NETWORK AND SYSTEM SECURITY ASSESSMENT USING PENETRATION TESTING ON VIRTUAL MACHINES

CHAPTER TWO
LITERATURE REVIEW

2.1 Introduction
This chapter discusses penetration testing in more depth by introducing information relevant to the study. The literature review lays the foundation for the study by presenting important concepts regarding information security and security controls, followed by penetration testing, its types, methodology, tools and threat actors.

2.2 Conceptual Framework

2.2.1 Security Controls
a. Proactive Security Controls
A proactive security approach prevents major incidents before they happen. Preventative measures taken by a company anticipate potential situations and save the firm from devastating events that can lead to crippling losses from theft, fire or natural disaster.
In addition, the physical manifestations of a proactive security system, such as signs, cameras and passwords, act as visible deterrents to thieves, vandals and hackers (Gerald Hanks, 2019).

Proactive security measures can range from a simple padlock to a sophisticated security system. They can be physical barriers, such as heavy doors or fireproof file cabinets, or electronic countermeasures, such as pressure sensors, surveillance cameras and keycard readers.
Proactive security systems can be unmanned or can involve a full staff of security professionals. Many companies employ proactive security procedures for both their physical assets and their sensitive data, such as intellectual property and customer records (Gerald Hanks, 2019).

b. Passive (Reactive) Security Controls
The reactive security approach calls for companies to respond to past and present threats rather than anticipate future dangers. When the company falls victim to a threat, the owners determine the level of the threat, assess the amount of the damage and install measures to prevent such an event from recurring. Since no business can anticipate every possible threat, and many do not have the resources to install proactive measures against unanticipated threats, many companies employ a reactive security approach (Gerald Hanks, 2019).

Security companies, such as those that offer 24-hour monitoring, function more as reactive agents than as proactive measures. These companies provide personnel to patrol a facility, monitor computer activity and watch live feeds from security cameras. When a security incident occurs, they step in and attempt to stop the perpetrators or contact local law enforcement agencies. The visibility of security guards serves a proactive function, but they often act in a reactive capacity (Gerald Hanks, 2019).

2.2.3 Penetration Testing
Penetration testing is a well-known method for actively evaluating and assessing the security of a network or an information system by simulating an attack from an attacker's perspective. A penetration test is a controlled attack simulation that helps determine how vulnerable software, systems and operating systems are to being breached. Penetration testing enables the tester to actively identify vulnerabilities, verify existing controls and develop recommendations. It simulates real attacks and verifies that protection mechanisms function under working conditions.
Attacks can be conducted covertly or with the target's knowledge, from inside the infrastructure or from the external environment of the information system, and can be focused on a particular object or on all available systems and services in the environment, under predetermined conditions. Penetration tests are procedures that attempt to examine an organization's data security methods. Penetration testing is a preventative measure consisting of a chain of legitimate tools that identify and exploit a company's security weaknesses. It uses the same or similar techniques as malicious hackers to attack key vulnerabilities in an organization's security system, which can then be mitigated and closed. In other words, penetration testing can be described as not knocking on the door, but breaking through it. These tests reveal how easily an organization's security controls can be penetrated and its confidential and sensitive information assets accessed by hackers. Network penetration testing identifies the exploits and vulnerabilities that exist within the computer network infrastructure and helps to confirm the security measures. Penetration testing can reveal to what extent the security of information technology systems is threatened by attacks from hackers, crackers and others, and whether the security measures in place are currently capable of ensuring IT security. Penetration testing determines how difficult it is for someone to defeat an organization's security controls against unauthorized access to its information and information systems. It is done by simulating an unauthorized user attacking the system using automated tools, manual methods or a combination of both. Penetration testing helps safeguard the organization against failure by preventing financial loss; proving due diligence and compliance to industry regulators, customers and shareholders; preserving corporate image; and rationalizing information security investment.
Penetration testing, as a proactive service, provides well-founded evidence that helps the organization to meet the auditing or compliance aspects of regulations. It creates heightened awareness of the importance of security at all levels of the organization, and so helps the organization avoid security incidents that threaten its corporate image, put its reputation at risk and impact customer loyalty.

Penetration testing helps shape information security strategy through quick and accurate identification of vulnerabilities; proactive elimination of identified risks; implementation of corrective measures; and enhancement of information technology knowledge.

Penetration testing provides detailed information on actual, exploitable security threats if it is incorporated into an organization's security doctrine and processes. This helps the organization to identify real and potential vulnerabilities quickly and accurately. By providing the information required to effectively and efficiently isolate and prioritize vulnerabilities, penetration testing can assist the organization to fine-tune and test configuration changes or patches and so proactively eliminate identified risks. Penetration testing can also help an organization quantify the impact and likelihood of the vulnerabilities, which allows it to prioritize and implement corrective measures for reported known vulnerabilities.

A penetration tester must follow a defined methodology in order to successfully identify the threats an organization's network or information assets face from a hacker, and to reduce the organization's IT security costs by providing a better return on security investment. Carrying out a penetration test entails a great deal of time, effort and knowledge to deal with the complexities of the test space.
Penetration testing will therefore enhance the knowledge and skill level of anyone involved in the process.

2.2.3.1 Types of Penetration Testing
Based on the information available to the pentester, pentesting is divided into:
a. Black Box
b. White Box
c. Grey Box

Based on the location of the pentester, pentesting is divided into:
a. External
b. Internal

a. Black Box Pentesting: This test is carried out with zero knowledge about the target network. The tester is required to acquire knowledge using penetration testing tools or social engineering techniques, figuring out the loopholes of the system from scratch. This is similar to the blind test strategy, which simulates the actions and procedures of a real attacker who has no information concerning the test target. Publicly available information on the internet may be used by the penetration tester.
b. White Box Pentesting: This test is also called complete knowledge testing. Testers are given full information about the target network. This strategy is referred to as targeted testing, where the testing team and the organization work together, with all the information provided to the tester prior to the test. The information can include host IP addresses, domains owned by the company, applications and their versions, network diagrams, and security defenses such as the IPS or IDS in the network.
c. Grey Box Pentesting: The tester simulates an insider such as an employee. The tester is given partial disclosure of information about the test target, an account on the internal network and standard access to the network. This test assesses internal threats from employees within the company by gathering further information before conducting the test. Grey box testing combines elements of both white box and black box testing.

Based on location, there are two types of penetration testing, external and internal:
a.
External Penetration Test: This test shows what a hacker can see of the network from the internet and exploits the vulnerabilities visible there. Here the threat comes from an external network, the internet. The test is performed over the internet from outside the perimeter firewall. The objective of external testing is to find out whether an outside attacker can get in and how far he can get once he has gained access. External testing attempts to simulate what harm an external hacker could do from outside the system. The red team would conduct intrusion attacks on the organization's network through the internet or an extranet, generally targeting the organization's servers or devices, such as the email server, Domain Name Server, web server or firewalls.
b. Internal Penetration Test: This test shows risks from within the network, for example the threat a disgruntled or ignorant employee can pose to it. The test is performed by connecting to the internal LAN, from within the organization that owns the test target, and simulates what an authorized user or employee could potentially do. The strategy is useful for estimating how much damage a disgruntled or ignorant employee could cause.
Internal testing is centered on understanding what could happen if the test target were successfully penetrated by an authorized user with standard access privileges. Internal testing may be more comprehensive than external testing, because an authorized user can use either the internal or the external system to attack the organization's information system.

2.2.3.2 Penetration Testing Methodology
Penetration testing is frequently done using ad hoc methods and tools rather than according to a formalized standard or procedure. There is no single standard approach to penetration testing, since the network and system situation of each organization is different. Security professionals have introduced different methodologies for conducting penetration tests, ranging from simple ones to more sophisticated and formal processes.

Penetration testing has three basic phases, mimicking the steps a real hacker would use to carry out an attack: pre-attack, attack and post-attack. The pre-attack phase explores and investigates the target network or system. The attack phase involves the actual compromise of the target. The post-attack phase, which is unique to the penetration testing team, returns any modified networks or systems to the state they were in before the test began. A simple penetration testing methodology therefore consists of the following three steps: information gathering (reconnaissance or recon), enumeration (scanning) and exploitation.

a. Reconnaissance or Information Gathering: This is a very important step that a penetration tester must follow. It is the process of searching for available information to be used in the penetration test. After the pre-planning and goal definition, the pentester must gather as much information as possible about the target network or system. This is particularly the case in black box testing, when the organization has not provided any information to the penetration tester.
A penetration tester must gather information from an attacker's perspective. Anything that is useful to an attacker should be collected: network diagrams, IP addresses, domain names, device types, applications and their versions, and security defenses such as IDS and IPS. To gather this information, the tester consults IP registries, DNS registrars, the organization's website, Google, social or professional networking websites, and job sites such as Monster.com, whose postings often reveal the technologies an organization uses.
b. Enumeration: Information is acquired directly from the target systems or network with the help of tools and techniques in order to build a picture of the organization's environment. Network enumeration creates a picture of the configuration of the network or system being tested, while host enumeration identifies the services available on devices such as routers, firewalls and servers, reveals their function, and finds open ports that could be used to infiltrate the network or system. Potential vulnerabilities are also identified and listed at this stage.
c. Exploitation: In the exploitation stage, the information obtained from the previous stages is used, together with automated tools, techniques and fine-tuned manual steps executed in a specific way, to compromise the system or network through the identified vulnerabilities or other channels that were found open, in order to acquire administrative access. Reported vulnerabilities sometimes have to be tested and confirmed manually, since vulnerabilities reported by scanners may be false positives. There are various tools for testing the vulnerabilities associated with each port, which leads to an extensive penetration test.

2.2.3.3 Penetration Testing Tools
Many penetration testing tools, ranging from free and open source software to commercial products, are used by testers to assess the security of an organization's network or systems. These tools take care of labor-intensive tasks, giving the tester more time to focus on more sophisticated tasks.
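Before looking at individual tools, the enumeration step of the methodology in 2.2.3.2 can be shown in working code. The following script is an added example and is not part of the original text: it performs a TCP connect scan with banner grabbing, distinguishing open, closed and filtered ports the way a scanner does. So that it runs offline, it scans 127.0.0.1 against a constructed fake service that the script itself starts; the port numbers, the banner text and the timeouts are assumptions for illustration only.

```python
#!/usr/bin/env python3
"""Host enumeration by hand: TCP connect scan with banner grabbing.

Added example for the enumeration step of the methodology above; it is
not code from the original text.  To run offline it scans 127.0.0.1
against a constructed fake service, so the port numbers, banner text
and timeouts used here are assumptions for illustration only.
"""
import socket
import threading


def start_fake_service(banner: bytes) -> int:
    """Stand-in for a real daemon (constructed for the demo): listen on an
    ephemeral loopback port, send `banner` to each client, then hang up.
    Returns the port number it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port() -> int:
    """Pick a loopback port that is closed right now (the demo's negative
    case); binding to port 0 and releasing it is good enough here."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 1.0):
    """Complete the TCP handshake (a 'connect scan') and read whatever the
    service volunteers.  Returns (state, banner) where state is 'open',
    'closed' (connection refused, i.e. a RST came back), 'filtered' (no
    answer within the timeout, typically a firewall dropping the SYN) or
    'error' for any other socket failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""   # open, but the service waits for the client to speak first
            return "open", data.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return "closed", ""
    except socket.timeout:
        return "filtered", ""
    except OSError:
        return "error", ""


def scan(host: str, ports, timeout: float = 1.0):
    """Probe each port and return {port: banner} for the open ones, i.e.
    the attack surface the exploitation phase will work on."""
    found = {}
    for port in ports:
        state, banner = probe(host, port, timeout)
        if state == "open":
            found[port] = banner
    return found


if __name__ == "__main__":
    demo = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1\r\n")  # constructed banner
    for port, banner in scan("127.0.0.1", [demo, unused_port()]).items():
        print(f"127.0.0.1:{port} open  {banner}")
```

A connect scan completes the three-way handshake, so it needs no raw-socket privileges but is also fully logged by the target; the banner is only a lead, since service banners can be edited or report backported versions, which is why the exploitation step above insists on manual confirmation of scanner findings.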
Penetration testing tools can be classified as follows:

a. Service and Network Mapping Tools (Network Mapper: Nmap)
Nmap supports a variety of port and network scan types, operating system detection and service/version detection, and reports whether each port is open, closed or filtered. Nmap can be used to discover which hosts are available on the network, what services those hosts are offering, what operating systems they are running, what packet filters or firewalls are in use, and dozens of other characteristics. Nmap is a free, open source and powerful application used by most security professionals and is one of the most popular tools among penetration testers. It is available for Linux, Windows and other platforms.

b. Scanning and Vulnerability Assessment Tools (Nessus)
Nessus is a premier vulnerability assessment tool originally developed for UNIX. It is a fast, modular vulnerability scanner released by Renaud Deraison. The client/server tool, originally free software and now a commercial product from Tenable with a free limited-use edition, audits a network remotely to enumerate and test for known vulnerabilities against a database of plugins that is updated frequently; it reports vulnerabilities but does not exploit them. Nessus is used to detect vulnerabilities that would allow a remote attacker to take control of a system or access sensitive data, as well as misconfigurations, default passwords and denial-of-service conditions. The Nessus server performs the actual scanning activity, and the user can select which types of scans the application is allowed to run.
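As an added example (not code from the original text or from the Nmap project), the following script parses Nmap's grepable output, the format written by the -oG option, into per-host lists of open ports and service versions, which is how a tester turns a service and network mapping run into targets for the exploitation phase. The sample output is constructed to resemble what `nmap -sV -oG scan.gnmap 10.0.0.0/29` would write; its addresses, services and version strings are assumptions.

```python
#!/usr/bin/env python3
"""Parse Nmap grepable (-oG) output into per-host open-port lists.

Added example for the Nmap discussion above; it is not code from the
original text or from the Nmap project.  SAMPLE_GNMAP is constructed to
look like the output of `nmap -sV -oG scan.gnmap 10.0.0.0/29`; the
addresses, services and version strings in it are assumptions.
"""
import re

SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: "
    "nmap -sV -oG scan.gnmap 10.0.0.0/29\n"
    "Host: 10.0.0.1 ()\tStatus: Up\n"
    "Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//Apache httpd 2.4.52/, 443/filtered/tcp//https///"
    "\tIgnored State: closed (997)\n"
    "Host: 10.0.0.2 ()\tStatus: Up\n"
    "Host: 10.0.0.2 ()\tPorts: 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/"
    "\tIgnored State: closed (998)\n"
    "# Nmap done at Mon Jan  1 00:00:12 2024 -- 8 IP addresses "
    "(2 hosts up) scanned in 12.34 seconds\n"
)

# One entry of a "Ports:" field is  port/state/protocol/owner/service/rpc/version/
# (Nmap replaces any '/' inside a version string with '|', so '/' is a safe separator).
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>[^/]*)/(?P<protocol>[^/]*)/(?P<owner>[^/]*)/"
    r"(?P<service>[^/]*)/(?P<rpc>[^/]*)/(?P<version>[^/]*)/"
)


def parse_gnmap(text):
    """Return {host_ip: [port-record, ...]} for every host line in the file.
    Hosts that only have a 'Status:' line get an empty list."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # comment or blank line
        # Fields are tab-separated "Name: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]                # "10.0.0.1 ()" -> "10.0.0.1"
        records = hosts.setdefault(ip, [])
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return hosts


def open_ports(hosts, protocol="tcp"):
    """Keep only ports Nmap reported as open for the given protocol; filtered
    and closed ports are dropped because they offer nothing to connect to."""
    return {
        ip: sorted(
            (r for r in recs if r["state"] == "open" and r["protocol"] == protocol),
            key=lambda r: r["port"],
        )
        for ip, recs in hosts.items()
    }


def targets(opened):
    """Flatten to 'ip:port service version' lines, one per open port, ready
    to hand to the exploitation phase or a vulnerability scanner."""
    lines = []
    for ip in sorted(opened):
        for r in opened[ip]:
            lines.append(f"{ip}:{r['port']} {r['service']} {r['version']}".rstrip())
    return lines


if __name__ == "__main__":
    for line in targets(open_ports(parse_gnmap(SAMPLE_GNMAP))):
        print(line)
```

The same parser works on a real file with `parse_gnmap(open("scan.gnmap").read())`; note that the version column is Nmap's best guess from probe responses, so a match against a vulnerability database is still only a candidate finding until it is confirmed by hand, as the exploitation step above requires.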