VAPT:A suitable assessment for data security
VAPT meaning Vulnerability Assessment and Penetration Testing. In today’s corporate world, there is no doubt that security is now one of the main issues being addressed. Every day, we hear about cyber-attacks into computer systems and servers, stealing everything from passwords to financial information and data. No matter how strong we build the security team to combat the security breaches, the attacker is always one step ahead. So, in order to secure its environment from hackers one should know its own security weakness and vulnerabilities. Organization can know its information security IS weakness and vulnerabilities by doing Vulnerability Assessment and Penetration Testing (VAPT) audit.
The word Vulnerability Assessment and Penetration Testing (VAPT) audit are two different types of vulnerability testing methodologies in information security IS. Therefore, These testing methodologies have different strengths which are combined to achieve a complete vulnerability analysis. Vulnerability assessment is the process of identifying and measuring security vulnerability in an environment which finds out the weaknesses and reduce the risk associated with them. Vulnerability assessment cannot differentiate between exploitable and non-exploitable vulnerabilities. Whereas, Penetration Testing relies upon Vulnerability Assessment.
Types of Penetration Testing
Penetration Testing attempt to exploit the vulnerabilities in a system to determine whether unauthorized access or other malicious activity is possible. So, Penetration testing helps find exploitable weakness and measure the severity of each. A Penetration testing includes network penetration testing and application security testing as well as controls and processes around the networks and applications which should occur from both inside (internal testing) and outside (external testing) of the network. A penetration testing shows how damaging a flaw could be in a real attack rather than find every flaw in a system.
There are three types of Penetration Testing:
- Black Box Testing;
- White Box Testing;
- Grey Box Testing.
Black Box Testing:
In a real scenario, cyber-attacks happen when the hacker does all types of attacks and brute force against the IT infrastructure environment of an organization, in hopes of trying to find vulnerabilities or weakness in the system as the hacker does not know the ins and outs of an IT infrastructure environment. In other words, this type of pen testing is called dynamic analysis security testing (DAST) where the tester has no relevant information about the target machine or the system, except the basic information of an organization for general understanding. Black box testing identifies the vulnerabilities, including input and output validation problems, server configuration errors and application specific problems testing from an external network with no prior knowledge of the internal networks and systems.
White Box Testing:
White box testing, also known as static analysis security testing (SAST), is a critical tool for finding and fixing security vulnerabilities and flaws in applications. As the black box testing seeks to find vulnerabilities from outside the application the way a hacker would, white box testing analyzes the source code or the compiled binaries to catch semantic coding errors and flaws in the application or its infrastructure. Similarly, In this type of pen testing the pen-tester gets some information about the implemented security structure of an organization’s network architecture and the systems. It is also known as internal testing.
Gray Box Testing:
Grey Box Testing is a combination of black box and white box testing method where it has a partial knowledge of internal working structure. It is based on UML diagrams, architectural view, database diagrams and functional specification. Moreover, Grey box testing is best fit for web based application specific errors as it is a best approach for functional or domain testing. Also, Testing can be done from internal or external network, with knowledge of internal networks and systems.
VAPT Audit and information security IS Methodology
A complete process of Vulnerability Assessment and Penetration Testing (VAPT) is compose of many sub processes. The VAPT testers uses many open source and licensed tools in each of these sub-processes to analyze the security arrangements of the entire infrastructure and system.
Phases of VAPT for information security
A complete process of VAPT is conduct in following three phases:
Phase 1: Test Preparation Phase
In this phase the organization needs to decide the Scope of Work, Objectives, Time and Duration of the VAPT. All the documents related to the scope of work are organized and finalized. Therefore, Issues like confidentiality, information leakage and downtime is resolve and put into legal agreement document. Some of the documents required to conduct Vulnerability Assessment and Penetration Testing as follows:
- Memorandum of Understanding.
- Non-Disclosure Agreement.
- Confidentiality Agreement.
Phase 2: Testing Phase
In this phase the actual testing is done. The operations divided into two parts, vulnerability assessment and the other penetration testing. Whereas,In Vulnerability Assessment the pen tester aims to find and analyze the existing set of vulnerabilities in the target system.
As this process is compose of many sub-processes which are:
The pen tester collects the information of the target system which would help to generate an image of the target’s security infrastructure environment.
After discovering the target the pen tester performs a scan on target system to identify the list of existing vulnerabilities, which intend to impose a threat to the security of the target system.
In this phase it inherits the output of the scanning phase and analyzes the set of vulnerabilities identified after scanning. However, The pen tester prioritizes the identified vulnerabilities based on their severity and impact which can be critical, high, medium or low. The vulnerabilities later address and resolve in the same order.
After the successful accomplishment of initial phases, the pen tester documents the various operations performed and results obtained in the entire process.
In Penetration Testing the pen tester exploits the identified set of vulnerabilities. By exploiting the vulnerabilities it checks the difficulty level of exploiting the vulnerabilities. This process also provides a Proof-of-Concept to support the test finding during later stage.
Phase 3:Pre Attack Phase
The pen tester conducts Reconnaissance. This strategy propagates into two parts: passive and active reconnaissance. In passive reconnaissance the pen tester passively gathers all the set of possible information details without touching the target network. Once it’s done, the pen tester enters into active reconnaissance. Similarly, in active reconnaissance various exploits perform over the target to gather responses. And, detect any vulnerabilities or loopholes in the target system.
Phase 4:Attack Phase
The pen tester tries to compromise the target system in real, by using different tools and techniques to exploit the logical and physical vulnerabilities exposed during the pre-attack phase. Also, Some of the techniques which perform in attack phase are perimeter penetration, target acquisition and privilege escalation.
Phase 5:Post Attack Phase
The pen tester aims at returning the modified system to the pretest state. The pen tester performs the reversal of each change made to the system to restore to its pre attack state. The activities performed during post attack phase includes removal of any files, tools, exploits, or other test created objects uploaded to the system during testing.
Phase 6:Reporting Phase
In this phase a thorough investigation and validation of all the findings. Similarly, the final report is hand over to the concern authorities along with the mitigation plan. Which holds recommendations for remediation of the identified vulnerabilities and exploits.
Tools to conduct VAPT that have been used by the professional these days are:
- John the Ripper
Comparison of Vulnerability Assessment with Penetration Testing
Vulnerability Assessment: Automatically identify weakness via a software rather than manually.
Penetration Testing: Penetration Testing is a form of stress testing which exposes weakness.
Run easily and quickly, freeware or inexpensive tools available.
Penetration Testing: Imitate actual attacker process to extend possibilities. Expensive, need special experts.
Vulnerability Assessment: It will stop just before compromising a system.
Penetration Testing: It will go as far as it can within the scope of work.
Vulnerability Assessment: Searches and checks the underlying
design to detect holes.
Penetration Testing: Intends to exploit the vulnerability to probe the damage that could result from the VA.
Vulnerability Assessment: Done by Commercial tools. Every 1 to 3 months.
Penetration Testing: Done by Public Process Annually.
Vulnerability Assessment: Goals and Objective, scope, information gathering, vulnerabilities detection, information analysis and planning.
Penetration Testing: Scope test plan, identify potential vulnerabilities, attempt vulnerabilities exploitation, and document findings, report and remediation.
In today’s Technological Era, where anything and everything remains connected and partially exposed. Cyber-attacks are rapidly evolving and creating massive threat to Industry and Government across the globe. In addition, these attackers have caused losses worldwide amounting to a lot of money. Though protection systems is develop, but still the hackers are finding new techniques to bypass them. Also these emerging threats are complex and done in a cautious manner.
So, there is a need to carry out continuous research efforts and development solutions to protect from evolving cyberattacks. Thus, Vulnerability Assessment and Penetration Testing (VAPT) audit in information security IS is efficient, cost effective and assure assessment tool. Which periodically analyzes the status of current security arrangements and helps organization to install the required security patches in order to be remain protected from inside and outside threats. VAPT being proactive in nature, it enables an organization to know about the possible set of threats and attacks even before their actual occurrence. Therefore, organizations should safeguard their data and systems much before the attack.