cybersecurity

Feel Fully Secure with PT

Nov 29, 2023

4 min read
After discussing security needs with clients, it becomes clear that many of them are not aware of the difference between a Vulnerability Assessment (VA) and a Penetration Test (PT), especially where the organization's security awareness is not yet mature.

A VA does give basic security recommendations for the customer's network or web applications, but organizations that depend on those systems for business continuity need the deeper level of assurance that a PT provides.

On the surface, the key differences between VA and PT are:

  • VA covers security in breadth, while PT covers security in depth.

  • VA largely relies on automation and PT relies on manual testing.

  • VA needs relatively little expertise to run, while PT should only be conducted by experienced testers.

But those differences alone are not why a PT is recommended. Here are the main reasons why a VA on its own will not meet your security needs, and why a PT is needed to fully secure your business.

Where a VA looks for known vulnerabilities and reports potential exposures, a PT adds the human element. Tools like Nessus and nmap identify issues by matching what they observe (versions, banners, responses) against their plugin and vulnerability databases; whatever is not in the database is not reported. A PT also uses automated tools, but does not stop there. For example, one of our clients had hard-coded a JSON Web Token (JWT) into the source of a public web page. Automated scans with Nessus and Burp Suite did not flag it. A single GET request from the terminal, however, showed the characteristic JWT pattern: three base64url segments separated by dots, usually starting with eyJ. A JWT is signed, not encrypted, so its payload decodes without any key, and this one turned out to be the token used to authenticate API queries. The client's entire business relied on limiting access to paid users, and this one token was enough to give anyone who recognised the pattern full access to their proprietary resources.
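
The check described above, as an added example that is not part of the original post or the client's code: it builds a constructed page containing an HS256-signed token (the signing key, claims and page are all made up for the example), finds the token by its shape, and decodes the header and claims without the key. The separate verify step shows what the signature does and does not protect.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Shape of a JWT: three base64url segments joined by dots. The header segment
# almost always starts with "eyJ" because that is base64 for '{"'.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as JWTs use it (RFC 7515, appendix C)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token the way a backend would. Used here only to build
    realistic sample input; the key passed in is made up."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def find_jwts(page: str) -> list:
    """Every JWT-looking string in a response body (HTML, inline JS, JSON)."""
    return JWT_RE.findall(page)


def decode_unverified(token: str) -> dict:
    """Read header and claims WITHOUT checking the signature. This is what an
    attacker does with a leaked token: the signature proves who issued it, it
    does not hide anything. Never use this path for an authorization decision."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    exp = claims.get("exp")
    return {"alg": header.get("alg"), "claims": claims,
            "expired": exp is not None and exp < time.time()}


def verify_hs256(token: str, secret: bytes) -> bool:
    """What the API server does. Only it holds the key, so only it can tell a
    forged token from a real one; reading the claims above needed no key."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


# Constructed sample: a public page that ships the API credential to every visitor.
SECRET = b"example-signing-key-not-real"          # assumption: the backend's HS256 key
LEAKED = make_hs256_jwt({"sub": "api-client", "scope": "premium:read",
                         "exp": 4102444800}, SECRET)   # exp = 2100-01-01, i.e. long-lived
SAMPLE_PAGE = f"""<html><body>
<script>
  // constructed: token hard-coded so the front end can call the paid API
  const API_TOKEN = "{LEAKED}";
  fetch("/api/v1/content", {{headers: {{Authorization: "Bearer " + API_TOKEN}}}});
</script>
</body></html>"""


def audit_page(page: str) -> list:
    """What the tester does after `curl -s https://target/` shows an eyJ... string."""
    return [decode_unverified(t) for t in find_jwts(page)]


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE):
        print(json.dumps(finding, indent=2))
    print("server would accept the leaked token:", verify_hs256(LEAKED, SECRET))
```

Run it as-is against the constructed page, or replace SAMPLE_PAGE with the body of a `curl -s` against an in-scope target. The fix on the application side is not to ship a long-lived credential in a public page at all: issue short-lived, per-user tokens after login and keep any shared API key server-side.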

A risk-based approach to remediation

If you have seen a Nessus scan report or a Burp Suite crawl report, you know how many potential vulnerabilities such a report contains. Do you have the time and people to fix them all? Some entries are the same issue repeated across hosts, some are false positives, some are rated critical and some merely informational. The report is a good starting point for patching your systems, but on its own it does not tell you how to do that cost-efficiently. Fixing some of the 'critical' items may add nothing to your overall security posture, while ignoring some of the 'informational' ones may cost you dearly. This is where a risk-based approach to remediation comes in.

A good PT works through every VA finding, including those tagged 'informational', and attempts to exploit it. Each confirmed finding is then given a CVSS score: the base metrics capture how easily it can be exploited and what impact exploitation has, and the environmental metrics adjust that for the client's own context. Ranking by that score, rather than by the scanner's label, lets the security and development teams decide what to remediate first.

Creativity in testing

As mentioned earlier, a VA is automated and works from a database of known vulnerabilities; there is no creativity in that kind of testing. An attacker who chains several individually minor weaknesses can end up with full access to your system, and this is where creativity and the human element matter. The weaknesses used in such a chain are often rated low or informational in the VA report.

Here's an example

As part of our PT engagements we use open-source intelligence (OSINT) to profile the target. One of our clients had published job postings on LinkedIn that asked for experience with the Wazuh-ELK stack. At Netcon we had experimented with that stack and knew how it worked on the back end. In the Wazuh-ELK setup process, Elasticsearch and Kibana start with default login credentials, and the system administrator is expected to change them manually. One of the difficulties we had found while experimenting was that the configuration files are fragile: editing them incorrectly throws errors and can leave the service unusable, so it is tempting to leave the defaults in place. During testing, we were able to log in to Kibana and query the Elasticsearch API with those default credentials. A VA will not give you this kind of result.
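
The default-credential check described above, as an added example that is not from the original post or from Wazuh's or Elastic's documentation: it tries a short candidate list against the Elasticsearch authenticate endpoint using HTTP Basic auth and, on success, lists the indices that login can read. The candidate pairs, the host name and the fake cluster responses are assumptions constructed for the example; the `/_security/_authenticate` and `/_cat/indices` endpoints are Elasticsearch's own (X-Pack security, 7.x and later). Only point the real transport at systems you are authorized to test.

```python
import base64
import json
import urllib.error
import urllib.request

# Candidate credentials to try. These pairs are ASSUMPTIONS for the example;
# the real list comes from the install docs of the exact versions deployed.
DEFAULT_CANDIDATES = [("elastic", "changeme"), ("admin", "admin")]


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic: base64("user:password"), what a browser or `curl -u` sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def http_get(url: str, headers: dict, timeout: float = 5.0):
    """Real transport. Returns (status, body); a 401 is a normal answer here,
    not an error, so it is returned rather than raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe_default_creds(base_url: str, candidates, fetch=http_get) -> list:
    """Try each candidate against Elasticsearch's authenticate endpoint and
    return the accepted ones together with the roles they carry."""
    hits = []
    for user, password in candidates:
        status, body = fetch(f"{base_url}/_security/_authenticate",
                             {"Authorization": basic_auth_header(user, password),
                              "Accept": "application/json"})
        if status == 200:
            hits.append({"user": user, "password": password,
                         "roles": json.loads(body).get("roles", [])})
    return hits


def list_indices(base_url: str, user: str, password: str, fetch=http_get) -> list:
    """Show impact: with a working login, enumerate every index on the cluster."""
    status, body = fetch(f"{base_url}/_cat/indices?format=json",
                         {"Authorization": basic_auth_header(user, password)})
    return [row["index"] for row in json.loads(body)] if status == 200 else []


def fake_cluster(url: str, headers: dict):
    """Constructed stand-in for a cluster left on defaults, so the example runs
    offline. Pass fetch=http_get instead to run against a real, in-scope target."""
    if headers.get("Authorization") != basic_auth_header("elastic", "changeme"):
        return 401, json.dumps({"error": {"type": "security_exception"}})
    if url.endswith("/_security/_authenticate"):
        return 200, json.dumps({"username": "elastic", "roles": ["superuser"]})
    if url.endswith("/_cat/indices?format=json"):
        return 200, json.dumps([{"index": "wazuh-alerts-4.x-2023.11.29"},
                                {"index": ".kibana_1"}, {"index": "customer-pii"}])
    return 404, ""


def audit(base_url: str, fetch=http_get) -> dict:
    """One call a tester, or a CI job, can run: which defaults work and what they reach."""
    hits = probe_default_creds(base_url, DEFAULT_CANDIDATES, fetch)
    reachable = list_indices(base_url, hits[0]["user"], hits[0]["password"], fetch) if hits else []
    return {"default_credentials_accepted": hits, "indices_reachable": reachable}


if __name__ == "__main__":
    # hostname is made up for the example
    print(json.dumps(audit("http://wazuh-indexer.example:9200", fetch=fake_cluster), indent=2))
```

The same function, with the real transport, belongs in the defender's hands too: run it after every deployment and fail the pipeline if `default_credentials_accepted` is non-empty, which catches exactly the "we'll change it later" shortcut the text describes.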

With the rise in cyber-attacks since the pandemic, cyber-security has become expensive, and the side effect is that people take shortcuts to save time and resources. Can your organization afford that? If you want to fully secure your systems, a VA is not enough. You need the human element that a PT brings with it.

Contact

Email : info@netcon.in

Phone : +91 99524 00291

© Copyright 2024 Netcon Technologies. All rights reserved. All logos and trademarks used belong to their respective owners.
