🔒Cybersecurity and Cryptography Unit 14 – Security Auditing & Penetration Testing

Security auditing and penetration testing are crucial components of a robust cybersecurity strategy. These practices help organizations identify vulnerabilities, assess risks, and improve their overall security posture through systematic evaluation and simulated attacks. From security audit basics to penetration testing fundamentals, this unit covers essential tools, techniques, and methodologies. It also explores common vulnerabilities, reporting practices, legal considerations, and real-world applications of these critical security processes.

Key Concepts & Terminology

  • Security audit: systematically evaluates an organization's information system's security by measuring how well it conforms to an established set of criteria
  • Penetration testing (pen test): authorized simulated cyberattack on a computer system, performed to evaluate the security of the system
  • Vulnerability: weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source
  • Exploit: code or technique that takes advantage of a vulnerability to cause unintended or unanticipated behavior in computer software or hardware
  • Threat actor: individual or group that attempts to exploit vulnerabilities in systems for malicious purposes
  • Attack surface: total sum of the vulnerabilities in a given computing device or system that are accessible to a threat actor
  • Security posture: overall strength of an organization's cybersecurity readiness
  • Remediation: process of fixing vulnerabilities or implementing controls to reduce cyber risk

Security Audit Basics

  • Purpose of a security audit is to identify vulnerabilities, assess risk, and provide recommendations for improvement
  • Scope of audit defines systems, networks, applications, and processes to be examined
  • Auditing standards provide guidelines for conducting audits (NIST SP 800-115, ISO 27001, COBIT)
  • Auditing process typically includes planning, fieldwork, analysis, and reporting phases
  • Auditor should be independent, objective, and have necessary skills and experience
  • Evidence collection involves gathering information through interviews, documentation review, and technical testing
  • Sampling techniques used to select representative subset of systems or data for testing
  • Audit report communicates findings, risks, and recommendations to stakeholders

Penetration Testing Fundamentals

  • Goal of penetration testing is to identify vulnerabilities that could be exploited by threat actors
  • Types of pen tests include black box (no prior knowledge), white box (full knowledge), and gray box (partial knowledge)
  • Pen testing methodology typically follows reconnaissance, scanning, gaining access, maintaining access, and covering tracks phases
  • Reconnaissance involves gathering information about target systems and networks
  • Scanning identifies open ports, services, and potential vulnerabilities
  • Gaining access attempts to exploit identified vulnerabilities to obtain unauthorized access
  • Maintaining access involves establishing persistent presence and escalating privileges
  • Covering tracks removes evidence of testing activities to avoid detection
  • Pen test report details findings, exploits, and recommendations for remediation
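The scanning phase listed above is also what a defender's monitoring should detect. The following is an added example, not code from the original study guide: it reads constructed firewall-style log lines and flags any source address that touches many distinct ports on one host within a short time window. The log format, the IP addresses, and the window and port thresholds are assumptions made for this example.

```python
"""Flag port-scan behaviour in firewall logs (added example).

Assumed log format, one event per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>
"""
from collections import defaultdict

# Constructed sample log: 10.0.0.5 probes ten ports on one host within a few
# seconds; 10.0.0.9 is ordinary traffic to two services over a minute.
SAMPLE_LOG = """\
1700000000 10.0.0.5 192.168.1.10 22 DENY
1700000001 10.0.0.5 192.168.1.10 23 DENY
1700000001 10.0.0.5 192.168.1.10 25 DENY
1700000002 10.0.0.5 192.168.1.10 80 ALLOW
1700000002 10.0.0.5 192.168.1.10 110 DENY
1700000003 10.0.0.5 192.168.1.10 143 DENY
1700000003 10.0.0.5 192.168.1.10 443 ALLOW
1700000004 10.0.0.5 192.168.1.10 445 DENY
1700000004 10.0.0.5 192.168.1.10 3389 DENY
1700000005 10.0.0.5 192.168.1.10 8080 DENY
1700000000 10.0.0.9 192.168.1.10 443 ALLOW
1700000030 10.0.0.9 192.168.1.10 443 ALLOW
1700000060 10.0.0.9 192.168.1.10 80 ALLOW
"""


def parse_log(text):
    """Parse the assumed log format into (ts, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append((int(ts), src, dst, int(port), action))
    return events


def detect_port_scans(events, window=10, min_ports=8):
    """Return {(src, dst): distinct_port_count} for every source/destination
    pair that touched at least `min_ports` distinct ports within any
    `window`-second span.  Denied and allowed hits both count: a scanner
    learns from either answer, and the pattern, not the verdict, is the signal."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _action in events:
        by_pair[(src, dst)].append((ts, port))

    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()                      # order by timestamp
        left = 0
        for right in range(len(hits)):   # sliding window over time-ordered hits
            while hits[right][0] - hits[left][0] > window:
                left += 1
            distinct = {p for _, p in hits[left:right + 1]}
            if len(distinct) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for (src, dst), count in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan: {src} -> {dst}, {count} distinct ports")
```

The thresholds are deliberately parameters: a noisy vulnerability scanner run with permission during an engagement and an unauthorized probe look identical in this data, so the rule of engagement (source addresses, time window) is what lets the SOC tell them apart.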

Tools & Techniques

  • Port scanners (Nmap) identify open ports and services running on target systems
  • Vulnerability scanners (Nessus, OpenVAS) automate discovery of known vulnerabilities
  • Exploit frameworks (Metasploit) provide pre-built exploits and payloads for common vulnerabilities
  • Social engineering tactics (phishing, pretexting) manipulate users into revealing sensitive information or granting access
  • Password cracking tools (John the Ripper, Hashcat) attempt to guess or brute-force passwords
  • Network sniffers (Wireshark) capture and analyze network traffic for sensitive data or vulnerabilities
  • Web application scanners (Burp Suite, OWASP ZAP) test web apps for common vulnerabilities (SQL injection, XSS)
  • Wireless hacking tools (Aircrack-ng) exploit weaknesses in wireless networks to gain unauthorized access

Common Vulnerabilities

  • Misconfigurations in systems, networks, or applications that leave them open to attack
  • Unpatched software with known vulnerabilities that can be exploited by threat actors
  • Weak or default passwords that can be easily guessed or brute-forced
  • Missing or inadequate access controls that allow unauthorized access to sensitive data or functions
  • Insufficient input validation that allows injection of malicious code or commands
  • Unencrypted communication channels that expose sensitive data to interception
  • Insecure data storage that leaves sensitive information vulnerable to theft or tampering
  • Lack of monitoring and logging that prevents detection of malicious activity
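Insufficient input validation is easiest to see in a SQL injection case. The following added example (not part of the original page) builds an in-memory SQLite table and contrasts a lookup that concatenates user input into the SQL text with a parameterized lookup and with one that first checks the input against an allowlist pattern. The table, usernames and allowlist pattern are constructed for illustration.

```python
"""Input validation and parameterized queries (added example)."""
import re
import sqlite3

# Constructed allowlist policy for usernames: lowercase letters, digits, underscore
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db():
    """Create a small in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable: untrusted input becomes part of the SQL text itself."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the driver binds the value as data; it is never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def validate_username(username):
    """Allowlist validation at the trust boundary; rejects anything unexpected."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup_safe(conn, username):
    """Defense in depth: validate first, then bind as a parameter."""
    return lookup_parameterized(conn, validate_username(username))


if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"
    print("unsafe, crafted input  ->", lookup_unsafe(conn, crafted))
    print("parameterized, crafted ->", lookup_parameterized(conn, crafted))
    try:
        lookup_safe(conn, crafted)
    except ValueError as exc:
        print("validated, crafted     -> rejected:", exc)
```

Parameterization alone already defeats the injection; the allowlist check is the input-validation layer the bullet refers to, and it also keeps malformed values out of logs and downstream systems that may not use bound parameters.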

Reporting & Documentation

  • Executive summary provides high-level overview of audit or pen test findings and recommendations
  • Detailed findings describe each vulnerability or issue identified, including risk level and potential impact
  • Evidence and screenshots demonstrate proof of concept for exploits and support findings
  • Recommendations provide specific actions to remediate vulnerabilities and improve security posture
  • Prioritization helps organizations address most critical risks first based on likelihood and impact
  • Remediation tracking documents status of fixes and ensures accountability for implementation
  • Lessons learned identify areas for improvement in security processes and practices
  • Follow-up testing validates effectiveness of remediation efforts and identifies any new vulnerabilities
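The audit checks from Security Audit Basics, the misconfiguration items under Common Vulnerabilities, and the likelihood-and-impact prioritization described here come together in a small findings pipeline. The following is an added example, not code from the original study guide: it audits a constructed service configuration against a handful of controls and emits findings sorted by risk. The configuration values, control identifiers, version baseline and severity bands are all assumptions made for this example, not taken from any standard.

```python
"""Configuration audit with prioritized findings (added example)."""
from dataclasses import dataclass

# Constructed sample configuration, as an auditor might pull from a host
SAMPLE_CONFIG = {
    "admin_password": "admin",
    "tls_enabled": False,
    "audit_logging": False,
    "openssh_version": "8.2",
    "allowed_admins": ["alice", "bob", "carol", "dave", "erin", "frank"],
}

DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme"}  # constructed list
MIN_OPENSSH_VERSION = (9, 0)   # assumed patched baseline for this example only
MAX_ADMINS = 3                 # assumed least-privilege threshold


@dataclass
class Finding:
    control: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    status: str = "open"   # remediation tracking: open / in progress / fixed

    @property
    def risk(self):
        return self.likelihood * self.impact

    @property
    def rating(self):
        # Bands are an illustrative convention, not a standard's
        if self.risk >= 20:
            return "critical"
        if self.risk >= 12:
            return "high"
        if self.risk >= 6:
            return "medium"
        return "low"


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def audit(config):
    """Evaluate the configuration against each control and return findings
    ordered for remediation: highest risk first, ties broken by impact."""
    findings = []
    if config.get("admin_password", "").lower() in DEFAULT_PASSWORDS:
        findings.append(Finding("AUTH-01", "Administrative account uses a default password", 5, 5))
    if not config.get("tls_enabled", False):
        findings.append(Finding("NET-01", "Management channel is unencrypted", 3, 4))
    if not config.get("audit_logging", False):
        findings.append(Finding("LOG-01", "Audit logging is disabled", 3, 3))
    if parse_version(config.get("openssh_version", "0")) < MIN_OPENSSH_VERSION:
        findings.append(Finding("PATCH-01", "OpenSSH below the patched baseline", 4, 4))
    if len(config.get("allowed_admins", [])) > MAX_ADMINS:
        findings.append(Finding("ACC-01", "Admin group wider than least privilege warrants", 2, 3))
    findings.sort(key=lambda f: (f.risk, f.impact), reverse=True)
    return findings


def render_report(findings):
    """One line per finding, in priority order, for the detailed-findings section."""
    return "\n".join(
        f"{f.rating.upper():8} {f.control:9} risk={f.risk:2} "
        f"status={f.status:12} {f.description}"
        for f in findings
    )


if __name__ == "__main__":
    print(render_report(audit(SAMPLE_CONFIG)))
```

Keeping likelihood and impact as separate fields, rather than a single severity label, is what makes the prioritization defensible to stakeholders and lets follow-up testing update one factor (say, likelihood after a compensating control) without rewriting the finding.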

Legal & Ethical Considerations

  • Obtain written permission and establish rules of engagement before conducting security audit or pen test
  • Comply with all applicable laws and regulations (Computer Fraud and Abuse Act, GDPR)
  • Respect privacy and confidentiality of client data and systems
  • Use least privilege principle and avoid unnecessary disruption of systems or networks
  • Document all activities and findings thoroughly and accurately
  • Disclose any conflicts of interest that may affect objectivity or integrity of assessment
  • Provide results only to authorized parties and protect sensitive information from unauthorized disclosure
  • Advise clients on legal and ethical implications of security issues and remediation options

Real-World Applications

  • Compliance audits ensure organizations meet industry or regulatory standards (PCI DSS, HIPAA, SOC 2)
  • Vulnerability assessments proactively identify and prioritize risks before they can be exploited
  • Red team exercises simulate real-world attacks to test an organization's detection and response capabilities
  • Incident response planning prepares organizations to quickly and effectively respond to security breaches
  • Third-party risk management assesses security of vendors, partners, and service providers
  • Mergers and acquisitions due diligence evaluates cybersecurity risks of target companies before transactions
  • Cloud security audits verify configuration and controls of cloud-based services and infrastructure
  • IoT and embedded device testing identifies vulnerabilities in smart devices and operational technology systems


© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.