[DE]Penetration Testing Theorie #4 by security101

View this thread on: hive.blog | peakd.com | ecency.com

deutsch · @security101 · Oct 22 '18

$13.59

[DE]Penetration Testing Theorie #4

In dieser kleinen Serie möchte ich eine kurze Einleitung zur theoretischen Vorgehensweise von Penetrationstests geben. 
Aufgeteilt ist diese Serie in folgende Beiträge:
- #1 <strong>[Was ist Penetrationtesting, Schutzziele, Täterprofile](https://steemit.com/deutsch/@security101/de-penetration-testing-theorie-1)</strong>
- #2 <strong>[Klassifikation von Penetrationstests](https://steemit.com/deutsch/@security101/de-penetration-testing-theorie-2)</strong>
- #3 <strong>[Phasen eines Penetrationstests](https://steemit.com/deutsch/@security101/de-penetration-testing-theorie-3)</strong>
- #4 <strong>Bewertung von Schwachstellen</strong>
<sup>
Diese Serie ist nicht vollständig und soll lediglich einen groben Überblick geben. Bei offenen Fragen zu einem Thema beantworte ich diese natürlich gerne in den Kommentaren oder schreibe einen weiteren Beitrag !
</sup>
![#4_DE.png](https://cdn.steemitimages.com/DQmTSiUQtayifgLnZFdirdoYh7pomHEgUnLKY8aAEeBMWPY/#4_DE.png)
---
Nachdem wir im Rahmen unseres bisherigen Penetrationstests Schwachstellen gefunden haben, werden diese nun bezüglich ihres Risikos bewertet. Anhand dieser Risikobewertung können Entscheidungen zum weiteren Vorgehen getroffen werden.  Wie Beispielsweise eine Priorisierung der zu schließenden Sicherheitslücken.

Das Risiko setzt sich hierbei aus der Eintrittswahrscheinlichkeit sowie dem potentiellen Schadensausmaß zusammen.
Dies könnte, wie in dieser beispielhaften Risikomatrix dargestellt, wie folgt aussehen:
<center>
![risikomatrix.png](https://cdn.steemitimages.com/DQmPawtriQCCmJvETN6BuHrV2MAmYgmicJfkXFVmnYuvEFF/risikomatrix.png)
[Quelle](http://www.linux-magazin.de/ausgaben/2013/08/risikoanalyse/3/)
</center>

Eine weitere Möglichkeit ist es die Schwachstellen mittels des CVSS zu bewerten, was ich im Folgenden kurz darstellen möchte.

### CVSS 
<center>
![cvss_web.png](https://cdn.steemitimages.com/DQmdkdYea3asJ7aUSwjenRWeXwBQzR7NXgj3h4A2BXnMHhW/cvss_web.png)
[Quelle](https://www.first.org/cvss/identity/)
</center>

CVSS (Common Vulnerability Scoring System), aktuell in Version 3 ermöglicht es, Sicherheitslücken in Computersystemen standardisiert zu bewerten. Hierfür existieren drei Gruppen von Metriken die aufeinander aufbauen. Die Gruppe "Base" beschreibt die intrinsischen Qualitäten einer Schwachstelle. Dies ist also eine Grundsätzliche und allgemein gültige Einschätzung. In der Gruppe "Temporal" fließt zusätzlich die Entwicklung der Schwachstelle im Laufe der Zeit ein. Abhängig von der Umgebung in der getestet wurde, können entsprechende Parameter in der Metrik "Environmental" angepasst werden. Die "Base" Gruppe bildet also die Basis, die anschließend noch ergänzt werden kann.

Folgende Attribute werden bei der Berechnung des Base Score berücksichtigt und entsprechend des englischen Ausdrucks abgekürzt.
- Angriffsvektor (AV)
- Die Komplexität des Angriffes (AC)
- Benötigte Privilegien (PR)
- Interaktion durch den Nutzer (UI)
- Der Scope (S)
Sowie die Verletzung der Schutzziele:
- Vertraulichkeit (C)
- Integrität (I)
- Verfügbarkeit (A)

Jede Gruppe wird durch einen Score dargestellt.
Der Score kann einen Wert zwischen 0 und 10 annehmen womit sich folgende Abstufungen von Schwachstellen kategorisieren lassen <sup>[S. 16][1]</sup>

| CVSS-Score  | Risikoklasse |
|-------------|--------------|
| 10,0 - 9,0  | Kritisch     |
| 8,9 - 7,0   | Hoch         |
| 6,9 - 4,0   | Mittel       |
| 3,9 - 0,1   | Gering       |


Neben dem Score als Zahl lässt sich eine Schwachstelle durch einen Vector-String darstellen. Im komprimierter Form können so alle Informationen eingesehen werden.
Ein beispielhafter Vektor sieht folgendermaßen aus: 
> CVSS3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Was die einzelnen Abkürzungen und Werte bedeuten kann über [dieses Online-Tool](https://www.first.org/cvss/calculator/3.0) eingesehen werden, mit dem man sich diesen Vector bzw. den Score auch erstellen kann.







----
#### Quellen
- <strong> [1] - [CVSS Spezifikation](https://www.first.org/cvss/cvss-v30-specification-v1.8.pdf):  Aufgerufen am 22.10.2018
---

<center>
https://steemitimages.com/0x0/https://i.imgur.com/NLy7ba1.png

Vielen Dank fürs Lesen. Fragen beantworte ich wie immer gerne in den Kommentaren :)

</center>

👍 therealwolf, holm, happymoneyman, bobsrepair, nateaguila, intrepidphotos, thenightflier, seer, davidpakman, simonpeter35, bestbroplayer, litrbooh, arshikhan, watwrongwitunews, poojakum, littleboy, fedesox, swissclive, abdulmanan, huch, stayoutoftherz, free999enigma, johnny-appleseed, superledger, bumper, louis88, mistywind, meherin, stephen.king989, walterjay, miti, i-d, detlev, pi5000, morethancrypto, scottweston, sulev, brothermic, fricibacsi, homeartpictures, lauch3d, steem-id, allfabeta, mxzn, codingdefined, spreadfire1, ligit, softmetal, mynaturebody, eliel, sergiomendes, jerrycheung, coffeex, teamvn, andrejcibik, shitsignals, makerhacks, alao, obvious, liberty-minded, kwakumax, chuadanga, park.bom, fancybrothers, and 138 others

`author`	security101
`permlink`	de-penetration-testing-theorie-4
`category`	deutsch
`json_metadata`	{"tags":["deutsch","it-sicherheit","risikobewertung","penetrationstest"],"image":["https://cdn.steemitimages.com/DQmTSiUQtayifgLnZFdirdoYh7pomHEgUnLKY8aAEeBMWPY/#4_DE.png","https://cdn.steemitimages.com/DQmPawtriQCCmJvETN6BuHrV2MAmYgmicJfkXFVmnYuvEFF/risikomatrix.png","https://cdn.steemitimages.com/DQmdkdYea3asJ7aUSwjenRWeXwBQzR7NXgj3h4A2BXnMHhW/cvss_web.png","https://steemitimages.com/0x0/https://i.imgur.com/NLy7ba1.png"],"links":["https://steemit.com/deutsch/@security101/de-penetration-testing-theorie-1","https://steemit.com/deutsch/@security101/de-penetration-testing-theorie-2","https://steemit.com/deutsch/@security101/de-penetration-testing-theorie-3","http://www.linux-magazin.de/ausgaben/2013/08/risikoanalyse/3/","https://www.first.org/cvss/identity/","https://www.first.org/cvss/calculator/3.0","https://www.first.org/cvss/cvss-v30-specification-v1.8.pdf"],"app":"steemit/0.1","format":"markdown"}
`created`	2018-10-22 21:40:39
`last_update`	2018-10-22 21:40:39
`depth`	0
`children`	6
`last_payout`	2018-10-29 21:40:39
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	10.402 HBD
`curator_payout_value`	3.183 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	4,227
`author_reputation`	1,496,739,907,691
`root_title`	"[DE]Penetration Testing Theorie #4"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	73,844,952
`net_rshares`	11,828,927,100,622
`author_curate_reward`	""

properties (23)vote details (202)

voter	rshares	pct
steem-id	90,439,905,206	100%
olyup	59,182,155,435	100%
alao	69,710,089,140	100%
sulev	117,107,529,419	100%
litrbooh	227,390,698,347	100%
stephen.king989	154,594,655,129	100%
lasseehlers	23,197,708,480	100%
freeinthought	43,194,807,994	100%
sergiomendes	74,342,869,734	100%
park.bom	60,324,548,152	100%
seer	250,786,688,318	100%
walterjay	143,619,626,433	100%
fricibacsi	103,179,107,572	100%
homeartpictures	95,590,005,124	100%
shafay	21,507,639,177	100%
chrissysworld	52,002,955,054	100%
raja	27,754,549,694	100%
distantsignal	49,914,335,554	100%
cgame	55,967,316,567	100%
maninayton	49,984,408,608	100%
samhamou	19,367,693,080	100%
fronttowardenemy	39,325,631,012	100%
libertyranger	43,433,045,251	100%
maurocostarica	19,986,123,324	100%
detlev	129,580,674,817	100%
liberty-minded	69,585,078,659	100%
waphilip	52,130,074,854	100%
thelordsfinest	10,603,764,807	100%
thenightflier	251,182,421,498	100%
holm	283,804,867,460	92%
jo3potato	18,099,223,380	100%
eliel	76,577,926,234	100%
fullofhope	48,605,538,954	100%
greeksteemjesus	10,571,216,903	100%
mynaturebody	76,738,742,470	100%
thewealthunit	48,747,931,978	100%
mxzn	87,742,826,606	100%
kouloumos	38,131,775,019	100%
ligit	78,141,689,127	100%
brothermic	103,823,866,921	100%
kwakumax	65,582,509,234	100%
limnade	30,450,452,592	100%
spirits4you	56,975,146,087	100%
allfabeta	87,960,091,346	100%
jstajok	13,195,560,876	100%
mackcom	7,478,731,647	100%
ccoin	10,960,265,932	100%
fancybrothers	59,845,637,818	100%
znaffe	17,527,901,509	100%
simonpeter35	236,620,577,447	100%
codingdefined	85,463,682,089	100%
happymoneyman	278,557,684,682	100%
shitsignals	71,356,815,095	100%
abdulmanan	192,056,054,249	100%
stayoutoftherz	187,670,138,588	100%
fishmon	93,426,754	50%
andrejcibik	71,563,328,442	100%
chetanpadliya	49,055,715,279	100%
hamzayousaf	57,266,056,207	100%
sthitaprajna	13,627,158,047	100%
arshikhan	221,012,527,206	100%
chrisdavidphoto	41,750,576,466	100%
free999enigma	181,538,329,615	100%
braxton101	45,091,699,023	100%
saadmehmood	11,031,907,621	100%
jerrycheung	72,576,166,628	100%
minnowhelperteam	38,147,424,255	100%
landonator	4,472,807,290	50%
synace	26,882,848,842	100%
therealwolf	376,989,079,642	39.23%
swissclive	196,013,570,997	100%
littleboy	204,473,658,009	100%
makerhacks	71,257,626,300	100%
scottweston	117,609,503,309	100%
davidpakman	248,538,470,061	100%
ankapolo	11,055,583,130	100%
miti	133,874,810,026	100%
fedesox	199,646,452,868	100%
lauch3d	90,551,376,814	100%
jjcali	32,234,861,148	100%
bigbraincciuto	12,005,478,625	100%
dpatcher	10,931,812,071	100%
freedomtowrite	9,497,129,048	100%
jahedkhan	7,014,504,659	100%
johnny-appleseed	169,370,394,367	100%
akshaykumar12257	31,033,772,496	100%
farukcom	37,159,918,495	100%
fitcuriousgeorge	154,761,045	25%
thisisethanlau	8,407,240,558	100%
meherin	160,448,275,710	100%
nathen007	9,661,586,497	100%
obvious	69,690,559,605	100%
bumper	163,784,179,682	100%
piszozo	18,329,398,538	100%
bobsrepair	269,202,269,163	100%
bestbroplayer	227,650,771,491	100%
sistem	10,348,575,863	100%
lulafleur	544,450,062	100%
intrepidphotos	264,462,570,554	100%
mehta	40,174,221,869	100%
dolphinscute	415,374,616	50%
diogosantos	9,574,974,734	100%
jona12	16,166,384,515	100%
legato	9,309,081,929	100%
coffeex	72,533,643,022	100%
justsomekid	13,844,789,338	100%
corazen	457,788,821	100%
lifeofroman	524,569,278	100%
pars11	11,539,809,355	100%
jesse12	35,405,393,788	100%
nane	18,751,898,069	100%
binislam0	31,100,741,980	100%
mdnazmulhasan	11,174,523,697	100%
fakhre2001	8,711,404,985	100%
tonkatonka	703,664,312	100%
degrimmis	419,456,097	100%
maxpatternman	28,939,049,212	100%
elektr1ker	2,559,254,268	100%
techchat	34,720,868,959	100%
thebluewin	9,709,876,733	100%
flugschwein	41,588,222,646	100%
sparkofphoenix	19,063,025,195	100%
danielplays	253,589,618	50%
artzanolino	34,008,796,640	100%
hellroute	18,939,798,495	100%
burstfire	556,776,912	100%
farhad3322	72,679,214	10%
nervi	54,534,792,478	100%
scottcbusiness	17,817,164,131	100%
jamiba	486,684,516	100%
tineschreibt	1,386,307,047	50%
huch	190,070,703,946	100%
mahyulmaulana	8,693,630,493	100%
betavirosis	206,666,269	100%
louis88	162,646,511,555	100%
selimz	12,034,408,275	100%
mr-elusive	55,283,330,154	100%
unversehrt	28,495,921,962	100%
misia1979	8,965,145,663	50%
quochuy	46,821,503,183	100%
reinaldoverdu	452,224,953	25%
beturrio	492,574,852	100%
jolugo23	346,953,170	100%
yonilkar	26,221,579,204	100%
moneyroad	10,336,663,532	100%
janisplayer	530,662,595	100%
sergionatera	448,258,772	100%
chuadanga	61,625,883,879	100%
hyipi	10,658,917,761	100%
softmetal	77,154,697,659	100%
i-d	133,049,320,855	100%
thomasmore	13,049,048,130	100%
spreadfire1	78,539,698,765	100%
nateaguila	268,896,998,892	100%
variola	50,304,836,277	100%
edward2000	492,876,564	100%
annemariemay	24,403,115,915	100%
vanessazune2	632,848,119	100%
superledger	167,619,089,455	100%
sidneychildsh	29,565,414,216	100%
jnkb07	9,917,195,093	100%
raybull	993,416,265	50%
steemeditor.bot	49,611,114,753	100%
wagongratified	516,567,646	100%
luis26	492,120,742	100%
veronika.ystin	517,064,533	100%
sergei.ilenkov	516,854,222	100%
pointingevasive	516,644,399	100%
killvrill	9,131,809,725	100%
kamrunnahar	19,870,352,125	100%
lizakotova	516,950,034	100%
watwrongwitunews	217,038,557,082	100%
poojakum	214,486,094,190	100%
stuttgart	52,610,982,278	100%
pi5000	122,098,411,735	100%
teamvn	72,410,421,435	100%
yormalis	489,365,730	100%
french-tech	7,951,682,449	100%
lauraguedez	491,594,034	100%
xavierg	491,605,136	100%
sinf.libertador	483,997,775	100%
ladyceleste	489,072,765	100%
mimismartypants	7,531,739,563	100%
voteyourcrypto	15,469,845,399	100%
mistywind	161,870,838,548	100%
angel15	485,458,871	100%
music.mari	489,634,593	100%
lilymusic	489,777,089	100%
angelforcello	488,818,152	100%
morethancrypto	121,527,868,625	100%
alb501	484,155,832	100%
definitelynotstu	7,040,108,099	100%
potex	519,434,247	100%
tedan	519,643,906	100%
canalea	240,655,225	50%
babyincin	11,718,496,252	100%
grexx	240,241,144	50%
sozialbank	828,013,111	25%
healthybrain	6,835,123,640	100%
mtga	8,631,362,001	100%
realself	14,233,671,555	100%
samsemilia7	430,675,900	100%

@janisplayer · Oct 23 '18

$0.06

Schaut Top aus, also gefällt mir.
Ich finde es immer gut, wenn jemand Personen erklärt, wie man sich vor Sicherheitslücken schütz und diese erkennt.

Posted using [Partiko Android](https://steemit.com/@partiko-android)

👍 security101

`author`	janisplayer
`permlink`	janisplayer-re-security101-de-penetration-testing-theorie-4-20181023t214943300z
`category`	deutsch
`json_metadata`	{"app":"partiko"}
`created`	2018-10-23 21:49:42
`last_update`	2018-10-23 21:49:42
`depth`	1
`children`	0
`last_payout`	2018-10-30 21:49:42
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.047 HBD
`curator_payout_value`	0.015 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	218
`author_reputation`	2,775,884,238,285
`root_title`	"[DE]Penetration Testing Theorie #4"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	73,917,945
`net_rshares`	55,763,100,239
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
security101	0 B		55,763,100,239	100%

@janisplayer · Jun 29 '19

Schade einer meiner lieblings Tech-Blogs mit @Elektriker. :(
Ich dachte vielleicht wärst du noch aktiv.

Posted using [Partiko Android](https://partiko.app/referral/janisplayer)

properties (22)

`author`	janisplayer
`permlink`	janisplayer-re-security101-de-penetration-testing-theorie-4-20190629t050923050z
`category`	deutsch
`json_metadata`	{"app":"partiko","client":"android"}
`created`	2019-06-29 05:09:24
`last_update`	2019-06-29 05:09:24
`depth`	1
`children`	0
`last_payout`	2019-07-06 05:09:24
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	177
`author_reputation`	2,775,884,238,285
`root_title`	"[DE]Penetration Testing Theorie #4"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	87,501,220
`net_rshares`	0

@steemitboard · Dec 2 '18

Congratulations @security101! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :

<table><tr><td>https://steemitimages.com/60x70/http://steemitboard.com/@security101/votes.png?201812022252</td><td>You made more than 4000 upvotes. Your next target is to reach 5000 upvotes.</td></tr>
</table>

<sub>_[Click here to view your Board of Honor](https://steemitboard.com/@security101)_</sub>
<sub>_If you no longer want to receive notifications, reply to this comment with the word_ `STOP`</sub>



> Support [SteemitBoard's project](https://steemit.com/@steemitboard)! **[Vote for its witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1)** and **get one more award**!

properties (22)

`author`	steemitboard
`permlink`	steemitboard-notify-security101-20181202t232911000z
`category`	deutsch
`json_metadata`	{"image":["https://steemitboard.com/img/notify.png"]}
`created`	2018-12-02 23:29:12
`last_update`	2018-12-02 23:29:12
`depth`	1
`children`	0
`last_payout`	2018-12-09 23:29:12
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	765
`author_reputation`	38,975,615,169,260
`root_title`	"[DE]Penetration Testing Theorie #4"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	76,265,142
`net_rshares`	0

@steemitboard · Jan 6 '19

Congratulations @security101! You received a personal award!

<table><tr><td>https://steemitimages.com/70x70/http://steemitboard.com/@security101/birthday1.png</td><td>1 Year on Steemit</td></tr></table>

<sub>_[Click here to view your Board](https://steemitboard.com/@security101)_</sub>


> Support [SteemitBoard's project](https://steemit.com/@steemitboard)! **[Vote for its witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1)** and **get one more award**!

properties (22)

`author`	steemitboard
`permlink`	steemitboard-notify-security101-20190106t145353000z
`category`	deutsch
`json_metadata`	{"image":["https://steemitboard.com/img/notify.png"]}
`created`	2019-01-06 14:53:54
`last_update`	2019-01-06 14:53:54
`depth`	1
`children`	0
`last_payout`	2019-01-13 14:53:54
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	502
`author_reputation`	38,975,615,169,260
`root_title`	"[DE]Penetration Testing Theorie #4"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	77,964,658
`net_rshares`	0

@steemitboard · Oct 9 '19

<center>[![](https://steemitimages.com/175x175/http://steemitboard.com/@security101/level.png?201910082348)](https://steemitboard.com/@security101)
<center>@security101, sorry to see you have less Steem Power.
Your level lowered and you are now a **Red Fish**!</center>

**Do not miss the last post from @steemitboard:**
<table><tr><td><a href="https://steemit.com/steemfest/@steemitboard/the-new-steemfest-badge-is-ready"><img src="https://steemitimages.com/64x128/https://cdn.steemitimages.com/DQmRUkELn2Fd13pWFkmWU2wBMMx39EBX5V3cHBEZ2d7f3Ve/image.png"></a></td><td><a href="https://steemit.com/steemfest/@steemitboard/the-new-steemfest-badge-is-ready">The new SteemFest⁴  badge is ready</a></td></tr></table>

###### [Vote for @Steemitboard as a witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1) to get one more award and increased upvotes!

properties (22)

`author`	steemitboard
`permlink`	steemitboard-notify-security101-20191009t004611000z
`category`	deutsch
`json_metadata`	{"image":["https://steemitboard.com/img/notify.png"]}
`created`	2019-10-09 00:46:12
`last_update`	2019-10-09 00:46:12
`depth`	1
`children`	0
`last_payout`	2019-10-16 00:46:12
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	890
`author_reputation`	38,975,615,169,260
`root_title`	"[DE]Penetration Testing Theorie #4"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	91,365,479
`net_rshares`	0

@steemitboard · Jan 6 '20

Congratulations @security101! You received a personal award!

<table><tr><td>https://steemitimages.com/70x70/http://steemitboard.com/@security101/birthday2.png</td><td>Happy Birthday! - You are on the Steem blockchain for 2 years!</td></tr></table>

<sub>_You can view [your badges on your Steem Board](https://steemitboard.com/@security101) and compare to others on the [Steem Ranking](https://steemitboard.com/ranking/index.php?name=security101)_</sub>


###### [Vote for @Steemitboard as a witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1) to get one more award and increased upvotes!

properties (22)