implementing and managing security controls in an enterprise environment
• The most common frameworks are from the:
  • National Institute of Standards and Technology (NIST)
  • International Organization for Standardization (ISO)
  • American Institute of Certified Public Accountants (AICPA)
  • Center for Internet Security (CIS)
  • Cloud Security Alliance (CSA)

[Figure: NIST Framework]
Regulations

• The process of adhering to regulations is called regulatory compliance
• Industry regulations are typically developed by established professional organizations or government agencies using the expertise of seasoned security professionals
• Sample of cybersecurity regulation categories:
  • Broadly applicable regulations
  • Industry-specific regulations
  • U.S. state regulations
  • International regulations
Legislation

• Specific legislation can also be enacted by governing bodies
  • These include national, territorial, and state laws
• Due to a lack of comprehensive federal regulations for data breach notification, many states have amended their breach notification laws from the basic definitions
  • No two state laws are the same
Standards

• A standard is a document approved through consensus by a recognized standardization body
• It provides for framework, rules, guidance, or characteristics for products or related processes and production methods
• One cybersecurity standard is the Payment Card Industry Data Security Standard (PCI DSS)
Benchmarks & Secure Configuration Guides

• Benchmark/secure configuration guides are usually platform/vendor-specific guides that only apply to specific products
• Usually, they are distributed by hardware manufacturers and software developers
• They serve as guidelines for configuring a device or software so that it is resilient to attacks
• Guides are usually available for:
  • Network infrastructure devices
  • OSs
  • Web servers
  • Application servers
Information Sources

• There are a variety of information sources, including:
  • Vendor websites
  • Conferences
  • Academic journals
  • Local industry groups
  • Social media
• A specialized research source is a Request for Comments (RFC): white paper documents authored by technology bodies employing specialists, engineers, and scientists who are experts in their field
References

Some contents were derived from the following texts:

• CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition
• Principles of Information Security, 7th Edition (Michael E. Whitman; Herbert J. Mattord)
• Ukeje, N., Gutierrez, J., & Petrova, K. (2024). Information security and privacy challenges of cloud computing for government adoption: a systematic review. International Journal of Information Security, 1-17.
• Ali, A. S., Zaaba, Z. F., & Singh, M. M. (2024). The rise of "security and privacy": bibliometric analysis of computer privacy research. International Journal of Information Security, 23(2), 863-885.
• Farayola, O. A., Olorunfemi, O. L., & Shoetan, P. O. (2024). Data privacy and security in IT: a review of techniques and challenges. Computer Science & IT Research Journal, 5(3), 606-615.