A Repository of Typical Penetration-Testing Weak Points

Penetration testing is an important step in identifying weak points in an organization's IT infrastructure. It is a key assessment activity for organizations to use when defending their environments against cyberattacks. The SEI conducts cybersecurity assessments for organizations and designs and develops applications that facilitate the collection and automation of the reporting of findings identified on assessments.

This post introduces a penetration-testing findings repository that is now publicly available on GitHub. Findings describe the vulnerabilities and weak points identified during a penetration-testing assessment. The repository standardizes the language of findings and reduces the time and effort for report writing. Moreover, the standardized finding-name format helps in analyzing aggregated data across multiple penetration-testing assessments.

This repository was created in response to the naming inconsistency of findings on penetration-testing assessments and to build a large collection of standardized weak points for assessors to use. Assessors would name findings differently on assessments. Some assessors would name a finding after a cyberattack while others would name it after a procedure. The penetration-testing findings repository focuses on naming a finding after the vulnerability and weak points that were identified on an assessment rather than after cyberattacks or procedures. To help assessors locate findings faster during an assessment, the repository uses an affinity-grouping technique to categorize weak points, which increases usability by organizing the findings into a hierarchical three-tier structure. Moreover, the findings repository includes resources to help assessed organizations remediate the findings identified on a penetration-testing assessment.

A key step in securing organizational systems is identifying and understanding the specific vulnerabilities and weak points that exist in an organization's network. Once identified, the vulnerabilities and weak points must be put into context and certain questions must be answered, as outlined in the post How to Get the Most Out of Penetration Testing:

  • Which vulnerabilities and weak points should you spend limited resources addressing?
  • Which vulnerabilities and weak points are easily exploitable, and which aren't?
  • Which vulnerabilities and weak points put critical assets at risk?
  • Which vulnerabilities and weak points must be addressed first?

Without this context, an organization may dedicate resources to addressing the wrong vulnerabilities and weak points, leaving itself exposed elsewhere. The repository provides a default finding-severity level to help an assessed organization prioritize which findings to remediate first. An assessor can adjust the default severity level of the findings depending on the other security controls in place in an organization's environment.

Repository Introduction

The penetration-testing findings repository is a collection of Active Directory, phishing, mobile-technology, system, service, web-application, and wireless-technology weak points that may be discovered during a penetration test. The repository contains default names, descriptions, suggestions for remediation, recommendations, mappings to various frameworks, and severity levels for each finding. This repository and its structure serve four main purposes:

  • standardization: The repository standardizes the reporting process by providing defined findings for an assessor to choose from during an assessment.
  • structured reporting: Providing pre-populated attributes (finding name, description, remediation, resources, and severity level) saves significant time during the reporting process, allowing assessors to focus on operations.
  • comprehensiveness: The repository's layered structure gives assessors flexibility in how they present their findings as the vulnerability landscape evolves. When possible, assessors select a specific finding. If no specific finding accurately describes what was discovered, assessors can select a general finding and tailor it accordingly.
  • ease of navigation: To make the repository easier to navigate, it uses a tiered categorization structure. Findings are grouped by the finding categories, allowing assessors to report on both general and specific findings when creating reports.

As mentioned above, the findings repository is a hierarchical structure containing the following three tiers:

  • Finding Category Tier: lists the overarching categories: Active Directory Weak Point, Phishing Weak Point, Mobile Technology Weak Point, System or Service Weak Point, Web Application Weak Point, Wireless Technology Weak Point.
  • General Finding Tier: lists 27 high-level findings that are like subcategories of the overarching Finding Category. General Findings can be used as an individual finding on an assessment when there isn't a suitable Specific Finding.
  • Specific Finding Tier: lists 111 low-level findings that identify a distinct weak point that can be exploited during an assessment. The specific findings include common findings frequently identified during assessments.
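
The three tiers, the fallback from a specific to a general finding, and the adjustable default severity can be modeled as follows. This is an added example, not code from the repository or the SEI; the finding names, the default severities, and the Low/Medium/High scale are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass

SEVERITIES = ("Low", "Medium", "High")  # assumed scale; the page lists none

# Constructed catalog. Category names are from the page; general and specific
# finding names and their default severities are placeholders.
CATALOG = {
    "Web Application Weak Point": {
        "General Finding A": {"default": "Medium",
                              "specific": {"Specific Finding A1": "High"}},
    },
    "Phishing Weak Point": {
        "General Finding B": {"default": "High", "specific": {}},
    },
}

@dataclass(frozen=True)
class Reported:
    category: str
    name: str          # standardized name that appears in the report
    severity: str
    customized: bool   # True when a general finding stood in for a specific one

def select(category, general, specific=None, severity=None):
    """Return the specific finding if given, else fall back to the general one.
    `severity` replaces the catalog default when the assessor adjusts it."""
    entry = CATALOG[category][general]   # KeyError rejects non-catalog names
    default = entry["specific"][specific] if specific else entry["default"]
    chosen = severity or default
    if chosen not in SEVERITIES:
        raise ValueError(f"unknown severity: {chosen}")
    return Reported(category, specific or general, chosen, specific is None)

def prioritize(findings):
    """Order one assessment's findings for remediation, most severe first."""
    return sorted(findings, key=lambda f: -SEVERITIES.index(f.severity))

def aggregate(assessments):
    """Count occurrences of each standardized finding across assessments."""
    return Counter((f.category, f.name) for a in assessments for f in a)

# Constructed sample: two assessments reported with the same vocabulary.
ASSESSMENT_1 = [select("Web Application Weak Point", "General Finding A",
                       "Specific Finding A1"),
                select("Phishing Weak Point", "General Finding B", severity="Low")]
ASSESSMENT_2 = [select("Web Application Weak Point", "General Finding A",
                       "Specific Finding A1", severity="Medium"),
                select("Web Application Weak Point", "General Finding A")]
```

Because both assessments draw names from one catalog, `aggregate` can count the same weak point across reports without any free-text matching, and a name outside the catalog is rejected at selection time.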

As shown in the table below, there are six Finding Categories:

Finding Categories

| Category | Description |
|---|---|
| Active Directory Weak Point | Active Directory (AD) is configured incorrectly. Some misconfigurations include unnecessary service accounts and permissions, insecure encryption ciphers, weak password policies, and/or insecure user or computer accounts. Attackers have many methods of going after AD weak points, including Kerberoasting, Golden Ticket attacks, Pass the Hash, or Pass the Ticket, which can lead to a total takeover of the infrastructure. |
| Phishing Weak Point | A phishing weak point allows an attacker to send a weaponized email through the network perimeter that executes on the local host when a user performs an action. These emails can include a variety of luring attachments, Uniform Resource Locators (URLs), scripts, and macros. Inadequate defenses allow malicious payloads to be executed. |
| Mobile Technology Weak Point | Mobile technologies are increasingly used to deliver services and data. The amount of data stored on mobile devices makes their applications targets for attack. Compared to traditional computers, the functionality on mobile devices is harder to control, and mobile devices support more complex interfaces (e.g., cellular, Wi-Fi, Bluetooth, Global Positioning System [GPS]) that expose more surfaces to attack. Insecure mobile technology has vulnerabilities that attackers can exploit to gain access to sensitive information and resources. |
| System or Service Weak Point | Weak points within a system or service can result in missing critical security controls that leave the organization vulnerable to attacks. These weak points can include weak configuration guidance that insecurely configures systems and services across the organization, insufficient or missing configuration management that results in ad hoc or default configurations, etc. |
| Web Application Weak Point | The security of websites, web applications, and web services (e.g., application programming interfaces [APIs]) is referred to as web application security. Web applications can be attacked by exploiting vulnerabilities at the application layer, transport layer, and software supply chain. Web application weak points are typically vulnerabilities, system flaws, or misconfigurations in a web-based application. Attackers often exploit these weak points to either manipulate source code or gain unauthorized access to information or functions. Attackers may be able to find vulnerabilities even in a fairly robust security environment. |
| Wireless Technology Weak Point | Wireless technologies allow mobile devices (e.g., laptops, cell phones, Internet of Things [IoT] devices, and printers) to connect to the enterprise network. Wireless networks can introduce potential vulnerabilities to an organization through weak policies that allow insecure wireless technology (e.g., insecure devices, insecure configurations, weak authentication protocols, insecure encryption) on the network. |

The repository also maps each finding to the three following frameworks:

Future Work

The plan is to update the repository as new common vulnerabilities and weak points are identified. Since the repository is open source, however, the cybersecurity community can access the repository and contribute to it.

In addition to the Penetration Testing Findings Repository, a repository of common risks that can be identified during high-value asset (HVA) assessments is in the works. The purpose of this repository is to standardize the language among risks reported by assessors, in turn reducing time and effort for report writing on assessments. Like the penetration-testing repository, this new repository will include risk statements, descriptions, and recommendations for mitigation of risks identified on HVA assessments.

Additional Resources

How to Get the Most Out of Penetration Testing by Michael Cook

7 Guidelines for Being a Trusted Penetration Tester by Karen Miller
