Advanced Infrastructure Penetration Testing
Overview of this book

It has always been difficult to gain hands-on experience and a comprehensive understanding of advanced penetration testing techniques and vulnerability assessment and management. This book will be your one-stop solution to compromising complex network devices and modern operating systems. This book provides you with advanced penetration testing techniques that will help you exploit databases, web and application servers, switches or routers, Docker, VLAN, VoIP, and VPN. With this book, you will explore exploitation abilities such as offensive PowerShell tools and techniques, CI servers, database exploitation, Active Directory delegation, kernel exploits, cron jobs, VLAN hopping, and Docker breakouts. Moving on, this book will not only walk you through managing vulnerabilities, but will also teach you how to ensure endpoint protection. Toward the end of this book, you will also discover post-exploitation tips, tools, and methodologies to help your organization build an intelligent security system. By the end of this book, you will have mastered the skills and methodologies needed to breach infrastructures and provide complete endpoint protection for your system.
Table of Contents (14 chapters)

Information security overview

Before diving into penetration testing, let's start with some important terminology in information security. The core principles of information security are confidentiality, integrity, and availability. Together, these three principles make up what is called the CIA triad.

Confidentiality

Confidentiality asserts that information and data are accessible only to persons who are authorized to access them. It is important to make sure that information is not disclosed to unauthorized parties. The theft of Personally Identifiable Information (PII) is an example of a confidentiality attack.

Integrity

The aim of integrity is to protect information against unauthorized modification; in other words, to preserve the trustworthiness of data. This means that data has to remain consistent, accurate, and trustworthy at every stage of processing, storage, and transmission. Protection mechanisms must be in place to detect any unauthorized change to the data, such as message authentication codes or digital signatures, rather than relying on a plain checksum that an attacker who can modify the data can simply recompute.
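As an added illustration of the integrity principle (this is example code, not code from the book), the following script seals a record with an HMAC-SHA256 tag under a secret key and verifies it with a constant-time comparison. It also shows why an unkeyed hash stored next to the data does not provide integrity: an attacker who can change the data can recompute the hash too. The key and the sample record are constructed demo values.

```python
import hashlib
import hmac
import json

# Constructed demo key for the example; in practice this comes from a secret store.
KEY = b"demo-integrity-key-change-me"


def canonical(record):
    """Serialize deterministically so identical data always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=KEY):
    """Return the record together with an HMAC-SHA256 tag computed under `key`."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(sealed, key=KEY):
    """True only if the tag matches the data under `key` (constant-time compare)."""
    expected = hmac.new(key, canonical(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def unkeyed_digest(record):
    """A plain SHA-256 over the record: anyone can compute this, no secret involved."""
    return hashlib.sha256(canonical(record)).hexdigest()


def plain_hash_check(stored_digest, record):
    """The weak scheme: compare a stored, unkeyed hash against the current data."""
    return stored_digest == unkeyed_digest(record)


# Constructed sample record, not from the book.
RECORD = {"account": "alice", "balance": 100}


def demo():
    """Return (honest_ok, tamper_caught_by_hmac, tamper_missed_by_plain_hash)."""
    sealed = seal(RECORD)
    honest_ok = verify(sealed)

    # Attacker edits the balance but cannot recompute the HMAC without KEY.
    tampered = dict(RECORD, balance=1_000_000)
    forged = {"data": tampered, "tag": sealed["tag"]}
    tamper_caught_by_hmac = not verify(forged)

    # With an unkeyed hash the attacker simply rewrites the stored digest as well.
    attacker_digest = unkeyed_digest(tampered)
    tamper_missed_by_plain_hash = plain_hash_check(attacker_digest, tampered)

    return honest_ok, tamper_caught_by_hmac, tamper_missed_by_plain_hash


if __name__ == "__main__":
    ok, caught, missed = demo()
    print(f"honest record verifies: {ok}")
    print(f"HMAC detects tampering: {caught}")
    print(f"plain hash accepts attacker-rewritten digest: {missed}")
```

The canonical JSON step matters: if the same record could serialize two ways, a legitimate copy would fail verification and the check would be switched off in practice. The constant-time comparison closes a timing side channel that a byte-by-byte string compare would open.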

Availability

Availability seeks to ensure that information is accessible to authorized users when they need it. Denial of Service (DoS) is an example of an availability attack. High-availability clusters and backup copies are examples of the mitigations used against availability attacks.

There are many information security definitions currently available. The previous definition is based on the ISO/IEC 27001 information security management standard.

Least privilege and need to know

Least privilege means that users, services, and processes are granted only the minimum access and authorization required to perform their job, and nothing more. Need to know is the complementary principle that a user must also have a legitimate business reason to access a specific piece of information; holding a clearance or a role is not enough on its own.

Defense in depth

Defense in depth, or layered security, is an approach that places multiple independent layers of security controls between an attacker and the asset, so that the failure or bypass of one control does not expose the system. Deploying multiple firewalls from different vendors at different network boundaries is one example of a defense-in-depth approach, since a flaw in one product is unlikely to be present in the other.

Risk analysis

The main role of an information security professional is to evaluate the risks to enterprise assets (the resources that need protection) and to implement security controls that defend against those risks. Risk analysis is a very important skill, because good judgment lets us select the best security controls and protection mechanisms, including the amount of financial resources needed to deploy these safeguards. In other words, a bad decision will cost the enterprise a large amount of money and, even worse, may lead to the loss of customers' data. We can't calculate risk in a quantitative way without knowing the threats and the vulnerabilities. A threat is a potential danger to our assets that could harm the systems. A vulnerability is a weakness that a threat can exploit to cause harm. The two terms and the connection between them are described by the simplified formula Risk = Threat*Vulnerability.

To evaluate the threat and the vulnerability, assign each a score on a fixed scale, for example from one to five. Another range can be used, as long as it is applied consistently across every asset so that the results stay comparable. Sometimes a third factor, impact, is added to describe the extent of the damage caused. In other cases the impact is expressed as an amount of money, the cost of that damage, and the formula becomes Risk = Threat*Vulnerability*Impact.

To perform a qualitative and quantitative risk analysis, we may use the risk analysis matrix from the Australia/New Zealand 4360 Standard (AS/NZS 4360) on risk management. Note that AS/NZS 4360 has since been superseded by AS/NZS ISO 31000, which keeps the same likelihood-versus-consequence approach.

The information security professional needs to classify risks on two metrics: the likelihood of occurrence and the severity of the consequence. The result of this classification dictates the next action plan. Thus, if a risk is rated high, senior management must be notified. The next step is to create a roadmap that brings every risk down to low, as far as possible, as shown here:
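The scoring described above, carried through as an added worked example (this is not the book's own code). It applies the text's formula Risk = Threat*Vulnerability*Impact on a one-to-five scale, then rates each finding on a likelihood-versus-consequence matrix in the AS/NZS 4360 style and flags the High and Extreme ones for escalation to senior management. The 5x5 matrix contents, the ceiling-division that maps the 1..25 Threat*Vulnerability product back onto the 1..5 likelihood axis, and the sample findings are all assumptions made for this example.

```python
# Qualitative risk rating: Risk = Threat * Vulnerability * Impact, followed by a
# likelihood x consequence matrix in the AS/NZS 4360 style.

SCALE = range(1, 6)  # 1..5, the example range from the text; any consistent range works

# Illustrative 5x5 matrix modelled on the example layout in AS/NZS 4360 (assumed
# here, not the book's table). Row = likelihood level 1 (rare) .. 5 (almost certain),
# column = consequence level 1 (insignificant) .. 5 (catastrophic).
MATRIX = {
    5: "HHEEE",
    4: "MHHEE",
    3: "LMHEE",
    2: "LLMHE",
    1: "LLMHH",
}
RATING = {"L": "Low", "M": "Medium", "H": "High", "E": "Extreme"}
ESCALATE = {"High", "Extreme"}  # the text: high risks must be reported to senior management


def check_level(name, value):
    """Reject scores outside the agreed scale so registers stay comparable."""
    if value not in SCALE:
        raise ValueError(f"{name} must be in {SCALE.start}..{SCALE.stop - 1}, got {value!r}")
    return value


def risk_score(threat, vulnerability, impact=1):
    """The text's formula: Risk = Threat * Vulnerability (* Impact)."""
    return (check_level("threat", threat)
            * check_level("vulnerability", vulnerability)
            * check_level("impact", impact))


def likelihood_level(threat, vulnerability):
    """Collapse Threat*Vulnerability (1..25) back onto the 1..5 likelihood axis.

    Assumed mapping: ceiling of the product divided by 5.
    """
    product = check_level("threat", threat) * check_level("vulnerability", vulnerability)
    return -(-product // 5)


def rate_risk(threat, vulnerability, impact):
    """Look the finding up on the matrix: likelihood row, consequence (impact) column."""
    row = MATRIX[likelihood_level(threat, vulnerability)]
    return RATING[row[check_level("impact", impact) - 1]]


def build_register(findings):
    """findings: iterable of (asset, threat, vulnerability, impact).

    Returns rows sorted by numeric score, highest first, each with its matrix
    rating and an escalate flag for High/Extreme ratings.
    """
    rows = []
    for asset, threat, vulnerability, impact in findings:
        rating = rate_risk(threat, vulnerability, impact)
        rows.append({
            "asset": asset,
            "score": risk_score(threat, vulnerability, impact),
            "rating": rating,
            "escalate": rating in ESCALATE,
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample findings for the example, not from the book.
SAMPLE_FINDINGS = [
    ("Internet-facing VPN appliance, unpatched", 5, 5, 4),
    ("Internal file server, weak share ACLs", 3, 4, 3),
    ("Lab printer, default SNMP community", 2, 2, 1),
    ("Payroll database, backups unencrypted", 2, 3, 5),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_FINDINGS):
        print(f"{row['rating']:8} score={row['score']:3} "
              f"escalate={str(row['escalate']):5} {row['asset']}")
```

Note that the two views can disagree: the payroll backup finding has a lower numeric score than the file-server finding (30 versus 36) but rates Extreme rather than High on the matrix, because the matrix weights a catastrophic consequence more heavily than a bare product does. Decide in advance which view drives escalation and apply it consistently.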

Information Assurance

Information Assurance (IA) refers to the assurance of the confidentiality, the integrity, and the availability of information and making sure that all the systems are protected during different phases of information processing. Policies, guidelines, identifying resource requirements, identifying vulnerabilities, and training are forms of information assurance.

Information security management program

The main aim of an information security management program is to make sure that the business operates in an environment of reduced risk. This requires cooperation between the organizational and operational parties throughout the whole process. The Information Security Management Framework (ISMF) is an example of a business-driven framework (policies, procedures, standards, and guidelines) that helps an information security professional establish a good level of security.