
Security 4 Nø0bs — The Rewards of Risk
Understanding the value of risk while on assignment
Hola Friends,
In my previous post, I wrote about the importance of knowing the Rules of Engagement (ROE) and of getting permission before proceeding with pen testing. The ROE sets the breadth and depth of the test effort. In this post, we will cover risk.
Site Mapping
As I’m coming to understand the processes involved in a penetration test, it is critical to understand the features and functions of the site. “How does this work?” and “How can I exploit that?” are some of the principal questions asked during the initial — Reconnaissance — phase of a penetration test.
Let’s imagine you have an e-commerce platform that sells widgets. Our platform is expected to have a home page that showcases these widgets (product list page), details of our widgets (product details page), and a checkout workflow (billing / shipping / payment / order confirmation).
We then analyze these features and functions. We’ll pay attention to the page-to-page interaction, URL parameters, input types, and request/response interactions. We’ll devise a punch list of what the site does and how it might be exploited.
** Note — Threat modeling might seem like a logical step in the reconnaissance phase of a pen test, but as is often the case, it is handled separately by a different team prior to the engagement. To keep within the bounds of the topic, it will be assumed that threat modeling has occurred and that the information has been communicated to the right people.
Once we have a list of features and functions on hand, as well as some ideas of how to test them, the next step is to understand the value each feature has and the impact if it is lost. Enter risk analysis.
Risk Analysis
Given our list of features, we can structure a series of incidents. For example, in our widgets site, we see there’s a potential vulnerability with the URL parameters. From experience, we know URL parameter tampering is a vulnerability worth exploiting. Some questions to ask are:
- What is the control environment that governs the url resolvers?
- What might the control activities be for the url resolvers?
- How is the traffic being monitored?
- What is the likelihood that parameter tampering will yield a redirection to a malicious site (or Watering hole attack)?
- What is the impact of url parameter tampering on the site? Can the wrong parameter cause damage (like an outage)?
Conversations need to be had to work out what the priorities are for the features under test. A thorough analysis is conducted, and scores are derived from the impact a potential security flaw would have on the business-critical feature (severity) and the likelihood of its occurrence (probability). The result is a thorough list of risks and their respective priorities. This prioritization metric helps inform which areas should be tested more thoroughly, establishing a list of business-critical areas to hit first in the event that time is a constraint.
** Pro Tip! — When presenting the pen test report, it is essential that each flaw include a CVSS (Common Vulnerability Scoring System) score. This calculated score determines the criticality of a found vulnerability based on the attack vector, the attack complexity, whether any special privileges are required, the level of user interaction, whether a successful exploit affects components beyond the vulnerable one (scope), confidentiality impact, integrity impact, and availability impact.
This is by no means a comprehensive list. The NIST CVSS calculator features a complete interface for making the proper calculation: CVSS v3 Calculator
Risk Management
At the conclusion of the engagement, when the pen test report is submitted, the Client will weigh the risks against business needs and make a determination on what to fix and what not to fix.
- Risk Avoidant — If the Client is risk-averse, they might want to evaluate the impact of the found vulnerability and assess whether the cost of fixing it outweighs its impact. If the cost is high but the risk of lost revenue or reputational damage is greater, it might be worth their while to invest in a fix.
Example: the URL parameter tampering issue reported was marked “High” — with a CVSS score of 7.5 — as it yielded a Watering Hole Attack vulnerability that triggered an improper redirect to a “malicious” site when a specific parameter was altered. The consequence was a shell installed on the web app server that triggered remote code execution.
- Risk Tolerant — On the flip side, if the Client is OK with the potential security vulnerability, they might opt to let it slide since that widget is not available for sale, and the issue does not occur with any other widget. The Client might decide that the likelihood of this Watering Hole Attack occurring is too low and might not address this issue immediately.
- Risk Mitigation — If it was discovered that the Watering Hole Attack vulnerability also occurred at login, registration, and throughout the checkout workflow, the Client might decide that some measures need to be put in place to minimize the impact. It behooves the Pen Tester to provide the best course of action and recommendations on how to address the issue. One such recommendation is to have tools in place to detect anomalous patterns of behavior.
- Risk Transference — The Client might decide that the impact of the issue on the business, while high, is handled by a service provider (3rd party) and therefore not their responsibility. The Pen Tester served to provide the necessary information for the Client to take action.
Conclusion
While on an engagement, the role of the Pen Tester is to provide the Client with a test report showing which business-critical features and functions are vulnerable. It is not for the Pen Tester to decide how the Client should manage the risks of the found issues, but rather to report on why each vulnerability matters and its potential impact to the business.
But don’t take it from me, I welcome any ideas, comments, or insight on this matter.
Until next time …
ciao for now
- Understanding CVSS — https://nvd.nist.gov/vuln-metrics/cvss
- Watering Hole Attack — https://www.fortinet.com/resources/cyberglossary/watering-hole-attack
- Parameter Tampering — https://www.techtarget.com/searchsecurity/definition/parameter-tampering