Study Case A – Penetration Testing By Navy Seals Team Six
The Navy Seals Team 6 were assigned a tedious task by The Pentagon . Its mission is to move stealthily into the newly invented working space of NASA, locate where the servers are kept, retrieve classified information from the servers and finally get out of the building without being caught or noticed .
Study Case B – Vulnerability Assessment By The Secret Service
The Central Intelligence Agency assigned one of its secret agents specialized in automobile testing to examine whether the recently purchased Cadillac One for the current president is without ‘security holes’.
Brief Analysis of Both Study Cases
Study Case A
From the look of things, the main mission of the Navy Seals Team 6 is to retrieve classified information from the servers of NASA laboratory without being noticed. Assumingly, the Navy Seals Team won’t bother about other attack vectors. Just a single attack threat or vulnerability could grant them access into NASA’s building. Another attack vector could get them directly into the laboratory .
Technically, this mode of operation could be easily compared to ethical hacking or penetration testing. Like the leader of Navy Seals Team 6, a “ pen tester” in charge of a team assigned to retrieve classified data won’t waste time to search for other open ports or take on human elements. Their goal is to assess the web page silently with aid of Httrack, or depend on the Harvester tool to collect information about the target .
If they were hundred attack vectors widely available, there is no need to take on all hundred attack vectors. Just a single vector could help the team get access to the datum in need. Therefore, penetration testing does not expose all attack vectors.
Study Case B
Study Case B focuses on vulnerability testing. Let’s presume the Secret Service has assigned one of its automobile testers to examine whether ‘The Beast’ a.k.a ‘Cadillac One’ manufactured to cater for the travels of the current President is without leakage or “attack threats” .
Cadillac One, designed from the ground up by the Secret Service, is a moving impenetrable by bombs and bullets. The Beast is made up of steel, aluminum, titanium and ceramic. A steel plate runs underneath the car to protect bombs or grenades. There are other security features that boost the capabilities of ‘Cadillac One’.
Although the media applaud Cadillac One as the most protected limousine ever, automobile testers should re-think. Why do we have zero-day attacks? Although I have not heard of any zero-day attacks with regards to car hacking, there should be one in the near future soon.
Though Heartbleed is no more a recent bug, it caused much havoc. Let’s focus on zero-day attacks, attack vectors and vulnerability testing. This article is not related to car hacking.
Like Cadillac One, webpages and databases are assessed or examined to ensure all ports are well protected , there are no black holes to allow intake of malicious SQL injections, cross site scripting, command execution, directory traversal and so on.
|Heartbleed is a security bug disclosed in April 2014 in the Open SSL cryptography library, which is widely used in the implementation of the Transport Layer Security (TLS) protocol.|
The federal Canadian Cyber Incident Response Centre issued a security bulletin advising system administrators about the bug, most patches implemented failed to stop Heartbleed at once.
|Open SSL is a software library used in application that need secure communications against eavesdropping or need to ascertain in the identity of the party at the other end.
Technically, OpenSSL is widely implemented at the Transport Layer Security (TLS) . The TLS protocol ensures secure communication between two parties. The infamous Heartbleed attack allowed anyone on the internet to read the memory of the systems protected by the vulnerable version of the OpenSSL software .
Heartbleed compromised the secret keys used to identify the service providers , and to encrypt traffic, the names and passwords of users and content.
At the TLS layer, vulnerabilities scanners or scripts like, Nmap Security Scanner, GNUTLS, SSLscan are specifically written and programmed to ensure vulnerabilities associated with TLS protocol is checked and corrected.
Nmap Security Scanner – : Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
GNUTLS – : GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. It is aimed to be portable and efficient with focus on security and interoperability.
SSLscan – : SSLScan queries SSL services, such as HTTPS and SMTP that supports STARTTLS, in order to determine the ciphers that are supported. SSLScan is designed to be easy, lean and fast. The output includes preferred ciphers of the SSL service, the certificate and is in Text and XML formats.
A bug, unknown to software vendors or mistakenly created by programmers, transformed into a zero-day attack affected most websites despite all listed web scanners .
The following were affected by the heartbleed bug :
- Bank Of America, etc.
Apart from the above listed, many others were viciously affected by the heartbleed bug. Heartbleed was a bug, ignored by software vendors. Thriving firms like facebook, Gmail, AOL and the rest had IT auditors to check up on its websites, servers and other valuable objects prior to the invasion of heartbleed . Yet Heartbleed affected them drastically.
However, heartbleed is not more savage. But the bottom line : Can Vulnerability Testing Expose Attack Vectors or we should rather prepare for in-coming zero day attacks stealthily or ensure software testing and security is done properly ?
Vulnerability Testing Versus Attack Vectors
Effective vulnerability testing can prevent invasion of viruses and trojans . It ensures whether ports are well positioned and all closed ports are not mistakenly opened. However, Vulnerability testing is yet to find a cure to all attack vectors.
Initially, heartbleed was just a bug ignored by software vendors. Later, it turned into an attack vector which favored hackers. A bug left unattended or ignored by software vendors or programmers , exploited by hackers before the vendor becomes aware and fix it , it is known as a zero-day exploit.
Therefore, is it necessary to assess our websites or web servers if we have exploit writers being paid huge amount to literally walk into web servers for data via the help of attack vectors ?
Despite zero –day exploits and attack vectors, vulnerability testing is technically important. Vulnerability testing can help detect available lapses. Vulnerability testing can help website owners to know whether webpages are at least secured to go live. Finally, vulnerability testing can minimize attack vectors.
Vulnerability testing can prevent many attack vectors if implemented effectively and accordingly. However, some zero-day exploit transformed into attack vectors can’t be detected by ordinary vulnerability testing . We should rather combine software testing, software security with vulnerability testing. Software security and testing is the main challenges affecting software industry.
If programmers and software vendors should place emphasis on developing products or writing programs with no bugs , vulnerability testing won’t struggle with zero-day exploits, and attack vectors. Attack vectors are born out of zero-day attacks.