Today we're more dependent on IT than ever before. We're more and more technology-driven and, because of this, more and more sensitive data is being held.
Advancements in IoT and the Cloud mean this trend is only set to continue.
It's more crucial than ever that businesses protect their IT assets and their data.
The aim of a penetration test is not only to provide an organisation with a view of their security position but also to assess the would-be impact of a compromise.
How can a Pen Test help my business? A Pen Test:
- Aims to provide an organisation with a detailed view of their security position, by simulating attacks that could be conducted by real-world cyber criminals
- Highlights the weaknesses that could lead to security breaches
- Demonstrates real-world actual risk
- Demonstrates the potential consequences of these risks not being mitigated (as opposed to theoretical risk), thus allowing an organisation to properly align its IT security strategy
Application Penetration Testing
- Focuses on web apps and usually refers to the exploitation of websites and the applications supporting them, typically to gain access to sensitive information or to use them as a point from which to stage further attacks.
Infrastructure/Network Penetration Testing
Applies to the exploitation of security flaws in the organisation's network and the entities on it:
- IoT devices etc.
Attackers would be looking to exploit:
- Poor/insecure password policies
- General lapses in sound security practice
- Unpatched systems
Physical and Social Engineering Testing
- Non-technical approaches
- Can be used together to expose weaknesses in an organisation's physical security
- Looks to expose the human element of a business to gain access to restricted areas or sensitive information
- Although commonly overlooked in IT security, compromises via these methods can be the most destructive of all. This type of testing can provide a rich learning opportunity for the organisation.
Black/White Box Testing
- A white box test will usually have a very well-defined scope, and the testing team will usually already have an idea of the inner workings of the organisation and all the entities in the scope of the test
- Can be used by companies to check for vulnerabilities in a specific target, such as a web app or a network
- A black box test is a “by any means necessary” attack using any and all of the types of attack listed above
- A truer representation of a simulated attack
- The tester will go through the full lifecycle with very little prior knowledge of the target
- Testers conduct in-depth research using publicly available information to form a picture of the organisation and build their attack vectors
- Gives the organisation a view of what it would be like to be targeted by a malicious entity
- Provides a rich learning opportunity
Vulnerability/Security Assessment versus Pen Testing
Much comparison is made between a Vulnerability/Security Assessment and a Pen Test.
A Pen Test is a Vulnerability Assessment of sorts; however, a Vulnerability Assessment is by no means a Pen Test.
The terms are often seen as interchangeable; however, while a Vulnerability Assessment provides an idea of where an organisation might be vulnerable, a Penetration Test goes several steps further and actually exploits these vulnerabilities to assess the potential impact.
Penetration Tests can also include additional attack vectors such as physical security breaches and social engineering techniques, e.g. phishing campaigns.
Life Cycle of a Penetration Test
- Penetration testers will conduct the full pre-engagement exercise with the customer
- Helps clarify the final goal for the tests
- Accurately scope the test in terms of time required
- Define any rules of engagement (e.g. systems that would be excluded from the testing)
- Non-disclosure agreements
Testing – Phases 1-5
Phase 1 - Reconnaissance
- The gathering of preliminary data or intelligence on the target in order for a suitable attack vector to be chosen
- Can be carried out:
- actively (in direct communication with the target) or
- passively (making use of publicly available information, e.g. online)
Phase 2 - Scanning
Requires the application of technical tools to gather further intelligence on the target, e.g. the use of a vulnerability scanner on a network.
Phase 3 – Gaining Access
A chosen attack vector is put into play, i.e. an exploit is run against a detected vulnerability on a target system.
Once access has been gained, the tester will look for further ways to increase their level of privilege and/or pivot to different targets.
Phase 4 – Maintaining Access
Once a foothold has been gained the Penetration Tester may take steps to ensure that their access to the network or system remains reliable and repeatable in order to gain access to any reportable evidence.
Phase 5 - Housekeeping
Just as a real-world hacker would wish to cover their tracks to avoid any retrospective detection of their actions, the Penetration Tester will take measures to ensure that any and all assets are returned to the state in which they were found, i.e. removing any tools that were used on a system and resetting any configuration changes.
Once a test has concluded and all evidence has been recorded and collated, a comprehensive report will be submitted.
This report will contain an Executive Summary of the issues that were encountered and also the positive aspects that were noted.
In the report will be a more detailed attack narrative:
- Describing Vectors, Tools and Steps used
- Details of how any vulnerabilities were exploited, and where this led
- Comprehensive listing of other critical vulnerabilities detected
- Recommendations for mitigation
Penetration Tests demonstrate real-world risks and the potential consequences of these risks not being mitigated.
This allows an organisation to properly align its IT security strategy and it can help IT decision-makers allocate budget appropriately by showing where priorities in terms of IT security should lie.
Conducting a Penetration Test shows an organisation's commitment to cyber security by being willing to look deeply into where improvements can be made.
For information about Penetration Testing or to speak to a Chess Specialist about our services call 01284 788 900, or download our Buyer's Guide to Penetration Testing Services.