
A Repository of Common Penetration-Testing Weaknesses

 1 year ago
source link: https://insights.sei.cmu.edu/blog/a-repository-of-common-penetration-testing-weaknesses/

Penetration testing is an important step in identifying weaknesses in an organization’s IT infrastructure. It is a crucial assessment activity for organizations to use when defending their environments against cyberattacks. The SEI conducts cybersecurity assessments for organizations and designs and develops applications that facilitate the collection and automation of the reporting of findings identified on assessments.

This post introduces a penetration-testing findings repository that is now publicly available on GitHub. Findings refer to the vulnerabilities and weaknesses identified during a penetration-testing assessment. The repository standardizes the language of findings and minimizes the time and effort for report writing. Moreover, the standardized finding-name format assists in analyzing aggregated data across multiple penetration-testing assessments.

This repository was created in response to inconsistent naming of findings across penetration-testing assessments and to provide a large collection of standardized weaknesses for assessors to use. Previously, assessors named findings differently from one assessment to the next: some named a finding after a cyberattack, others after a process. The penetration-testing findings repository instead names each finding after the vulnerability or weakness identified on an assessment rather than after an attack or a process. To help assessors locate findings more quickly during an assessment, the repository uses an affinity-grouping technique to categorize weaknesses, sorting the findings into a hierarchical three-tier structure that improves usability. Moreover, the findings repository includes resources to help assessed organizations remediate the findings identified on a penetration-testing assessment.

A key step in securing organizational systems is identifying and understanding the specific vulnerabilities and weaknesses that exist in an organization’s network. Once identified, the vulnerabilities and weaknesses must be put into context and certain questions must be answered, as outlined in the blog post How to Get the Most Out of Penetration Testing:

  • Which vulnerabilities and weaknesses should you spend finite resources addressing?
  • Which vulnerabilities and weaknesses are easily exploitable, and which aren’t?
  • Which vulnerabilities and weaknesses put critical assets at risk?
  • Which vulnerabilities and weaknesses must be addressed first?

Without this context, an organization might dedicate resources to addressing the wrong vulnerabilities and weaknesses, leaving itself exposed elsewhere. The repository provides a default finding-severity level to help an assessed organization prioritize which findings to remediate first. An assessor can adjust the default severity level of the findings depending on the other security controls in place in an organization’s environment.

Repository Overview

The penetration-testing findings repository is a collection of Active Directory, phishing, mobile-technology, system, service, web-application, and wireless-technology weaknesses that may be discovered during a penetration test. The repository contains default names, descriptions, recommendations for remediation, references, mappings to various frameworks, and severity levels for each finding. This repository and its structure serve four primary purposes:

  • standardization—The repository standardizes the reporting process by providing defined findings for an assessor to select from during an assessment.
  • streamlined reporting—Providing pre-populated attributes (finding name, description, remediation, resources, and severity level) saves significant time during the reporting process, allowing assessors to focus on operations.
  • comprehensiveness—The repository’s layered structure gives assessors flexibility in how they present their findings as the vulnerability landscape evolves. When possible, assessors select a specific finding. If no specific finding accurately describes what was discovered, assessors can select a general finding and tailor it accordingly.
  • ease of navigation—To make the repository easier to navigate, it uses a tiered classification structure. Findings are grouped by the findings categories, allowing assessors to report on both general and specific findings when creating reports.

As mentioned above, the findings repository is a hierarchical structure containing the following three tiers:

  • Finding Category Tier—lists the overarching categories: Active Directory Weakness, Phishing Weakness, Mobile Technology Weakness, System or Service Weakness, Web Application Weakness, Wireless Technology Weakness.
  • General Finding Tier—lists 27 high-level findings that are like subcategories of the overarching Finding Category. General Findings can be used as an individual finding on an assessment when there isn’t a suitable Specific Finding.
  • Specific Finding Tier—lists 111 low-level findings that pinpoint a distinct weakness that can be exploited during an assessment. The specific findings consist of common findings frequently identified during assessments.
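The three-tier lookup described above, the fall-back from a Specific Finding to its General Finding, the assessor's severity override, and the cross-assessment aggregation that standardized names enable, modeled as an added example. This is constructed illustration code, not the SEI repository's own data format or tooling; the entry names, the severity scale, and the `Finding`, `select_finding`, `report_entry`, and `aggregate` helpers are all assumptions made for the example.

```python
# Toy model of a three-tier findings repository (constructed example;
# not the SEI repository's own data format or code).
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SEVERITIES = ("Informational", "Low", "Medium", "High", "Critical")  # assumed scale

@dataclass(frozen=True)
class Finding:
    category: str            # tier 1: Finding Category
    general: str             # tier 2: General Finding
    specific: Optional[str]  # tier 3: Specific Finding; None marks a general-only entry
    severity: str            # default severity level shipped with the entry
    remediation: str

    @property
    def name(self) -> str:
        """Standardized name that appears in reports and in cross-assessment aggregation."""
        return self.specific or self.general

# Constructed sample entries; names are placeholders, not actual repository entries.
REPO = (
    Finding("Web Application Weakness", "Sample General Input Weakness", None,
            "Medium", "Validate and encode all untrusted input."),
    Finding("Web Application Weakness", "Sample General Input Weakness",
            "Sample Specific Injection Weakness", "High", "Use parameterized queries."),
)

def select_finding(category: str, general: str, specific: Optional[str] = None) -> Finding:
    """Prefer a matching Specific Finding; fall back to the General Finding when none fits."""
    for f in REPO:
        if (f.category, f.general, f.specific) == (category, general, specific):
            return f
    if specific is not None:
        return select_finding(category, general, None)  # assessor tailors the general finding
    raise KeyError(f"no general finding {general!r} under {category!r}")

def report_entry(finding: Finding, severity_override: Optional[str] = None) -> dict:
    """Build one report row; the assessor may override the default severity for compensating controls."""
    severity = severity_override or finding.severity
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    return {"name": finding.name, "category": finding.category,
            "severity": severity, "remediation": finding.remediation}

def aggregate(assessments) -> Counter:
    """Count standardized finding names across the report rows of several assessments."""
    return Counter(row["name"] for rows in assessments for row in rows)
```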

As shown in the table below, there are six Finding Categories:
