Research

Vulnerability Assessments Versus Penetration Tests

by Steven Drew, EVP of Client Services, SecureWorks

As security professionals, most of you are familiar with vulnerability assessments and penetration tests (pen tests for short). Both are valuable tools that can benefit any security program, and both are integral components of a Threat and Vulnerability Management process. Unfortunately, the two terms are often used interchangeably, partly because of marketing hype, which has led to confusion and wasted resources for many enterprises. With that in mind, I'd like to clear the air between vulnerability assessments and pen tests and hopefully eliminate some of the confusion between the two.

By definition, a vulnerability assessment is the process of identifying and quantifying vulnerabilities in an environment. It is an in-depth evaluation of your security posture that indicates weaknesses and provides the mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk. To do this, most vulnerability assessments follow these general steps:

  1. Cataloging the assets and resources in a system
  2. Assigning a quantifiable value and importance to each resource
  3. Identifying the vulnerabilities or potential threats to each resource
  4. Mitigating or eliminating the most serious vulnerabilities on the most valuable resources first
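The four steps above are, in effect, a prioritization procedure: severity alone does not decide what gets fixed first; asset value and exposure do. The following is an added example (not code from the original article or from SecureWorks) that carries a small constructed inventory through all four steps and produces an ordered remediation list. The asset values, the placeholder vulnerability identifiers, the risk formula and the acceptable-risk threshold are all assumptions chosen for illustration.

```python
"""Risk-ranked remediation list for a vulnerability assessment.

Added example, not from the original article. Asset values, findings,
the risk formula and the threshold are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int            # business value, 1 (low) .. 5 (critical): step 2
    internet_facing: bool  # exposure modifier, an assumption of this example


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str     # placeholder identifiers, not real advisories
    severity: float  # CVSS-style base score, 0.0 .. 10.0
    fix: str


# Step 1: catalog assets (constructed sample inventory).
ASSETS = {
    a.name: a for a in [
        Asset("web-01", value=4, internet_facing=True),
        Asset("db-01", value=5, internet_facing=False),
        Asset("kiosk-03", value=1, internet_facing=False),
    ]
}

# Step 3: findings per asset (constructed).
FINDINGS = [
    Finding("web-01", "VULN-A", 7.5, "apply vendor patch"),
    Finding("db-01", "VULN-B", 9.8, "upgrade database engine"),
    Finding("kiosk-03", "VULN-C", 9.8, "disable unused service"),
    Finding("web-01", "VULN-D", 3.1, "tighten TLS configuration"),
]


def risk_score(finding, asset):
    """Assumed formula: severity x asset value, x1.5 if reachable from the Internet."""
    exposure = 1.5 if asset.internet_facing else 1.0
    return round(finding.severity * asset.value * exposure, 1)


def remediation_plan(findings, assets, acceptable_risk=10.0):
    """Step 4: order findings by risk. Findings at or below the threshold are
    accepted risk and returned separately so the decision is explicit."""
    scored = [(risk_score(f, assets[f.asset]), f) for f in findings]
    scored.sort(key=lambda sf: sf[0], reverse=True)
    must_fix = [(s, f) for s, f in scored if s > acceptable_risk]
    accepted = [(s, f) for s, f in scored if s <= acceptable_risk]
    return must_fix, accepted


if __name__ == "__main__":
    must_fix, accepted = remediation_plan(FINDINGS, ASSETS)
    for score, f in must_fix:
        print("FIX   %5.1f  %-9s %-7s %s" % (score, f.asset, f.vuln_id, f.fix))
    for score, f in accepted:
        print("ACCEPT %5.1f  %-9s %-7s %s" % (score, f.asset, f.vuln_id, f.fix))
```

Note what the ordering shows: a 9.8-severity finding on the low-value kiosk falls below the acceptable-risk line, while a 3.1-severity finding on the Internet-facing web server stays above it. That is the difference between a scan report and an assessment.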

On the other hand, a pen test simulates the actions of an external and/or internal attacker who aims to breach the security of the organization. Using many tools and techniques, the penetration tester attempts to exploit critical systems and gain access to sensitive data. Depending on the scope, a pen test can expand beyond the network to include social engineering attacks or physical security tests. There are two primary types of pen test: "white box", which uses vulnerability assessment results and other pre-disclosed information, and "black box", which is performed with very little knowledge of the target systems, leaving the tester to perform their own reconnaissance. Typically, pen tests follow these steps:

  1. Determination of scope
  2. Targeted information gathering or reconnaissance
  3. Exploit attempts for access and escalation
  4. Sensitive data collection testing
  5. Clean up and final reporting

So which of the two will deliver the most value to your organization? The answer should be determined by your current security posture. Unless both leadership and technical personnel are very confident in their security posture and already have a vulnerability assessment process in place, most organizations will be much better served by having a third party conduct a vulnerability assessment. This is because of the fundamental difference in approach between a vulnerability assessment and a penetration test. A vulnerability assessment answers the question: "What are our weaknesses and how do we fix them?" A penetration test simply answers the questions: "Can someone break in, and what can they get to?" A vulnerability assessment works to improve security posture and develop a more mature, integrated security program, whereas a pen test is only a snapshot of your security program's effectiveness at one point in time. Because of its approach, a vulnerability assessment is going to yield much more value for most enterprises than a pen test.

In conclusion, most organizations should start with a vulnerability assessment, act on its results to the best of their abilities and then opt for a "white box" pen test if they are confident in their improved security posture. Once an organization has gone through these successfully, they should then consider having a "black box" penetration test performed by a different third-party vendor for due diligence. If you've completed these, chances are that your organization's security posture has improved dramatically. But as with all things security, it doesn't end there. As processes within a Threat and Vulnerability Management program, both vulnerability assessments and pen tests need to be performed periodically to ensure continuous security posture improvement.


Internet Threat Update

Provided by SecureWorks' Security Research Team

New Mac OS X Malware-Writing Trend Seen

SecureWorks' security research team is monitoring an increasing interest in writing malware for Mac OS X systems. Last month we saw OSX/Leap-A, the first virus seen in the wild that infects Mac OS X systems. It was followed shortly after by OSX/Inqtana, a proof-of-concept worm that spreads via Bluetooth on Mac OS X.

Leap is sent inside a .tgz archive file, posing as screenshots of the latest Mac OS X release. The executable inside the archive has a JPEG icon, in an attempt to fool unsuspecting users into double-clicking on the file. When executed, the virus infects recently used applications and attempts to spread to other Mac OS X users via iChat. It was first posted to a Mac enthusiasts' web forum, where it was quickly identified as malware.

There is little threat from the current incarnation of Leap. The executable has bugs which prevent it from working as intended. On top of that, in most cases the infection process requires a user to provide the administrator password, something that should not need to be done in order to view an image. However, now that the technique for infection and spreading has been made public, interest in writing and spreading Mac OS X viruses will likely increase in the near future.

Inqtana uses a directory traversal vulnerability in the Mac OS X Bluetooth implementation to drop a copy of itself into the /Users folder, from where it is able to write itself into the startup processes for execution on the next reboot. However, Inqtana requires that a user accept an unknown file transfer via Bluetooth, limiting its potential to spread rapidly. Once again, the threat is low, but the trend toward devising auto-start techniques for Mac OS X makes it easier to write more damaging Mac OS X viruses and worms in the future.
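The bug class Inqtana abused is worth seeing in code: a file-receive handler that joins a peer-supplied file name onto its inbox directory, so a name containing "../" lands the file wherever the attacker wants, including a startup location. The following is an added example, not from the original article and not Apple's Bluetooth code; it shows the vulnerable join beside a hardened version. The inbox path, the file names and the startup directory used in the sample are constructed for illustration.

```python
"""Directory traversal in a file-receive handler: vulnerable vs hardened.

Added example, not from the original article and not Apple's code. The
inbox path and file names below are constructed for illustration.
"""
import os

# Constructed: where an OBEX-style push is supposed to land received files.
INBOX = "/Users/alice/Downloads"


def vulnerable_target_path(inbox, client_name):
    """Trusts the name sent by the peer. A name such as
    '../../Library/StartupItems/payload' resolves outside the inbox."""
    return os.path.join(inbox, client_name)


def escapes(inbox, path):
    """True if `path` resolves to somewhere outside `inbox` (symlinks followed)."""
    inbox_real = os.path.realpath(inbox)
    return os.path.commonpath([inbox_real, os.path.realpath(path)]) != inbox_real


def safe_target_path(inbox, client_name):
    """Accept only a bare file name, then verify containment after resolution.

    Two layers: reject separators and '..' up front (a legitimate push sends a
    bare name, so a traversal attempt should be refused loudly and logged), and
    re-check after realpath() so a symlink planted in the inbox cannot redirect
    the write outside it either."""
    if (not client_name or client_name in (".", "..")
            or "/" in client_name or "\\" in client_name or "\x00" in client_name):
        raise ValueError("rejected peer file name: %r" % client_name)
    inbox_real = os.path.realpath(inbox)
    candidate = os.path.realpath(os.path.join(inbox_real, client_name))
    if os.path.dirname(candidate) != inbox_real:
        raise ValueError("path escapes inbox: %r" % client_name)
    return candidate


if __name__ == "__main__":
    for name in ("photo.jpg", "../../Library/StartupItems/payload"):
        p = vulnerable_target_path(INBOX, name)
        print("vulnerable: %-40s -> %s (escapes=%s)" % (name, os.path.realpath(p), escapes(INBOX, p)))
        try:
            print("hardened:   %-40s -> %s" % (name, safe_target_path(INBOX, name)))
        except ValueError as err:
            print("hardened:   %-40s -> REFUSED (%s)" % (name, err))
```

The containment check is the part that matters in practice: stripping "../" with string replacement is easy to bypass (for example "....//" becomes "../" after one pass), whereas resolving the path and comparing its parent to the inbox holds regardless of how the name was encoded.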

Anti-virus scanners for Mac OS X have been available from several major vendors for some time; however, they have not been widely deployed to date. This is not because OS X is inherently more secure, but simply because of the overall lack of malware for the platform thus far. Mac OS X is subject to the same classic malware-spreading vectors as Microsoft Windows, including browser exploits and social engineering via email and instant messaging. This new development suggests that any malware defense strategy you are deploying for Windows-based systems should also be extended to cover Mac OS X.


SOC War Story: Not-So-Trusted Partners

Business Problem

In today's highly competitive business world, the need to work closely with trusted partners is vital. The drive to lower costs and increase margins has forced companies to tightly integrate with suppliers, contractors and other channel members to the point where there is no "wasted motion" in getting products to market. Though beneficial for business, these partnerships introduce many security risks that must be well-managed to avoid potentially devastating breaches and incidents. Without an effective strategy for minimizing these risks, enterprises can find themselves dealing with incidents that could have been easily avoided had they taken the appropriate measures.

On the very first day of monitoring the security devices of a new customer, SecureWorks' analysts caught a number of users running P2P software after investigating alerts generated by the client's IDS devices. Our analysts determined that these users were running a variety of P2P programs, including a couple that are known to install spyware and adware. These P2P applications presented a very serious risk to our customer, allowing Trojans, worms and other malware to bypass perimeter security measures and penetrate the network.
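Two things give P2P clients away on a network even when the IDS has no signature for a particular program: connections to the ports the popular clients default to, and a high fan-out to many distinct peers on ephemeral ports, which is how a swarm looks from the inside regardless of port. The following is an added example, not SecureWorks' IDS content or code, that runs both heuristics over a few constructed connection-log lines. The log format, the port list and the peer-count threshold are assumptions chosen for illustration.

```python
"""Flagging likely P2P clients from constructed connection-log lines.

Added example, not SecureWorks' IDS signatures or code. The log format,
P2P_PORTS and the fan-out threshold are assumptions for illustration.
"""
from collections import defaultdict

# Ports historically used as defaults by common P2P clients (assumed list).
P2P_PORTS = {6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889,
             4662, 4672, 1214, 6346, 6347}

# Constructed sample: "src_ip dst_ip dst_port proto", one outbound connection per line.
SAMPLE_LOG = """\
10.1.1.20 198.51.100.7 443 tcp
10.1.1.20 198.51.100.9 443 tcp
10.1.1.31 203.0.113.5 6881 tcp
10.1.1.31 203.0.113.6 6881 tcp
10.1.1.31 203.0.113.7 6881 tcp
10.1.1.40 192.0.2.11 51413 tcp
10.1.1.40 192.0.2.12 52001 tcp
10.1.1.40 192.0.2.13 38766 udp
10.1.1.40 192.0.2.14 60210 tcp
10.1.1.40 192.0.2.15 49100 udp
10.1.1.40 192.0.2.16 57333 tcp
10.1.1.40 192.0.2.17 45020 tcp
10.1.1.40 192.0.2.18 61012 udp
10.1.1.40 192.0.2.19 40987 tcp
10.1.1.40 192.0.2.20 55555 tcp
10.1.1.40 192.0.2.21 58000 udp
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into (src, dst, port, proto)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = line.split()
        records.append((src, dst, int(port), proto))
    return records


def flag_p2p_hosts(records, peer_threshold=8, high_port=1024):
    """Return {src_ip: [reasons]} for hosts that trip either heuristic:
    1. any connection to a well-known P2P port;
    2. fan-out: more than `peer_threshold` distinct peers on ports >= `high_port`,
       which catches clients configured to use random ports."""
    known = defaultdict(set)
    peers = defaultdict(set)
    for src, dst, port, proto in records:
        if port in P2P_PORTS:
            known[src].add(port)
        if port >= high_port:
            peers[src].add(dst)
    verdicts = {}
    for src in set(known) | set(peers):
        reasons = []
        if known[src]:
            reasons.append("known P2P port(s): %s" % sorted(known[src]))
        if len(peers[src]) > peer_threshold:
            reasons.append("%d distinct peers on high ports" % len(peers[src]))
        if reasons:
            verdicts[src] = reasons
    return verdicts


if __name__ == "__main__":
    for host, reasons in sorted(flag_p2p_hosts(parse_log(SAMPLE_LOG)).items()):
        print(host, "->", "; ".join(reasons))
```

In the sample, 10.1.1.31 is caught by the port list and 10.1.1.40 only by fan-out; 10.1.1.20, which talks HTTPS to two servers, is not flagged. The fan-out rule is the one to tune per site: a busy mail relay or a monitoring host will also fan out, so the threshold and a whitelist of expected high-fan-out systems belong in the same place as the port list.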

Solution

SecureWorks' team of SANS GIAC Certified Security Analysts immediately contacted the appropriate customer security personnel and explained the situation. Together, they determined that some of the users belonged to an onsite partner under contract with our customer, who was using network resources without any restrictions. Soon thereafter, they tracked the users down, educated them on the hazards of using P2P software and removed the programs from their workstations.

As a result of the above wake-up call, our experienced security consultants began working with our customer to promptly re-evaluate their relationships with each of their trusted partners and to develop security strategies that would minimize the risk each partner presents. Working with management, we helped our customer to amend their policies and implement procedures that effectively limit partner privileges and restrict those rights that are not needed for their responsibilities. Now, our customer has a strategic system in place that maintains security without hindering their business.

Subscribe to the On the Radar Newsletter