Find and remediate holes in your security perimeter
In the first step, UL collects information about the organization’s assets, network, servers, ports, applications, and services to determine the scope of the testing. This is achieved using footprinting, scanning and enumeration techniques. Concrete examples of the information collected include a list of IT assets (including services and applications), the system architecture, domain names, IP addresses and network blocks in use, IDS/IPS systems in place, and information about roles, authorizations and the authentication mechanisms used.
This information provides UL with the required IT infrastructure information: an overview of servers, systems and applications. These are the places where valuable information is stored or services are run, but also where vulnerabilities or weaknesses may occur. The output of this process is documented as an IT infrastructure blueprint, which contains detailed information about the assets in scope as well as their prioritization for the second step: scanning.
The information gathered in the previous step is used to scan the identified servers, systems and applications for possible weaknesses and vulnerabilities. Two main activities are part of this step: finding known vulnerabilities (commonly identified by CVEs) and exploring applications for common software weaknesses. The latter is based on the SANS Top 25 and OWASP Top 10 lists of the most serious software weaknesses (CWEs).
The testing process is executed in two ways: automated and manual. For automated scanning, UL uses tools such as Nessus and Nexpose. UL works together with the network owners to schedule timeslots for the scan.
Scanning results in a list of vulnerabilities and weaknesses that are probably present in your servers, systems and applications. However, their presence has to be verified before they can be included in the report in step 4. Verification can be done in two ways. The default option is to discuss the findings with your IT staff, who will be able to verify, for example, the presence of outdated software or an incorrect firewall configuration. The other option is to carry out a limited (‘Proof of Concept’) penetration test to confirm that the suspected vulnerabilities can indeed be exploited. Carrying out a PoC is always optional and is only done at the customer’s request.
Once the presence of vulnerabilities and weaknesses is confirmed, the responsible IT staff can already start to define possible remedial actions, such as applying available patches or hardening server configurations. This is necessary input for your remediation decisions in step 5.
As the next step, UL produces a report on the discovery, scanning and verification processes performed. The report contains, as a minimum, the blueprint of your IT infrastructure, a summary of all confirmed vulnerabilities and weaknesses, and detailed information about each of them, such as how they were detected, how they may be exploited, and an estimate of the impact and likelihood of exploitation. The associated risk level and possible mitigation measures are also stated.
After the remediation step, UL recommends performing a re-scan to validate that the remedial actions have been implemented successfully. This scan is performed with the same vulnerability scanning tools and identical configuration settings as the initial scan. Keeping the configuration identical is very important, because differences in scan settings would produce inaccurate results that cannot be compared with the initial scan. Typically, the re-scan is scheduled after the deadline for implementing remedial actions. The same type of report generated for the initial scan is produced for the re-scan. If necessary, additional remediation must be carried out.
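The re-scan comparison described above, as an added example (this is not UL's tooling and not output from Nessus or Nexpose): the scan settings and findings are constructed, the field names (host, port, plugin_id, cve, severity) are assumptions, and the CVE identifiers are placeholders. The comparison refuses to run when the two scan configurations differ, which is the check the paragraph above calls for.

```python
"""Compare a baseline vulnerability scan with its post-remediation re-scan.

Constructed sample data only: the configurations and findings are
illustrative and are not output from any scanner or UL engagement.
"""


def finding_key(finding):
    """Identity of a finding: same host, port and plugin means the same issue."""
    return (finding["host"], finding["port"], finding["plugin_id"])


def config_differences(baseline_cfg, rescan_cfg):
    """Return the names of settings that differ between the two scan configurations."""
    keys = set(baseline_cfg) | set(rescan_cfg)
    return sorted(k for k in keys if baseline_cfg.get(k) != rescan_cfg.get(k))


def compare_scans(baseline, rescan, baseline_cfg, rescan_cfg):
    """Classify findings as remediated, persisting or new.

    Refuses to compare scans run with different settings: a finding that
    'disappears' after, say, dropping credentials proves nothing about remediation.
    """
    diffs = config_differences(baseline_cfg, rescan_cfg)
    if diffs:
        raise ValueError("scan configurations differ: " + ", ".join(diffs))
    before = {finding_key(f): f for f in baseline}
    after = {finding_key(f): f for f in rescan}
    return {
        "remediated": sorted(k for k in before if k not in after),
        "persisting": sorted(k for k in before if k in after),
        "new": sorted(k for k in after if k not in before),
    }


# Constructed scan settings and findings (CVE ids are placeholders, not real).
SCAN_CFG = {"tool": "nessus", "policy": "full-audit", "credentialed": True}
BASELINE = [
    {"host": "10.0.0.5", "port": 443, "plugin_id": 1001, "cve": "CVE-PLACEHOLDER-1", "severity": "high"},
    {"host": "10.0.0.5", "port": 22, "plugin_id": 1002, "cve": "CVE-PLACEHOLDER-2", "severity": "medium"},
    {"host": "10.0.0.9", "port": 80, "plugin_id": 1003, "cve": None, "severity": "low"},
]
RESCAN = [
    {"host": "10.0.0.5", "port": 22, "plugin_id": 1002, "cve": "CVE-PLACEHOLDER-2", "severity": "medium"},
    {"host": "10.0.0.9", "port": 8080, "plugin_id": 1004, "cve": None, "severity": "medium"},
]

if __name__ == "__main__":
    for status, keys in compare_scans(BASELINE, RESCAN, SCAN_CFG, SCAN_CFG).items():
        print(status, keys)
```

The "persisting" list is what goes back into the remediation loop, while "new" findings are ones the baseline report never covered and need their own verification step.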