Development and operations a practical guide



Joe Vest, James Tubberville, Red Team Development and Operations
Penetration Test
According to NIST Special Publication 800-53 (Rev. 4) CA 1, penetration testing is defined as a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. In other words, penetration testing is an authorized simulated attack against a system, designed to identify and measure the risks associated with the exploitation of a target's attack surface. This may sound like a red team engagement. The differences are often misunderstood but are critical to the success of both.
Penetration testing takes a vulnerability assessment to the next level by introducing exploitation into the test. The goal of a penetration test is to determine the risk associated with vulnerabilities and flaws. A penetration test can look and feel very similar to a Red Team engagement and, in many cases, uses the same tools. These similarities should not cause anyone to confuse the two. Penetration tests focus on exploiting weaknesses to determine business risk. It is common for a penetration test to explore a wide range of vulnerabilities to discover their risks. During a Red Team engagement, flaws will be exploited, but only to the degree needed to achieve the goals or objectives. If a single vulnerability allows a Red Team to move forward, the team uses only that one to move forward. The other twenty flaws found (by the Red Team or a previous vulnerability assessment) will be documented but may remain un-actioned during the Red Team engagement. Penetration testing, although more narrowly focused than a vulnerability assessment, has a much broader focus than a Red Team engagement. Like a vulnerability assessment, mitigation performed after a penetration test reduces the attack surface. This mitigation is an effective way to make things more difficult for attackers, but it does not reduce operational risk to zero. Attack surface reduction efforts are good at limiting a threat's ability to operate but do not measure a threat's ability to impact an organization. Penetration tests should be considered an effort in attack path validation with the goal of reducing the attack surface.
Penetration tests are often driven to support audit requirements, such as those for PCI/DSS [9] or HIPAA [10]. Red Teaming is typically not driven by compliance but by the desire to fully test an organization's ability to defend, respond, and react to a threat.
Risk to business operations is arguably the most critical consideration in measuring overall security risk. Security assessments that map findings and observations to operational risk can gain the support needed to make a significant improvement. Let's compare these types of assessments in terms of operational risk. An inverted triangle can illustrate the relationship of Red Teaming, Penetration Testing, and Vulnerability Assessments in terms of organizational or operational risk. The depth and breadth of each security assessment type, as can be seen, is quite different.

Vulnerability assessments tend to be broad in coverage but narrow in scope. Consider a vulnerability assessment where the goal is to measure all workstations in an enterprise. The scope is very broad but not very deep in the context of organizational risk. What can be said about the risk to operations when flaws are identified? Organizational risk can only be understood at the workstation level. The overall risk to an organization can be extrapolated to some degree but generally stays at that workstation level. Vulnerability assessments are good at reducing attack surface but do not provide much detail in terms of organizational risk. This common misunderstanding leads to vulnerability assessments being used to mismeasure security risk.
Penetration tests take vulnerability assessments to the next level by exploiting and proving out attack paths. Although penetration tests may often look and feel like a red team engagement at the technical level, the critical difference lies in the goals and intent. The purpose of a penetration test is to execute an attack against a target system to identify and measure the risks associated with the exploitation of a target's attack surface. Consider a penetration test against the external boundary of a network. A penetration tester exploits an identified flaw that allows inbound access to the target organization.

From a penetration testing standpoint, this was the identification of a deficiency. What does this mean to the organization? What is the risk? If this flaw is mitigated, how does this impact organizational risk? The organizational risk can be indirectly measured as a flaw that allows a threat to gain remote access, but more severe risks to operations must be extrapolated from this attack. Mitigation will help address technical deficiencies and reduce the attack surface. What about the people and processes, or detection and response actions? Will this type of attack be detected in the future, or is the organization playing a "whack-a-mole" game with individual vulnerabilities? Plugging holes is good and does reduce the attack surface, but this is where red teaming enters. Red Teaming focuses on security operations as a whole and includes people, processes, and technology. Red teaming focuses explicitly on goals related to training blue teams or measuring how security operations can impact a threat's ability to operate. Technical flaws are secondary to understanding how the threat was able to impact an organization's operations, or how security operations were able to impact a threat's ability to operate.
