The main difference between an Ethical Hacking exercise and a Vulnerability Assessment, is that while the first relates to the simulation of an attack from the outside, the second relates to an attack that may be perpetrated on the internal side of the organizational network e.g. a disgruntled employee, or an external attacker who has gained access into the network. Threats from the internal network environment is one of the greatest risks that organizations face nowadays as users are usually entitled to access sensitive information with lower security controls.
During an internal penetration testing exercise, the ITHACA Labs® team attempts to gain access to internal networks, systems and applications using techniques such as a brute force attack, and/or exploiting systems/application vulnerabilities. The results from an internal penetration testing exercise will help the organization realize threats coming from within the company’s internal network environment, and enable you to better understand your internal security posture.
During this exercise, our ITHACA Labs® team utilizes a plethora of manual/automatic techniques aiming to identify, map and assess the network, systems and security controls in place and profile the potential for unauthorized access and misuse of the systems and information by impersonating internal unhappy employees and/or hostile intruders either with or without having prior knowledge.
Our researchers will act as regular employees of the organization and assess all access controls in an attempt to acquire unauthorized access and escalate this access privileges to critical data and systems.
This exercise will help them assess the risks that may be brought into the organization and provide a summary report with the findings as well as focused recommendations to address the weaknesses and the risks that the organization is facing.
All tests are designed in cooperation with the organization to ensure specific security/system controls and policies are tested.
Our Vulnerability Assessment methodology and approach is a four-step process as described below.
The Re-Testing step is optional for organizations requiring the added assurance that remedial action taken after vulnerabilities and weaknesses have been identified, has been successful in mitigating the relevant risks.
1. Active Information Gathering
The first step of our methodology is to gather as much information as possible regarding the in-scope systems and network components, by probing the organization’s internal network and systems infrastructure. Active information gathering consists of a series of active probes of the targeted network and systems, which the organization may be able to detect. During this step, critical information regarding the in-scope systems and network components are gathered. This information may include the type and version of operating system and software applications running on the network devices and systems etc.
2. Vulnerability Mapping
All information obtained during the previous steps is collated, classified and mapped. At this point it is possible to draw a “map” of the security behavior of the in-scope systems and networks components, which allows us to determine our course of action. This course of action will include our strategy regarding the vulnerability probes and tools, which will be used during the subsequent exploitation phase. Our exploitation strategy will be relating specifically to the in-scope systems and network components and will be aimed at identifying possible weaknesses and vulnerabilities present.
Our exploitation of the vulnerabilities identified and mapped during the previous phases of the ethical hacking process will not be limited to perpetrating isolated attacks aimed at exploiting a single vulnerability. Rather, our “attacks” will be formulated so that they take advantage of a number, or combination of identified weaknesses. By doing so, we can simulate what the maximum effect of the identified vulnerabilities would be on the targeted systems and networks should an orchestrated hacker attack actually takes place.
This stage completes the assessment by verifying which of the potential vulnerabilities and attack paths can actually lead to a security compromise or exposure. For any successful break-in attempts, an estimation of potential damage is made which enables the organization to more accurately assess the threats that are present in their network and systems infrastructure and the extent of business risks based on those threats.
It is important to note that during the different stages of this exercise all meaningful network traffic is monitored, using network sniffers, to detect any information that may be security-sensitive.
The Vulnerability Assessment exercise is concluded with a meeting during which our observations, findings and assessments are presented. During this meeting we will provide you with helpful information and guidelines as to how all-successful break-ins could have been prevented or controlled and answer any questions you may have. In addition, we will furnish you with a detailed report, summarizing our observations and findings along with an overall analysis and correlation of the identified risks and concerns, providing you with a comprehensive view of the level of risk to which the organization is exposed. Constructive recommendations for the mitigation of those risks will also be included.
The intention is to provide the organization with focused in-depth technical explanation of each vulnerability as well as instructions for remediation and recommendations, which address individual weaknesses. We will also provide you with a more holistic view of the risks inherent in your operations, all based on our work, our findings and conclusions.
Before, or even after the submission of the final report, the organization, based on the initial findings report, may take remediation steps and allow the ITHACA Labs® team to re-test after the corrective actions have been completed.
Although optional, this is a very important step as it provides management with the assurance that any identified weaknesses, have been effectively addressed bringing the organization’s risk baseline to the required level. By doing so, management’s due diligence is clearly demonstrated while audit and compliance requirements are duly met.