Penetration testing is a vital step in identifying weaknesses in an organization's IT infrastructure. It is an essential evaluation exercise for organizations to use when defending their environments against cyberattacks. The SEI conducts cybersecurity assessments for organizations and designs and develops applications that facilitate the collection and automated reporting of findings identified during assessments.
This post introduces a penetration-testing findings repository that is now publicly available on GitHub. Findings refer to the vulnerabilities and weaknesses identified during a penetration-testing assessment. The repository standardizes the language of findings and minimizes the time and effort spent on report writing. Moreover, the standardized finding-name format makes it possible to analyze aggregated data across multiple penetration-testing assessments.
This repository was created in response to inconsistent naming of findings on penetration-testing assessments and to build a large collection of standardized weaknesses for assessors to use. Assessors would name findings differently from one assessment to the next. Some assessors would name a finding after a cyberattack while others would name it after a process. The penetration-testing findings repository names a finding after the vulnerability or weakness that was identified on an assessment rather than after the attack or process that revealed it. To help assessors locate findings more quickly during an assessment, the repository uses an affinity-grouping technique to categorize weaknesses, which increases usability by sorting the findings into a hierarchical three-tier structure. The findings repository also includes resources to help assessed organizations remediate the findings identified on a penetration-testing assessment.
A key step in securing organizational systems is identifying and understanding the specific vulnerabilities and weaknesses that exist in an organization's network. Once identified, the vulnerabilities and weaknesses must be put into context and certain questions must be answered, as outlined in the blog post How to Get the Most Out of Penetration Testing:
- Which vulnerabilities and weaknesses should you spend finite resources addressing?
- Which vulnerabilities and weaknesses are easily exploitable, and which are not?
- Which vulnerabilities and weaknesses put critical assets at risk?
- Which vulnerabilities and weaknesses must be addressed first?
Without this context, an organization might dedicate resources to addressing the wrong vulnerabilities and weaknesses, leaving itself exposed elsewhere. The repository provides a default severity level for each finding to help an assessed organization prioritize which findings to remediate first. An assessor can adjust the default severity level of a finding depending on the other security controls in place in the organization's environment (for example, a compensating control that limits exploitability lowers the practical severity).
Repository Overview
The penetration-testing findings repository is a collection of Active Directory, phishing, mobile-technology, system, service, web-application, and wireless-technology weaknesses that may be discovered during a penetration test. The repository contains default names, descriptions, recommendations for remediation, references, mappings to various frameworks, and severity levels for each finding. This repository and its structure serve four main purposes:
- standardization—The repository standardizes the reporting process by providing defined findings for an assessor to select from during an assessment.
- streamlined reporting—Providing pre-populated attributes (finding name, description, remediation, resources, and severity level) saves significant time during the reporting process, allowing assessors to focus on operations.
- comprehensiveness—The repository's layered structure gives assessors flexibility in how they present their findings as the vulnerability landscape evolves. When possible, assessors select a specific finding. If no specific finding accurately describes what was discovered, assessors can select a general finding and tailor it accordingly.
- ease of navigation—To make the repository easier to navigate, it uses a tiered classification structure. Findings are grouped by finding category, allowing assessors to report on both general and specific findings when creating reports.
As mentioned above, the findings repository is a hierarchical structure containing the following three tiers:
- Finding Category Tier—lists the overarching categories: Active Directory Weakness, Phishing Weakness, Mobile Technology Weakness, System or Service Weakness, Web Application Weakness, Wireless Technology Weakness.
- General Finding Tier—lists 27 high-level findings that act as subcategories of the overarching Finding Categories. A General Finding can be used as an individual finding on an assessment when there is no appropriate Specific Finding.
- Specific Finding Tier—lists 111 low-level findings that each pinpoint a distinct weakness that can be exploited during an assessment. The specific findings consist of common findings frequently identified during assessments.
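As an added example (not code from the SEI repository or from this post), the following Python sketch models the three tiers described above, the default severity and assessor override discussed in the prioritization section, and the cross-assessment aggregation that a standardized, weakness-based finding name makes possible. Every catalogue entry, alias, severity level and engagement record in it is constructed for illustration; none is an entry from the actual repository.

```python
"""Added example, not code from the SEI findings repository: a minimal model of a
three-tier findings catalogue (Finding Category > General Finding > Specific
Finding) with default severities, assessor overrides, and cross-assessment
aggregation. All entries, aliases and assessment data below are constructed
for illustration (hypothetical), not the repository's own content."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

SEVERITY_ORDER = ("informational", "low", "medium", "high", "critical")


@dataclass(frozen=True)
class Finding:
    category: str          # tier 1: Finding Category
    general: str           # tier 2: General Finding
    specific: str | None   # tier 3: Specific Finding (None = the General Finding itself is reported)
    description: str
    remediation: str
    default_severity: str

    @property
    def name(self) -> str:
        return self.specific or self.general


# Hypothetical catalogue entries shaped like the repository's tiers.
CATALOGUE: tuple[Finding, ...] = (
    Finding("Active Directory Weakness", "Insecure Service Account",
            "Service Account with Weak Password",
            "A service account with an SPN uses a guessable password.",
            "Use long random passwords or group managed service accounts.", "high"),
    Finding("Active Directory Weakness", "Insecure Service Account", None,
            "A service account is configured insecurely.",
            "Review service account privileges and credentials.", "medium"),
    Finding("Web Application Weakness", "Injection", "SQL Injection",
            "User input reaches a SQL query without parameterization.",
            "Use parameterized queries.", "critical"),
    Finding("Phishing Weakness", "Insufficient Email Filtering", None,
            "Weaponized attachments reach user mailboxes.",
            "Block executable attachments and enable macro protections.", "medium"),
)
BY_NAME = {f.name: f for f in CATALOGUE}

# Attack- or process-based names that assessors have used for the same weakness,
# mapped to the standardized weakness-based name. Constructed for illustration.
ALIASES = {
    "Kerberoasting": "Service Account with Weak Password",
    "Kerberoast Attack": "Service Account with Weak Password",
    "SQLi": "SQL Injection",
    "Phishing Campaign Succeeded": "Insufficient Email Filtering",
}


def normalize(name: str) -> Finding:
    """Resolve a reported name (standardized or legacy alias) to its catalogue entry."""
    key = ALIASES.get(name, name)
    try:
        return BY_NAME[key]
    except KeyError:
        raise KeyError(f"no catalogue entry for {name!r}; select a General Finding to tailor") from None


@dataclass(frozen=True)
class ReportedFinding:
    finding: Finding
    severity: str
    rationale: str | None = None   # required whenever the default severity is changed


def report(name: str, severity: str | None = None, rationale: str | None = None) -> ReportedFinding:
    """Report a finding at its default severity, or override the severity with a
    recorded justification (e.g. compensating controls reduce the practical impact)."""
    finding = normalize(name)
    if severity is None:
        return ReportedFinding(finding, finding.default_severity)
    if severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {severity!r}")
    if severity != finding.default_severity and not rationale:
        raise ValueError("changing the default severity requires a rationale")
    return ReportedFinding(finding, severity, rationale)


def aggregate(assessments: dict[str, list[str]]) -> tuple[Counter, Counter]:
    """Count findings across assessments by standardized name and by category.
    Aliases collapse onto one name, so differently labelled reports of the same
    weakness are counted together instead of being split."""
    by_name: Counter = Counter()
    by_category: Counter = Counter()
    for names in assessments.values():
        for n in names:
            f = normalize(n)
            by_name[f.name] += 1
            by_category[f.category] += 1
    return by_name, by_category


def prioritized(reported: list[ReportedFinding]) -> list[str]:
    """Order reported findings for remediation, highest (possibly adjusted) severity first."""
    ranked = sorted(reported, key=lambda r: SEVERITY_ORDER.index(r.severity), reverse=True)
    return [r.finding.name for r in ranked]


if __name__ == "__main__":
    # Constructed data: three engagements that labelled the same AD weakness differently.
    engagements = {
        "A": ["Kerberoasting", "SQLi"],
        "B": ["Kerberoast Attack", "Phishing Campaign Succeeded"],
        "C": ["Service Account with Weak Password"],
    }
    by_name, by_category = aggregate(engagements)
    print(by_name.most_common())
    lowered = report("SQL Injection", "medium", "internal-only app behind VPN, WAF in front")
    print(prioritized([report("Kerberoasting"), lowered, report("Insufficient Email Filtering")]))
```

The alias table is the point: without a standardized name, the same service-account weakness would show up in the aggregate as three differently counted findings, and the override path forces the assessor to record why a default severity was changed so the assessed organization can see the reasoning behind its remediation order.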
As shown in the table below, there are six Finding Categories:
Category | Description
---|---
Active Directory Weakness | Active Directory (AD) is configured improperly. Some misconfigurations include unnecessary service accounts and permissions, insecure encryption ciphers, weak password policies, and/or insecure user or computer accounts. Attackers have various methods of pursuing AD weaknesses, including Kerberoasting, Golden Ticket attacks, Pass the Hash, or Pass the Ticket, which can lead to a complete takeover of the infrastructure.
Phishing Weakness | A phishing weakness allows an attacker to send a weaponized email through the network border that executes on the local host when a user performs an action. These emails can contain a number of luring attachments, Uniform Resource Locators (URLs), scripts, and macros. Inadequate protections allow malicious payloads to be executed.
Mobile Technology Weakness | Mobile technologies are increasingly used to deliver services and data. The amount of data stored on mobile devices makes their applications targets for attack. Compared to traditional computers, the functionality on mobile devices is harder to control, and mobile devices support more complex interfaces (e.g., cellular, Wi-Fi, Bluetooth, Global Positioning System [GPS]) that expose more surfaces to attack. Insecure mobile technology has vulnerabilities that attackers can exploit to gain access to sensitive information and resources.
System or Service Weakness | Weaknesses within a system or service can result in missing critical security controls that leave the organization vulnerable to attack. These weaknesses can include weak configuration guidance that insecurely configures systems and services throughout the organization, insufficient or missing configuration management that results in ad hoc or default configurations, etc.
Web Application Weakness | The security of websites, web applications, and web services (e.g., application programming interfaces [APIs]) is known as web application security. Web applications can be attacked by exploiting vulnerabilities at the application layer, transport layer, and software supply chain. Web application weaknesses are often vulnerabilities, system flaws, or misconfigurations in a web-based application. Attackers typically exploit these weaknesses to either manipulate source code or gain unauthorized access to information or functions. Attackers may be able to find vulnerabilities even in a reasonably robust security environment.
Wireless Technology Weakness | Wireless technologies allow mobile devices (e.g., laptops, smart phones, Internet of Things [IoT] devices, and printers) to connect to the enterprise network. Wireless networks can introduce potential vulnerabilities to an organization through weak policies that allow insecure wireless technology (e.g., insecure devices, insecure configurations, weak authentication processes, insecure encryption) on the network.
The repository also maps each finding to the following three frameworks:
Future Work
The plan is to update the repository as new common vulnerabilities and weaknesses are identified. Since the repository is open source, the cybersecurity community can also access the repository and contribute to it.
In addition to the Penetration Testing Findings Repository, a repository of common risks that can be identified during high-value asset (HVA) assessments is in the works. The goal of this repository is to standardize the language of risks reported by assessors, in turn minimizing the time and effort for report writing on assessments. Like the penetration-testing repository, this new repository will contain risk statements, descriptions, and recommendations for mitigating the risks identified on HVA assessments.
Additional Resources
How to Get the Most Out of Penetration Testing by Michael Cook
7 Guidelines for Being a Trusted Penetration Tester by Karen Miller