CISSP: Vulnerability and Penetration Testing for Access Control

IT components such as operating systems, application software, and networks have many vulnerabilities that are open to compromise or exploitation. This creates the possibility of penetration into the systems, which may result in unauthorized access and a compromise of the confidentiality, integrity, and availability of information assets.

Vulnerability tests are performed to identify vulnerabilities, while penetration tests are conducted to check the following:

  • Whether the systems can be compromised such that the established access control mechanisms are defeated and unauthorized access is gained
  • Whether the systems can be shut down or overloaded with malicious data, using techniques such as denial-of-service (DoS) attacks, to the point where access by legitimate users or processes is denied

Vulnerability assessment and penetration testing processes are like IT audits in that their value depends on the independence of whoever performs them. Therefore, it is preferred that they are performed by third parties, or at least by a team separate from the one that built and operates the systems under test.

The primary purpose of vulnerability and penetration tests is to identify, evaluate, and mitigate the risks due to vulnerability exploitation.

Vulnerability assessment

Vulnerability assessment is a process in which IT systems such as computers and networks, and software such as operating systems and application software, are scanned in order to identify the presence of known vulnerabilities. Scanners match versions, configurations, and signatures against a database of known weaknesses; finding previously unknown vulnerabilities requires manual review, fuzzing, or penetration testing rather than scanning alone.

Vulnerabilities in IT systems such as software and networks can be considered holes or errors.

These vulnerabilities are due to improper software design, insecure coding, or both. For example, a buffer overflow is a vulnerability where the size of the data written to a fixed-size memory region (a buffer) is not checked against the region's capacity. It is exploited by supplying more data than the buffer can hold. The excess spills over into adjacent memory and overwrites other variables, or control data such as a function's return address, so that the instructions processed by the microprocessor are corrupted or replaced with instructions of the attacker's choosing.

When a vulnerability is exploited it results in a security violation, which will result in a certain impact. A security violation may be an unauthorized access, escalation of privileges, or denial-of-service to the IT systems.

Tools are used in the process of identifying vulnerabilities. These tools are called vulnerability scanners. A vulnerability scanner can be a hardware appliance or a software application.

Generally, vulnerabilities can be classified by the type of security error. The type identifies the root cause of the vulnerability.

Vulnerabilities can be classified into the following types:

  1. Access Control Vulnerabilities

    It is an error due to a lack of enforcement of which users or functions are permitted, or denied, access to an object or a resource.

    Examples:

    • Improper or no access control list or table
    • No privilege model
    • Inadequate file permissions
    • Improper or weak encoding

    Security violation and impact:

    Files, objects, or processes can be accessed directly, without authentication or authorization checks being applied.

  2. Authentication Vulnerabilities

    It is an error due to inadequate identification and authentication mechanisms, so that a user or a process is not correctly identified.

    Examples:

    • Weak or static passwords
    • Improper or weak encoding, or weak algorithms (for example, credentials stored or transmitted in a reversible form)

    Security violation and impact:

    An unauthorized or less privileged user (for example, a Guest user), or a less privileged process, gains higher privileges, such as administrative or root access to the system.

  3. Boundary Condition Vulnerabilities

    It is an error due to inadequate checking and validation, such that the length of the data is not checked against the size of the storage allocated for it.

    Examples:

    • Buffer overflow
    • Overwriting the original data in memory

    Security violation and impact:

    Memory adjacent to the buffer is overwritten with attacker-supplied data or code. At best this corrupts data and crashes the program or the operating system. An attacker who controls what gets overwritten (for example, a return address) can redirect execution to injected code and obtain a command prompt or shell on the system.

  4. Configuration Weakness Vulnerabilities

    It is an error due to the improper configuration of system parameters, or leaving the default configuration settings as they are, which may not be secure.

    Examples:

    • Default security policy configuration
    • File and print sharing enabled on an Internet-connected interface (for example, with Internet Connection Sharing)

    Security violation and impact:

    The default configuration settings of most software applications are published and available in the public domain. For example, some applications ship with standard default passwords; if these are not changed, they allow an attacker to compromise the system. Configuration weaknesses are also exploited to gain higher privileges, resulting in privilege escalation.

  5. Exception Handling Vulnerabilities

    It is an error due to improper setup or coding, where the system fails to handle, or properly respond to, exceptional or unexpected data or conditions.

    Examples:

    • SQL injection

    Security violation and impact:

    By injecting exceptional data (for example, a quote character that terminates a string literal inside a database query), an unauthorized entity can change the logic of the query, capture user credentials, or provoke error messages that reveal internal details of the application.

  6. Input Validation Vulnerabilities

    It is an error due to a lack of verification mechanisms to validate the input data or contents.

    Examples:

    • Directory traversal (for example, "../" sequences in a requested file name)
    • Malformed URLs

    Security violation and impact:

    Due to poor input validation, files outside the intended directory, or system-privileged programs, may be accessed or executed.

  7. Randomization Vulnerabilities

    It is an error due to insufficient or predictable randomness where a process requires unpredictable values. These vulnerabilities predominantly affect cryptographic operations such as the generation of keys, nonces, and session tokens.

    Examples:

    • Weak encryption key
    • Insufficient random data (for example, a generator seeded from a guessable value such as the current time)

    Security violation and impact:

    A cryptographic key or token can be recovered or predicted, which compromises the confidentiality of the data and the access controls that depend on it.

  8. Resource Vulnerabilities

    It is an error due to a lack of resource availability for the correct operation of processes.

    Examples:

    • Memory exhausted
    • CPU completely utilized

    Security violation and impact:

    Due to the lack of resources, the system becomes unstable or hangs. This results in a denial of service to legitimate users.

  9. State Error Vulnerabilities

    It is an error resulting from a lack of state maintenance due to incorrect process flows.

    Examples:

    • Opening multiple tabs in a web browser, so that session state is shared between them

    Security violation and impact:

    Specific attacks, such as cross-site scripting (XSS), can result in authenticated user sessions being hijacked.
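The SQL injection entry under category 5 above, demonstrated as an added example in Python (this code is not from the book). Both login functions use Python's built-in sqlite3 module against an in-memory table of constructed sample accounts; the same injection applies to any SQL database. The vulnerable version concatenates user input into the statement, the safe version passes it as a bound parameter:

```python
import sqlite3

# Constructed sample accounts for this example (not from the original page).
# Passwords are kept in clear text only to keep the example short; a real
# system stores a salted hash and compares against that.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def fresh_db() -> sqlite3.Connection:
    """Create an in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement by string concatenation, so the user's input is
    parsed as SQL. A quote in the input terminates the string literal and
    whatever follows becomes part of the statement."""
    query = ("SELECT 1 FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised statement: the values travel separately from the SQL
    text and are never parsed as syntax, whatever characters they contain."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def attempt(fn, conn, username, password):
    """Run one login attempt and report True/False, or 'error' when the
    malformed statement makes the database raise an exception."""
    try:
        return fn(conn, username, password)
    except sqlite3.OperationalError:
        return "error"


def demo() -> dict:
    """Compare both implementations on a legitimate login, on the classic
    comment-out payload, and on a legitimate name that merely contains a quote."""
    conn = fresh_db()
    payload = "alice' --"   # '--' starts a comment in SQLite, dropping the password check
    awkward = "O'Brien"     # not an attack, just a name with an apostrophe
    return {
        "vulnerable": {
            "legit": attempt(login_vulnerable, conn, "alice", "s3cret"),
            "bypass": attempt(login_vulnerable, conn, payload, "wrong"),
            "quote": attempt(login_vulnerable, conn, awkward, "x"),
        },
        "safe": {
            "legit": attempt(login_safe, conn, "alice", "s3cret"),
            "bypass": attempt(login_safe, conn, payload, "wrong"),
            "quote": attempt(login_safe, conn, awkward, "x"),
        },
    }


if __name__ == "__main__":
    print(demo())
```

The result shows why the book files SQL injection under exception handling: the concatenated query does not only let the payload `alice' --` drop the password check, it also fails with a database error on a harmless name such as O'Brien, and such errors are exactly what an attacker probes for first. The parameterised version returns a plain False in both cases.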
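Directory traversal from category 6 above, as an added example in Python (not the book's code). The document root and the sample inputs are constructed for the illustration. Rather than searching the input for "../" (which misses percent-encoded, double-encoded, and backslash variants), the check canonicalises the requested path and compares the result against the root:

```python
import posixpath
import urllib.parse

# Hypothetical document root used for this example; any absolute POSIX path works.
DOCUMENT_ROOT = "/var/www/files"

MAX_DECODE_ROUNDS = 3   # bound for unwinding double/triple percent-encoding


def resolve_user_path(root: str, user_path: str):
    """Map a client-supplied file name onto the document root, or return None
    if it would escape it. Unwinds percent-encoding (including repeated
    encoding such as %252e), rejects NUL bytes, and compares the canonical
    path against the root instead of searching the input for '..'."""
    decoded = user_path
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "%" in decoded or "\x00" in decoded:
        # Deliberately strict: anything still percent-encoded after bounded
        # decoding, or containing a NUL, is refused rather than guessed at.
        return None
    decoded = decoded.replace("\\", "/")      # treat backslashes as separators too
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # join() discards root when decoded is absolute, and normpath collapses
    # '..' segments; the prefix test catches both kinds of escape.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def check_paths(root: str, user_paths) -> dict:
    """Resolve several inputs at once: value is the canonical path, or None if rejected."""
    return {p: resolve_user_path(root, p) for p in user_paths}


# Constructed inputs: the first two are legitimate, the rest are traversal attempts.
SAMPLE_INPUTS = [
    "reports/2024/q1.pdf",
    "reports/../index.html",
    "../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "%252e%252e/%252e%252e/etc/passwd",
    "/etc/passwd",
    "..\\..\\windows\\win.ini",
    "notes.txt%00.jpg",
]

if __name__ == "__main__":
    for path, resolved in check_paths(DOCUMENT_ROOT, SAMPLE_INPUTS).items():
        print(f"{path!r:40} -> {resolved}")
```

Note that "reports/../index.html" is accepted: it contains "..", but after normalisation it still points inside the root, which is the property that actually matters. A blacklist of the string ".." would have rejected it while letting the backslash and double-encoded variants through.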
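The "insufficient random data" entry under category 7 above, as an added example in Python (not the book's code). It assumes a hypothetical server that seeds Python's general-purpose random module with the Unix time at which a session token is issued. An attacker who knows the issue time to within an hour recovers the 128-bit token by trying at most 7201 seeds; the secrets module shows the correct approach:

```python
import random
import secrets

TOKEN_BITS = 128


def weak_token(seed: int) -> int:
    """Token generation as a careless implementation might do it: seed the
    general-purpose PRNG from a small, guessable value (here a Unix timestamp).
    The token is then a deterministic function of that seed."""
    return random.Random(seed).getrandbits(TOKEN_BITS)


def recover_seed(observed_token: int, approx_time: int, window: int = 3600):
    """Attacker side: knowing roughly when the token was issued, try every
    candidate seed in the window. The search space is the window size, not
    2**128, because the token carries only as much entropy as the seed."""
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_token(candidate) == observed_token:
            return candidate
    return None


def strong_token() -> int:
    """Token from the operating system's CSPRNG: no seed to guess, and the
    full 128 bits of entropy the length promises."""
    return int.from_bytes(secrets.token_bytes(TOKEN_BITS // 8), "big")


def demo() -> dict:
    # Constructed scenario: the server issued a token at this timestamp, and
    # the attacker's estimate of the issue time is 20 minutes off.
    issued_at = 1_700_000_000
    token = weak_token(issued_at)
    attacker_estimate = issued_at + 1200
    recovered = recover_seed(token, attacker_estimate)
    return {
        "recovered_seed": recovered,
        "forged_matches": recovered is not None and weak_token(recovered) == token,
        "max_attempts": 2 * 3600 + 1,
        "strong_tokens_differ": strong_token() != strong_token(),
    }


if __name__ == "__main__":
    print(demo())
```

The weak token looks random (128 bits, high-quality statistical distribution) and would pass casual inspection; the flaw is entirely in where the bits come from. The same reasoning applies to encryption keys derived from a time-seeded generator.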

Information security professionals need to be aware of the processes involved in identifying system vulnerabilities, and to devise suitable countermeasures, in a cost-effective and efficient way, to reduce the risk associated with the identified vulnerabilities. Typical measures are applying the patches supplied by the application vendors and hardening the systems.

Penetration testing

While vulnerability assessment and remediation are used to strengthen a computer system, it is also important that suitable penetration tests be performed periodically to identify how the system may actually be compromised. The primary purpose of penetration testing is to determine whether, and how, an identified vulnerability can be exploited.

The following diagram illustrates the process of Vulnerability Assessment and Penetration Testing (VAPT):


VAPT can be performed in the following nine-step process:

  1. Scope

    While performing assessments and tests, the scope of the assignment needs to be clearly defined. The scope is based on the assets to be tested and on how much the tester is told in advance. The following are the three possible scopes:

    • Black Box Testing: Testing from an external network with no prior knowledge of the internal networks and systems
    • Gray Box Testing: Testing from an external or internal network, with partial knowledge of the internal networks and systems. This is usually a combination of black box and white box testing
    • White Box Testing: Performing the test from within the network, with full knowledge of the network architecture and the systems. This is also referred to as internal testing
  2. Information Gathering

    The process of information gathering is to obtain as much information as possible about the IT environment, such as network ranges, IP addresses, operating system versions, and exposed services. This is applicable to all three types of scope discussed earlier.

  3. Vulnerability Detection

    In this process, tools such as vulnerability scanners are used, and vulnerabilities are identified in the IT environment by way of scanning.

  4. Information Analysis and Planning

    This process is used to analyze the identified vulnerabilities, combined with the information gathered about the IT environment, to devise a plan for penetrating the network and systems.

  5. Penetration Testing

    In this process, the target systems are attacked and penetrated using the plan devised in the earlier process.

  6. Privilege Escalation

    After successful penetration into the system, this process is used to identify and escalate access to gain higher privileges, such as root access or administrative access to the system.

  7. Result Analysis

    This process performs a root cause analysis of each successful compromise that led to penetration, and devises suitable recommendations to secure the system by closing the holes that were used.

  8. Reporting

    All the findings that are observed during the vulnerability assessment and penetration testing process need to be documented, along with the recommendations, in order to produce the testing report to the management for suitable actions.

  9. Cleanup

    Vulnerability assessment and penetration testing involve compromising the system, and during the process some files may be altered. This process ensures that the system is brought back to its original, pre-test state by restoring the altered data and files on the target machines and removing any accounts, tools, or files the testers created.

Common myths about vulnerability assessment and penetration testing

The following are some of the common myths about security assessments, such as vulnerability and penetration testing, and about information security in general:

  • I use a firewall, and therefore my systems are secure
  • I don't have web-based applications and am not connected to the Internet, and therefore my systems are safe
  • There was no intrusion incident in the past few years, and therefore our systems are not penetrable
  • I have a good security engineer, and therefore my systems are safe

Worldwide statistics of intrusions and system compromises indicate that such beliefs are not true. Proper vulnerability testing is necessary and helps in information security risk management processes.


Many security groups, vendors, and other organizations involved in vulnerability research identify vulnerabilities in systems almost daily. Different vendors have used different names and identifiers for the vulnerabilities they report, so it is sometimes difficult to tell whether two reports from different vendors describe the same vulnerability or different ones.

To address this, many security vendors, software vendors, and similar business groups formed a worldwide effort whose outcome is an online dictionary of vulnerabilities and exposures. This dictionary is called Common Vulnerabilities and Exposures (CVE); it is maintained by the MITRE Corporation and sponsored by the Department of Homeland Security (DHS) of the USA.

CVE gives each vulnerability a single identifier but does not rate it. Criticality scoring is provided by the Common Vulnerability Scoring System (CVSS), a standard maintained by FIRST (the Forum of Incident Response and Security Teams). NIST, as part of its Information Security Automation Program (ISAP), applies CVSS scores to CVE-listed vulnerabilities and publishes them in an online database known as the National Vulnerability Database (NVD).


In this article we focused on the vulnerability and penetration tests that give a security professional a way to identify and evaluate system weaknesses, and then to mitigate the risks based on the results of such tests.

We also covered the types of vulnerabilities, the typical security violations and their related impact on IT systems, and the process of conducting vulnerability assessment and penetration tests.

Finally, we discussed the standardization efforts around vulnerability naming and scoring, namely CVE and CVSS, and the role of NIST's National Vulnerability Database in applying them.

You've been reading an excerpt of:

CISSP in 21 Days