A Repository of Common Penetration-Testing Weaknesses


Penetration testing is a crucial step in identifying weaknesses in an organization's IT infrastructure. It is an essential assessment exercise for organizations to use when defending their environments against cyberattacks. The SEI conducts cybersecurity assessments for organizations and designs and develops applications that facilitate the collection and automated reporting of findings identified on assessments.

This post introduces a penetration-testing findings repository that is now publicly available on GitHub. Findings refer to the vulnerabilities and weaknesses identified during a penetration-testing assessment. The repository standardizes the language of findings and minimizes the time and effort needed for report writing. Moreover, the standardized finding-name format assists in analyzing aggregated data across multiple penetration-testing assessments.

This repository was created in response to the naming inconsistency of findings on penetration-testing assessments and to create a large collection of standardized weaknesses for assessors to use. Assessors would name findings differently on assessments: some would name a finding after a cyberattack while others would name it after a process. The penetration-testing findings repository focuses on naming a finding after the vulnerability and weaknesses that were identified on an assessment rather than after cyberattacks or processes. To help assessors locate findings more quickly during an assessment, the repository uses an affinity-grouping approach to categorize weaknesses, which increases usability by sorting the findings into a hierarchical three-tier structure. Moreover, the findings repository includes resources to help assessed organizations remediate the findings identified on a penetration-testing assessment.

A key step in securing organizational systems is identifying and understanding the specific vulnerabilities and weaknesses that exist in an organization's network. Once identified, the vulnerabilities and weaknesses must be put into context and certain questions must be answered, as outlined in the blog post How to Get the Most Out of Penetration Testing:

  • Which vulnerabilities and weaknesses should you spend finite resources addressing?
  • Which vulnerabilities and weaknesses are easily exploitable, and which aren't?
  • Which vulnerabilities and weaknesses put critical assets at risk?
  • Which vulnerabilities and weaknesses must be addressed first?

Without this context, an organization might devote resources to addressing the wrong vulnerabilities and weaknesses, leaving itself exposed elsewhere. The repository provides a default finding-severity level to help an assessed organization prioritize which findings to remediate first. An assessor can modify the default severity level of a finding depending on the other security controls in place in the organization's environment.

Repository Overview

The penetration-testing findings repository is a collection of Active Directory, phishing, mobile-technology, system, service, web-application, and wireless-technology weaknesses that may be discovered during a penetration test. The repository contains default names, descriptions, recommendations for remediation, references, mappings to various frameworks, and severity levels for each finding. This repository and its structure serve four primary purposes:

  • standardization—The repository standardizes the reporting process by providing defined findings for an assessor to select from during an assessment.
  • streamlined reporting—Providing pre-populated attributes (finding name, description, remediation, resources, and severity level) saves significant time during the reporting process, allowing assessors to focus on operations.
  • comprehensiveness—The repository's layered structure gives assessors flexibility in how they present their findings as the vulnerability landscape evolves. When possible, assessors select a specific finding. If no specific finding accurately describes what was discovered, assessors can select a general finding and tailor it accordingly.
  • ease of navigation—To make the repository easier to navigate, it uses a tiered classification structure. Findings are grouped by finding category, allowing assessors to report on both general and specific findings when creating reports.

As mentioned above, the findings repository is a hierarchical structure containing the following three tiers:

  • Finding Category Tier—lists the overarching categories: Active Directory Weakness, Phishing Weakness, Mobile Technology Weakness, System or Service Weakness, Web Application Weakness, Wireless Technology Weakness.
  • General Finding Tier—lists 27 high-level findings that act as subcategories of the overarching Finding Categories. A General Finding can be used as an individual finding on an assessment when there is no suitable Specific Finding.
  • Specific Finding Tier—lists 111 low-level findings that pinpoint a distinct weakness that can be exploited during an assessment. The specific findings consist of common findings frequently identified during assessments.
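
To make the three tiers concrete, the following is an added example (not code from the SEI repository) that models the category, general and specific tiers with constructed entries, the fallback from a missing specific finding to its general finding, an assessor's override of the default severity, and a tally across assessments; the general and specific finding names and the severity scale are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SEVERITIES = ("Informational", "Low", "Medium", "High", "Critical")  # assumed ordinal scale

@dataclass(frozen=True)
class Finding:
    category: str            # tier 1: Finding Category (names as given in the post)
    general: str             # tier 2: General Finding (hypothetical names)
    specific: Optional[str]  # tier 3: Specific Finding; None = reported at the general level
    severity: str            # repository default severity

# Constructed sample entries: the general/specific names are hypothetical, not repository entries.
REPOSITORY = [
    Finding("Active Directory Weakness", "Weak Account Configuration", "Kerberoastable Service Account", "High"),
    Finding("Active Directory Weakness", "Weak Account Configuration", None, "Medium"),
    Finding("Web Application Weakness", "Injection", "SQL Injection", "Critical"),
    Finding("Web Application Weakness", "Injection", None, "High"),
    Finding("Phishing Weakness", "Insufficient Email Filtering", None, "Medium"),
]

def select_finding(category: str, general: str, specific: Optional[str] = None) -> Finding:
    """Return the specific finding if the repository has it, else the general finding it belongs to."""
    for wanted in ((category, general, specific), (category, general, None)):
        for f in REPOSITORY:
            if (f.category, f.general, f.specific) == wanted:
                return f
    raise KeyError(f"no finding for {category} / {general}")

def report_finding(category: str, general: str, specific: Optional[str] = None,
                   severity: Optional[str] = None) -> Finding:
    """Select a finding and optionally apply the assessor's severity override (checked against the scale)."""
    f = select_finding(category, general, specific)
    if severity is None:
        return f
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    return Finding(f.category, f.general, f.specific, severity)

def aggregate_by_category(assessments: dict) -> Counter:
    """Tally findings per Finding Category across assessments; standardized names make this a plain count."""
    return Counter(f.category for findings in assessments.values() for f in findings)

if __name__ == "__main__":
    # Constructed assessments; in "B" no specific entry matches, so the general finding is reported,
    # and the assessor lowers its default severity because compensating controls were in place.
    a = {"A": [report_finding("Web Application Weakness", "Injection", "SQL Injection")],
         "B": [report_finding("Active Directory Weakness", "Weak Account Configuration", "Stale Computer Account", severity="Low")]}
    print(aggregate_by_category(a))
```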

As listed below, there are six Finding Categories:

Finding Categories

  • Active Directory Weakness—Active Directory (AD) is configured improperly. Some misconfigurations include unnecessary service accounts and permissions, insecure encryption ciphers, weak password policies, and/or insecure user or computer accounts. Attackers have various methods of pursuing AD weaknesses, including Kerberoasting, Golden Ticket attacks, Pass the Hash, or Pass the Ticket, which can lead to a complete takeover of the infrastructure.
  • Phishing Weakness—A phishing weakness allows an attacker to send a weaponized email through the network border that executes on the local host when a user performs an action. These emails can contain several luring attachments, Uniform Resource Locators (URLs), scripts, and macros. Inadequate protections allow malicious payloads to be executed.
  • Mobile Technology Weakness—Mobile technologies are increasingly used to deliver services and data. The amount of data stored on mobile devices makes their applications targets for attack. Compared to traditional computers, the functionality on mobile devices is harder to control, and mobile devices support more complex interfaces (e.g., cellular, Wi-Fi, Bluetooth, Global Positioning System [GPS]) that expose more surfaces to attack. Insecure mobile technology has vulnerabilities that attackers can exploit to gain access to sensitive information and resources.
  • System or Service Weakness—Weaknesses within a system or service can result in missing critical security controls that leave the organization vulnerable to attacks. These weaknesses can include weak configuration guidance that insecurely configures systems and services throughout the organization, insufficient or missing configuration management that results in ad hoc or default configurations, and so on.
  • Web Application Weakness—The security of websites, web applications, and web services (e.g., application programming interfaces [APIs]) is referred to as web application security. Web applications can be attacked by exploiting vulnerabilities at the application layer, transport layer, and software supply chain. Web application weaknesses are typically vulnerabilities, system flaws, or misconfigurations in a web-based application. Attackers often exploit these weaknesses either to manipulate source code or to gain unauthorized access to information or functions. Attackers may be able to find vulnerabilities even in a fairly robust security environment.
  • Wireless Technology Weakness—Wireless technologies allow mobile devices (e.g., laptops, smart phones, Internet of Things [IoT] devices, and printers) to connect to the enterprise network. Wireless networks can introduce potential vulnerabilities to an organization through weak policies that allow insecure wireless technology (e.g., insecure devices, insecure configurations, weak authentication processes, insecure encryption) on the network.

The repository also maps each finding to the following three frameworks:

Future Work

The plan is to update the repository as new common vulnerabilities and weaknesses are identified. Since the repository is open source, however, the cybersecurity community can also access the repository and add to it.

In addition to the Penetration Testing Findings Repository, a repository of common risks that can be identified during high-value asset (HVA) assessments is in the works. The purpose of this repository is to standardize the language of risks reported by assessors, in turn minimizing the time and effort needed for report writing on assessments. Like the penetration-testing repository, this new repository will contain risk statements, descriptions, and recommendations for mitigating risks identified on HVA assessments.

Additional Resources

How to Get the Most Out of Penetration Testing by Michael Cook

7 Tips for Being a Trusted Penetration Tester by Karen Miller
