
We have an admin web portal that we use to configure and monitor our system. We recently had a security consultant scan our servers for vulnerabilities. Our admin portal is secured with username and password authentication and with two-factor authentication.

The issue is that the security consultant is performing the vulnerability assessment and penetration testing as a fully authenticated user with full permissions. This makes sense, but because the user is fully authenticated, the scans are changing the configuration so much that the system won't run anymore.

So, is it right to perform the scans this way?

schroeder
Max
  • Do I understand it correctly that you let some tester make __arbitrary actions__ on a **production** system with __full privileges__? I don't think that this should be called "testing" any more. Testing should not disrupt production but just show potential problems. Let the pentester play around with a test system instead where no harm can be done. Reset the test system whenever it got broken while testing. – Steffen Ullrich May 09 '21 at 10:41
  • I edited your title to reflect the level of permissions you're talking about. "Full authentication" is different from "full permissions" – schroeder May 09 '21 at 12:01
  • If you give your tester admin rights, it's no longer a test to see if unauthorised access or actions can be performed since every access and action has already been granted permission by you.... – schroeder May 09 '21 at 12:05

2 Answers


There are really several things going on here.

The first question is about determining what, if any, authentication is necessary for security testing. This really depends on your threat model. For example, the systems that I'm currently working with are scanned using various end-user credentials, but not with credentials associated with the level of permission that company employees have. We've decided that if there's a malicious internal user, the types of concerns would go well beyond what a vulnerability scanner can pick up. The focus is on making sure that end-users, with malicious intent or not, have limited opportunities to harm or bypass the normal operation of the system. This approach may or may not be suitable for all organizations, so it's up to each organization to determine the risks and benefits of different configurations for scanning and penetration testing.

The statement that the security consultant, whether using automated tools or by a manual process of interacting with the system, is changing the configuration such that the system doesn't function is concerning. First, the security consultant will probably need documentation about the system associated with whatever user role they are authenticating as. This has been a common request in all penetration tests that I've been a part of. This should help them understand what different things do in order to not break the system. Second, they should be testing against an environment that mimics production but is not production. In my experience, security testers do things that may break the system, including attempting to send malicious payloads. Security testing should never interfere with the normal operation of the system.

My suggestion would be that you spend some time performing threat modeling and working with your security consultant to understand the system so they can perform the appropriate testing based on the risks that you face so that any findings would be relevant.

schroeder
Thomas Owens

I am assuming that you have only one level of privilege, e.g. Admin, and no one else can log in and mess with the system, right? So if the tester is not logged in as Admin he cannot simulate a real attack, because we all know this kind of security (username, password & 2FA) can be compromised, and if the attacker gets Admin privilege nobody knows how far he can get into the system. Basically what the tester is trying to do is make sure that even if someone gets those Admin privileges he cannot get too far in the system, for example upload a shell and take control over the whole server, get root privilege and delete everything. If the tester does not have the Admin privilege I am positive he can only check for sensitive folders/files, some common attacks (XSS, LFI, RFI, SQLi), outdated services and much more.

mrSotirow