Baseline configuration testing

baseline and configuration reviews

Many organizations face challenges with configuring Microsoft 365, Azure, and Windows systems securely and consistently. In particular, it can be difficult to understand which hardening guides and baselines to use, and how best to use them.

At dotSec, we specialize in identifying and addressing these challenges with precision and expertise, helping to reduce the risks associated with inconsistent vulnerability and configuration management, and resulting compliance issues. 

Firstly, we conduct a comprehensive assessment of your Microsoft 365, Azure, and Windows systems using industry-standard frameworks such as the CIS benchmarks. Our team of experts will meticulously review your configurations to identify potential security gaps and ensure your systems align with best practices. We use a range of tools and methodologies, such as Prowler, the Microsoft Azure administration portal, Azure CLI and PowerShell, to provide a thorough analysis.

Once the assessment is complete, we provide clear, actionable remediation strategies tailored to your organization’s needs. Our approach ensures that configurations are tested in a development environment before being rolled out, minimizing disruptions to your operations. 

We can also assist in testing secure configurations, whether through manual adjustments or by using tools such as Intune for Windows systems in a replica/development environment. This testing work is done in accordance with the client's change-control procedures, in order to reduce any risks associated with the recommended hardening changes.


What is a pen test?

A penetration test (pen test) is an exercise, conducted by a careful, skilled assessor, that seeks to discover, exploit and report on vulnerabilities in the target asset(s). Pen testing includes both automated and manual tools and techniques that allow the assessor to simulate an attack in which the attacker targets asset(s) that may (as defined within the scope of the assessment) include:

  • Applications, including web applications and services.
  • Infrastructure, including fixed and wireless networks, networking components, servers and operating systems, and telephony equipment.
  • Client and mobile devices including laptops, browsers, mobile phones and desktop systems.
  • Cloud services such as infrastructure running within Azure or AWS. 

Penetration testing almost always includes a vulnerability assessment, where the assessor will use scanning tools in an attempt to identify known vulnerabilities in the target asset(s). 

Pen testing builds on vulnerability assessment, however: the assessor uses automated and manual techniques to first confirm that the reported vulnerabilities are real (not false positives) before seeking to exploit those vulnerabilities in order to engineer a successful attack.

How does a pen test benefit your business?

Penetration testing can benefit your business in a number of ways. Most obviously, pen testing will provide you with:
  • A description of any vulnerabilities discovered in any of the assets included within the scope of the assessment. Where relevant, we will refer to established vulnerability descriptions such as those in the OWASP Top Ten guidelines, and we will assign a severity rating to each vulnerability using the Common Vulnerability Scoring System (CVSS v3.1).
  • A risk assessment that presents the level of risk, reflecting the likelihood and consequence of a compromise arising from the successful exploitation of the discovered vulnerabilities. A qualitative risk assessment will be completed, consistent with relevant AS/NZ and ISO/IEC risk assessment and management standards and security guidelines.
  • Most importantly, a prioritised list of recommendations, describing how each of the identified risks may be reduced to an acceptable level. Any existing risk-mitigation mechanisms or procedures will be taken into account at this time.

Additionally, a pen test is almost always included as part of a maturity assessment, and most information security frameworks and standards require some kind of testing program:

  • The PCI DSS requires that testing be conducted on a regular basis and following any significant system changes.
  • CPS 243 requires a systematic testing program.
  • ISO 27001 notes that information systems should be regularly reviewed for compliance with the organisation's information security policies and standards.

But whether or not compliance requirements apply, a penetration test may be undertaken as a stand-alone piece of work, so that you (or the target/resource owner) understand the level of risk and can therefore prioritise your risk management programs of work.

How does dotSec run a pen test?

The aim of a penetration test is to allow DotSec to detect and exploit vulnerabilities in the target asset(s). There are a number of possible approaches which can be used:

1. Uninformed or black-box testing

DotSec's assessor will conduct a "black-box" test, taking the role of an uninformed attacker who does not have an account or privileges on the target asset(s). This allows an assessor to understand if and how an uninformed and unprivileged attacker could discover and exploit vulnerabilities in the target asset(s).

2. Grey-box testing

DotSec’s assessor will conduct a “grey-box” test, where “grey” indicates that some, limited information has been provided to the assessor. For example:

  1. The assessor can take on the role of an attacker who can register (or has registered) for an on-line account and can access those parts of the target site which require authentication, but without detailed knowledge of the design of the target site(s). This allows the assessor to understand how an attacker could use and/or escalate their limited privileges and capabilities to damage or misuse the target asset(s).

  2. The assessor has been provided with non-trivial design information, but without authentication credentials and/or privileges. This allows the assessor to take on the role of an attacker who has some incomplete level of insider knowledge and who can therefore proceed to attack the target of assessment without first having to conduct detailed reconnaissance.

3. Informed or white-box testing

During a "white-box" test, the customer will provide DotSec's assessor with insider knowledge of the target(s), allowing the assessor to provide the best coverage of the target asset(s) within the allowed assessment time, and thereby most effectively identify and exploit vulnerabilities that might not otherwise be discovered in a black-box or grey-box assessment. For example:

  1. The assessor may be provided with complete source code for a web-application front-end and/or API endpoint(s). This would give the assessor complete knowledge of parameter names and values that the target will accept. Note that in this scenario, DotSec and the client would need to agree as to whether or not a review of the actual source code should be completed as part of the assessment.

  2. The assessor may be granted admin privileges to a web application that would allow the assessor to create additional, arbitrary users of any privilege level. This will in turn allow the assessor to identify functionality which may be unavailable to users of lower privilege. The aim of this arrangement is to give the assessors complete knowledge of how the application appears to all roles, thereby allowing the assessor to uncover vulnerabilities which may otherwise remain hidden. Note that in this testing scenario, DotSec and the client would need to agree as to whether or not the assessment should include a review of the super-admin functionality itself.

4. Internal, external or both

In the world of cloud and mesh VPNs there is sometimes less distinction between what is "inside" and what is "outside", but in general most businesses still have head-office and branch networks, so the location of the assessor in relation to the target of assessment can be important. For example, a pen test can be conducted:

  1. As an external test, where the assessor takes on the role of an attacker that is situated on an external, publicly accessible part of the Internet. In this scenario, the assessor sees only Internet-accessible interfaces and components of the target asset(s) such as web-service APIs, open firewall ports and remote-access end points.

  2. As an internal test, where the assessor takes on the role of an attacker who has breached the defences of the target-asset owner, or who has compromised (for example, through a social-engineering or "phishing" attack) an account on the asset-owner's network or system. In this scenario, the assessor is better able to determine how an attacker could escalate and extend their capabilities, given a toehold in the target asset.

  3. As both an external and an internal test. In this "best of both worlds" approach, the assessor can provide a holistic understanding of the vulnerabilities that are detectable and exploitable from both an internal and an Internet-facing (external) perspective.

What next?

By undertaking a pen test, your organisation will gain an understanding of the risks associated with any vulnerabilities discovered in any of the assets included within the scope of the assessment, taking into account the likelihood and consequence of a compromise arising from the successful exploitation of the discovered vulnerabilities.

Most importantly, however, we will deliver a prioritised list of recommendations, describing how each of the identified risks may be reduced to an acceptable level, taking any existing risk-mitigation mechanisms or procedures into account. We believe this proactive approach is key to understanding and managing the risk of cyber incidents and ensuring the ongoing security and integrity of your systems and services.

Give us a call and let’s talk about the base… line!

dotSec is a professional cyber security organisation that was founded in 2000. Our idea was simple:

“Help organisations to treat security as a strategic asset, and they will operate with fewer risks and with a more certain budget, attracting more customers and becoming more successful than their more reactive and less strategic competitors.”

Now, with over 25 years of national and international experience behind us, that one idea has allowed us to assist clients across most industry sectors, and across all tiers of government.