What is Penetration Testing?
Penetration testing is an advanced way to test the security of a website or network by performing simulated attacks, known as “pentests”. Penetration testing is an extension of vulnerability scanning and of an organization’s broader vulnerability management program.
The penetration testing process begins with consultation between the target organization and the penetration tester to define the scope of the engagement: a list of targets that are allowed to be attacked, and the rules of engagement (ROE) that constrain how they may be attacked. In the second stage, information is gathered using both passive and active techniques. This information is then used to build a list of target endpoints and the attack surface of each exposed service. Finally, the collected information is analyzed and correlated to identify vulnerabilities and attack vectors.
In a vulnerability scan, the identified vulnerabilities are immediately written up in a report and provided to the target organization so it can remediate them. This makes sense because the identification of a commonly acknowledged vulnerability is usually enough to warrant fixing the issue; actually exploiting it is normally unnecessary and a waste of valuable time and resources. The exception is when management wants evidence that the security posture is poor, or wants to estimate the damage that the weak configuration could have caused. However, even when all the identified vulnerabilities have been remediated, some residual risk remains: a scanner only reports what its signatures recognize.
That is where penetration testing steps in. By continuing to test the security controls with deeper and more complex attempts to exploit the target assets, the security posture is exercised far more thoroughly than a scan allows, and stronger assurance is obtained.
Pentests can be categorized as white-box tests, in which pentesters are provided information about the environment being tested, or as black-box tests in which no information is provided by the target organization except for the limitations of the test, known as the “rules of engagement” (ROE).
Penetration tests can be classified as external or internal from two points of view: the attack position and the type of threat actor. From the attack position perspective, external tests are launched from outside the organization’s network via the internet and directed at assets with public-facing IP addresses, while internal tests are launched from inside the private network and directed at endpoints on the local area network (LAN). An internal test can also mean a test performed from a local account on an endpoint itself.
From a threat actor perspective, internal refers to members of the organization such as managers, staff and IT department employees, and external refers to outsiders such as nation-state attackers, hacktivists, customers or users. Penetration testers can also be given credentials for privileged accounts to simulate the later stages of an attack and to test the ability of the defensive security team to respond; these are known as “credentialed tests”. Selecting a specific type of penetration test gives granular control over which aspect of an organization, network or system is being verified.
Why Should Organizations Get A Penetration Testing Service?
Penetration testing reveals vulnerabilities that would not be discovered by other means such as a vulnerability scan, and the manual, human analysis filters out false positives. It also demonstrates what access can be gained and what data can be obtained by exploiting the discovered vulnerabilities in the way a real-world attacker would, which shows the real risk posed by each vulnerability used to gain access.
Penetration testing also tests an organization’s cyber-defences. It can be used to test the effectiveness of web application firewalls (WAF), intrusion detection systems (IDS) and intrusion prevention systems (IPS). While a penetration test is underway these systems should automatically generate alerts and trigger the organization’s internal procedures, resulting in a response from the internal security operations team. If no alert is raised for activity as noisy as a port scan or directory brute-force, that absence is itself a finding.
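As an added example (not part of the original page or of RSC’s tooling), the following Python script shows the kind of check a defender can run against the web server access log during a test to confirm that noisy enumeration is actually being noticed. The log lines are constructed for the example, and the window length and thresholds are assumptions for illustration, not any product’s defaults:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web server access log in Common Log Format; the addresses are
# documentation ranges (RFC 5737) and the traffic is invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /admin HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "GET /server-status HTTP/1.1" 403 199
198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "GET / HTTP/1.1" 200 5123
198.51.100.4 - - [10/Oct/2023:13:55:15 +0000] "GET /about HTTP/1.1" 200 2210
198.51.100.4 - - [10/Oct/2023:13:56:40 +0000] "GET /contact HTTP/1.1" 200 1809
198.51.100.4 - - [10/Oct/2023:13:57:02 +0000] "GET /favicon.ico HTTP/1.1" 404 153
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_log(text):
    """Parse CLF lines into dicts; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def detect_scanners(events, window=timedelta(seconds=60), min_paths=6, min_error_ratio=0.5):
    """Flag a source that requests many distinct paths with mostly 4xx responses inside one window.

    The thresholds are assumptions for this example; tune them against your own baseline traffic.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span is at most `window` long.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            paths = {e["path"] for e in win}
            errors = sum(1 for e in win if 400 <= e["status"] < 500)
            if len(paths) >= min_paths and errors / len(win) >= min_error_ratio:
                alerts[ip] = {
                    "first_seen": win[0]["ts"].isoformat(),
                    "requests": len(win),
                    "distinct_paths": len(paths),
                    "client_errors": errors,
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT probable scan from {ip}: {info}")
```

If part of the test runs against the live WAF or IDS, compare this output with the alerts those appliances raised for the same source address and period; a scan that is visible in the raw logs but absent from the alert queue is exactly the gap the test is meant to expose.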
Who Needs Penetration Testing and Why Do They Need It?
Organizations with an online presence, a web or mobile application, or connected digital infrastructure should perform penetration testing. A penetration test should be performed on any connected, and even non-connected, technology after implementation or development and before it goes live. This may include a new web or mobile application, network infrastructure, or a hardened kiosk client. It is also recommended to perform a penetration test periodically and after changes are made, because new vulnerabilities are discovered over time and need to be identified and validated, including how they can be exploited or chained with other vulnerabilities to gain access to a target.
Organizations that must meet compliance standards also need penetration testing; for example, PCI DSS v3.0 requirement 11.3 requires penetration testing at least annually and after any significant change.
What Are The Types of Penetration Tests?
The following is a summary of each type of penetration test; each follows a different methodology and uses different frameworks.
Web Application Penetration Test – These tests focus on the various vulnerabilities found in web application components, including frameworks, server software, APIs, forms and anywhere else user input is accepted.
Mobile Application Penetration Test – A mobile penetration test focuses on how a mobile application accepts user input, how securely data is stored on the device, how securely data is transmitted over the internet, and any web service vulnerabilities present in the back-end API.
External Infrastructure Test – Checks for open ports across all externally facing address ranges. Discovered services are fingerprinted and exploitation is attempted, as are bypasses of authentication mechanisms and brute-force attacks against VPN gateways.
Internal Infrastructure Penetration Test – An attempt to obtain full system administrator privileges from within the internal network. Checks are made for vulnerable services and software, and exploits are used to obtain access. Network traffic is normally sniffed while ARP poisoning is performed in order to capture credentials and other sensitive traffic in transit; because ARP poisoning redirects live traffic and can disrupt it, the rules of engagement should state explicitly whether it is permitted.
Wireless Penetration Testing – At a high level, this involves attempts to crack WEP keys or WPA/WPA2 pre-shared keys in order to obtain access. Other attacks such as man-in-the-middle (MitM) are attempted, as is tricking wireless clients into connecting to a rogue access point that impersonates the real one.
End Point / Kiosk PC Penetration Test – These penetration tests attempt to break out of a kiosk PC or other locked-down device and gain elevated privileges or access to sensitive data that should otherwise not be accessible.
How Does RSC Approach A Penetration Test?
Understand Business Requirements – This is the most important part of the engagement. You must have a clear understanding of why the customer requires the penetration test. Is it driven by good practice? Part of a new launch? Compliance driven? The answers to these questions dictate how the rest of the engagement is approached.
Define Scope – Define what is in scope and what is specifically out of scope, by address range, hostname and application. The rules of engagement also need to state clearly what is allowed and what is not, for example whether potentially disruptive techniques such as traffic interception may be used.
Review Past Threats and Vulnerabilities – It is generally good practice to review what was discovered in previous penetration tests, and it is also mandatory under PCI requirement 11.3. This review lets you focus specifically on the issues identified previously and confirm that they have been remediated and have not reappeared.
Get Authorization – The actions performed during a penetration test would normally be considered illegal without prior authorization, and can land you in legal hot water unless your “Get Out of Jail Free” paperwork has been signed off by someone with the authority to grant it. A good template to use as an example is here: http://www.counterhack.net/permission_memo.html.
Agree on Timing – There are times when the risk of interference or downtime carries a higher consequence for an organization, such as periods of high utilization or while project implementations and upgrades are taking place. Because of this, agree on an acceptable time window in which to perform the penetration test, and stay within it.
Whitelist Source IPs – Notify the target organization of the source IPs from which you will be testing. There are several reasons for this, but chiefly, in order to perform a penetration test without interference from a WAF or IPS, you should request that your source IPs be whitelisted on those appliances. Bear in mind that a whitelisted test does not exercise those controls; if testing the organization’s detection and response is one of the goals, agree on a phase of the test that runs without the whitelist.
Confirm Internal Contacts Are Available – Agree on a communication plan and on which internal contacts within the organization will be available during the penetration test. This is not only so they can support you during testing, but also so you can notify the target organization immediately if you discover a vulnerability you deem to be “Critical”.
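The scope, timing and source-IP steps above come down to a small set of rules that can be checked mechanically before any packet is sent. The following Python helper is an added example, not part of the RSC framework; the ranges, window and tester addresses are a constructed, hypothetical rules-of-engagement record using documentation address space:

```python
import ipaddress
from datetime import datetime

# Constructed rules of engagement for a hypothetical engagement; the ranges are
# documentation addresses (RFC 5737), not a real client's.
ROE = {
    # Ranges the client has authorised us to attack.
    "in_scope": ["203.0.113.0/24", "198.51.100.16/28"],
    # Hosts inside those ranges that the client has explicitly excluded
    # (exclusions always win over inclusions).
    "out_of_scope": ["203.0.113.250/32", "203.0.113.251/32"],
    # Agreed testing window, as ISO 8601 timestamps with an explicit UTC offset.
    "window": ("2023-10-10T22:00:00+00:00", "2023-10-11T06:00:00+00:00"),
    # Tester source addresses the client has whitelisted on its WAF/IPS.
    "tester_sources": ["192.0.2.10", "192.0.2.11"],
}


def parse_time(iso):
    """Parse an ISO 8601 timestamp; refuse naive times so window checks cannot be off by a timezone."""
    t = datetime.fromisoformat(iso)
    if t.tzinfo is None:
        raise ValueError(f"timestamp {iso!r} has no UTC offset")
    return t


def scope_decision(target, roe):
    """Return (allowed, reason) for a single target address under the scope rules."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames must be resolved first and every resolved address checked individually,
        # because a name can resolve to an address outside the authorised ranges.
        return False, "not an IP address; resolve it and check each address"
    if any(addr in ipaddress.ip_network(c, strict=False) for c in roe["out_of_scope"]):
        return False, "explicitly out of scope"
    if not any(addr in ipaddress.ip_network(c, strict=False) for c in roe["in_scope"]):
        return False, "not in any in-scope range"
    return True, "in scope"


def authorise(target, source_ip, now_iso, roe):
    """Apply every rule of engagement; the first failing check is reported."""
    if source_ip not in roe["tester_sources"]:
        return False, f"source {source_ip} is not a whitelisted tester address"
    now = parse_time(now_iso)
    start, end = (parse_time(t) for t in roe["window"])
    if not start <= now <= end:
        return False, f"{now_iso} is outside the agreed testing window"
    return scope_decision(target, roe)


def filter_targets(candidates, source_ip, now_iso, roe):
    """Split a candidate target list into those cleared to test and those rejected, with reasons."""
    allowed, rejected = [], {}
    for target in candidates:
        ok, why = authorise(target, source_ip, now_iso, roe)
        if ok:
            allowed.append(target)
        else:
            rejected[target] = why
    return allowed, rejected


if __name__ == "__main__":
    targets = ["203.0.113.20", "198.51.100.17", "203.0.113.251", "10.0.0.1", "intranet.example"]
    ok, bad = filter_targets(targets, "192.0.2.10", "2023-10-11T01:00:00+00:00", ROE)
    print("cleared:", ok)
    for t, why in bad.items():
        print(f"rejected {t}: {why}")
```

Run every target list through filter_targets before handing it to a scanner. Checking the exclusions first means a client exclusion inside an authorised range is honoured even though the broader range is in scope, and refusing hostnames forces each resolved address to be checked on its own.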
RSC Penetration Testing Framework
Briefly, the penetration testing process begins with consultation to define the scope of the engagement: the list of targets that are allowed to be attacked, and the rules of engagement, such as when to communicate and report findings and results. The start of the process is also the right time to set goals and priorities for the pentest, which may be determined by regulatory guidelines, standards or compliance targets. The scope and goals of the pentest shape the later stages: which information is gathered, which vulnerability scans are run, how far exploitation is pursued, and finally how vulnerability mitigation and retesting are done.
The Ripple Software Consulting Penetration Testing Framework is an outline of the process that every penetration test includes. It is useful for clients first to gain a good understanding of what will be happening behind the scenes, and second to prompt them to ask questions about the penetration testing process and so improve its value. You can download a sample penetration test here.