SECURITY TESTING KNOW HOW 2: PENETRATION TESTING
SECURITY TESTING KNOW HOW 2: PENETRATION TESTING
In the previous installment of this series, D4n6 talked about the many forms of Vulnerability Scanning and how it all leads up to Penetration Testing. In our complex environment of IT systems, we cannot rely simply on the fact that such systems are secure based on our scanners, audit results and vulnerability analysis. That is where we need penetration testing; a rigorous and proactive approach in actively finding and demonstrating vulnerabilities in IT resources.
A penetration test, commonly referred to as pen test or ethical hacking, is a simulated cyberattack on a computer system authorised by the organisation itself, performed to evaluate the security of the system by actively exploiting vulnerabilities. The organisation would typically appoint a third party they trust to act as a hacker into their systems in order to identify any weaknesses, with the aim of improving preparedness in the case of a real-life attack. Most commonly pen testing is used for Web Application testing such as a website, content management systems, e-commerce platforms or against an internal company network to simulate an external adversary attack on said network.
There are 5 common types of testing methodologies for penetration testing:
External Testing – simply targets the assets and resources or the company that is visible on the world wide web like web applications, company website or e-mail and DNS (domain name servers). The aim of this test is to try to gain access and extract data from an outside adversary perspective.
Internal Testing – simulates a so-called Insider Threat scenario where either a malicious insider (employee) or an attacker with the stolen or lost credentials of an employee or sub-contractor tries to extract data from the same applications. This type of test is useful to uncover any company control environment deficiencies.
Blind Testing – or commonly known as Black Box penetration testing is when the tester is only given the name of the organization or target IP of an asset and must gather or map all required information, vulnerabilities and weaknesses by himself before executing an attack. This is useful as it is simulating a real-life scenario where an attacker might have no knowledge beforehand on the company systems. The results will show company exposure onto the world wide web, vulnerabilities and inadequate security configurations. The company’s incident management and cyber teams are informed that they are under a blind test.
Double Bling Testing – is very similar to Blind Testing with the only difference being that the incident management and security teams are not informed prior to the attacks but typically only one or two people in senior management would have authorised the exercise. This way the results will also show preparedness and reaction capabilities of the cyber teams involved as well as the detection rate of automated systems.
Targeted Testing – is a scenario where the penetration tester and the security team both work together in a way to pro-actively build up an attack-response scenario. This is a useful training exercise and provides great feedback and learning experience, but it does not simulate real-life attacks.
Apart from the black box, we can also distinguish the level of information the penetration tester receives and can talk about white box or grey box penetration tests. In a white box testing scenario, full disclosure is given to the tester on the network topography of the organisation whilst in the grey box pen test only partial knowledge of the system or enterprise is provided.
With a mix of testing methodologies and knowledge levels, different scenarios can be tested, and a company can identify control deficiencies or vulnerabilities.
The outcomes of a penetration test can be extremely valuable to fine-tune security configurations, vulnerability scanners and to shift focus on patch management to exploitable systems. As seen above in Double-Blind Testing it also tests your IT, cybersecurity and incident management teams to a great extent and provides them with much-needed experience and training to fend of future attacks.
A continuous penetration testing with a mix of methodologies will also greatly enhance any organisation’s Business Continuity Plans, Disaster Recovery efforts and Incident Response preparedness as well as tweak downtime times in the case of cyber-attacks. It has become common practice for many organisations today to address major vulnerabilities in their systems by conducting regular pen tests and acting upon the feedback provided at the end of such tests. Working with many clients over the years we have seen the effectiveness of such test for identifying weaknesses in networks, which could not have been otherwise identified by vulnerability assessment or security audits alone.
We cannot emphasize enough that cybersecurity is a complex and multi-faceted discipline, and penetration testing is surely one of the core activities which should be factored into annual plans and budgets by each organisation, scaled to their needs and size.
In our next editions in this series, we will talk more about strategies like Threat Hunting and compare what we have talked about so far, to assist you further in building your security testing portfolio.
Not sure what pen testing you require and how to get started? D4n6 conducts penetration testing exercises as well as training for security personnel. We are teamed up with professional partners around Europe to carry out penetration testing on any aspect of an organization. Feel free to reach out to any member of our team HERE so we can guide you on this process.