An overview of vulnerability assessment and penetration testing techniques

Original Paper

Abstract

All Internet-facing systems and applications carry security risks. Security professionals across the globe generally address these risks through Vulnerability Assessment and Penetration Testing (VAPT). VAPT is an offensive way of defending the cyber assets of an organization. It consists of two major parts, namely Vulnerability Assessment (VA) and Penetration Testing (PT). Vulnerability assessment uses various automated tools and manual testing techniques to determine the security posture of the target system; in this step all the breach points and loopholes are found. If an attacker finds these breach points or loopholes, they can lead to heavy data loss and fraudulent intrusion activities. In penetration testing the tester simulates the activities of a malicious attacker who tries to exploit the vulnerabilities of the target system; the set of vulnerabilities identified in VA is used as the input vector for this step. The VAPT process helps in assessing the effectiveness of the security measures present on the target system. In this paper we describe the entire process of VAPT, along with its methodologies, models and standards. A shortlisted set of efficient and popular open source/free tools useful in conducting VAPT, together with the required list of precautions, is given. A case study of a VAPT test conducted on a bank system using the shortlisted tools is also discussed.

Copyright information

© Springer-Verlag France 2014

Authors and Affiliations

  1. School of Computer and Information Sciences, University of Hyderabad, Hyderabad, India
  2. Center for Information Assurance and Management, Institute for Development and Research in Banking Technology (established by the Reserve Bank of India), Hyderabad, India