
Question

ABC Security consulting provides security consulting services to a wide range of businesses, individuals, schools and organizations. Because of its reputation and increasing demand for its services, ABC has partnered with a local school to hire students close to graduation to assist them on specific projects. This not only helps ABC with their projects but also provides real world experience to students who are interested in the security field. Rozenboom Real Estate (RRE) buys and sells high-end residential and commercial real estate across a multistate region. One of the tools that RRE offers is a sophisticated online website that allows potential buyers to take a virtual tour of properties. However, RRE’s site was recently compromised by attackers who defaced the site with malicious messages, causing several customers to threaten to withdraw their listings. RRE’s senior management has demanded a top-to-bottom review of their security by an independent third party. ABC has been hired to perform the review, and they have contracted with you to work on this project.

1. The first task is to perform a vulnerability assessment of RRE. Create a report for the president and his staff about the steps in vulnerability assessment. List in detail the actions under each step and what RRE should expect in the assessment.

2. One of the activities recommended by ABC is to perform a penetration test. However, the IT staff is very resistant to the idea and has tried to convince RRE’s senior management that it is too risky and that a vulnerability scan would serve the same purpose. RRE has asked you for your opinion of performing a penetration test or vulnerability scan. Create a memo that outlines the differences and what your recommendation would be.

Explanation / Answer

(Answer 1)

Vulnerability Assessment is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure. In addition, vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.

Vulnerability analysis consists of several steps:

If security holes are found as a result of vulnerability analysis, a vulnerability disclosure may be required. The person or organization that discovers the vulnerability, or a responsible industry body such as the Computer Emergency Readiness Team (CERT), may make the disclosure. If the vulnerability is not classified as a high level threat, the vendor may be given a certain amount of time to fix the problem before the vulnerability is disclosed publicly.

The third stage of vulnerability analysis (identifying potential threats) is sometimes performed by a white hat using ethical hacking techniques. Using this method to assess vulnerabilities, security experts deliberately probe a network or system to discover its weaknesses. This process provides guidelines for the development of countermeasures to prevent a genuine attack.

(Answer 2)

Penetration test

Many professional penetration testers will actually just run a vulnerability scan, package up the report in a nice, pretty bow and call it a day. Nope – this is only a first step in a penetration test. A good penetration tester takes the output of a network scan or a vulnerability assessment and takes it to 11 – they probe an open port and see what can be exploited. For example, let’s say a website is vulnerable to Heartbleed. Many websites still are. It’s one thing to run a scan and say “you are vulnerable to Heartbleed” and a completely different thing to exploit the bug and discover the depth of the problem and find out exactly what type of information could be revealed if it was exploited. This is the main difference – the website or service is actually being penetrated, just like a hacker would do.

Similar to a vulnerability scan, the results are usually ranked by severity and exploitability with remediation steps provided. Penetration tests can be performed using automated tools, such as Metasploit, but veteran testers will write their own exploits from scratch.

| | Vulnerability Scan | Penetration Test |
|---|---|---|
| How often to run | Continuously, especially after new equipment is loaded | Once a year |
| Reports | Comprehensive baseline of what vulnerabilities exist and changes from the last report | Short and to the point, identifies what data was actually compromised |
| Metrics | Lists known software vulnerabilities that may be exploited | Discovers unknown and exploitable exposures to normal business processes |
| Performed by | In-house staff, increases expertise and knowledge of normal security profile. | Independent outside service |
| Expense | Low to moderate: about $1200 / yr + staff time | High: about $10,000 per year outside consultancy |
| Value | Detective control, used to detect when equipment is compromised. | Preventative control used to reduce exposures |

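The vulnerability-scan report described in the comparison above (a baseline plus the changes from the last report, ranked by severity) can be produced by diffing two scan runs. The following is an added example, not part of the original answer; the `Finding` fields, check names and addresses are constructed for illustration and do not come from any particular scanner.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str  # scanner check name (constructed values below)
    severity: str

def _key(f):
    # A finding is "the same" across scans if host, port and check match.
    return (f.host, f.port, f.check_id)

def _ranked(findings):
    # Most severe first, then a stable order by host, port and check.
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], *_key(f)))

def diff_scans(baseline, current):
    """Compare the previous scan (baseline) with the current scan."""
    base = {_key(f): f for f in baseline}
    cur = {_key(f): f for f in current}
    return {
        "new": _ranked(cur[k] for k in cur.keys() - base.keys()),
        "resolved": _ranked(base[k] for k in base.keys() - cur.keys()),
        "persisting": _ranked(cur[k] for k in cur.keys() & base.keys()),
    }

# Constructed sample data: last scan versus this scan, after a new
# server (192.0.2.30) was added to the network.
LAST_SCAN = [
    Finding("192.0.2.10", 443, "TLS-HEARTBEAT-LEAK", "high"),
    Finding("192.0.2.10", 22, "SSH-WEAK-CIPHERS", "medium"),
    Finding("192.0.2.20", 80, "HTTP-DIR-LISTING", "low"),
]
THIS_SCAN = [
    Finding("192.0.2.10", 443, "TLS-HEARTBEAT-LEAK", "high"),   # still unpatched
    Finding("192.0.2.20", 80, "HTTP-DIR-LISTING", "low"),       # still present
    Finding("192.0.2.30", 8080, "CMS-DEFAULT-ADMIN", "critical"),  # new equipment
    Finding("192.0.2.30", 22, "SSH-WEAK-CIPHERS", "medium"),
]

if __name__ == "__main__":
    for status, findings in diff_scans(LAST_SCAN, THIS_SCAN).items():
        for f in findings:
            print(f"{status:10} {f.severity:8} {f.host}:{f.port} {f.check_id}")
```

The "new" list shows why a scan is rerun after new equipment is loaded, and the "persisting" list is the remediation backlog carried over from the last report.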