At its core, real penetration testing means finding as many vulnerabilities and configuration issues as possible in the time allotted, and exploiting those vulnerabilities to determine the actual risk each one poses.
This does not necessarily mean uncovering new vulnerabilities (zero-days); more often it means looking for known, unpatched vulnerabilities. Like a vulnerability assessment, a penetration test is designed to find vulnerabilities and verify that they are not false positives. A penetration test goes further, however, because the tester attempts to exploit the vulnerability.
This can be done in numerous ways, and once a vulnerability is exploited a good tester does not stop. They continue to find and exploit other vulnerabilities, chaining attacks together, to reach their goal. Each organization is different, so the goal varies, but it usually includes access to Personally Identifiable Information (PII), Protected Health Information (PHI), and trade secrets. Sometimes this requires Domain Administrator access; often it does not, or Domain Administrator alone is not enough.
External Penetration Testing simulates an attacker targeting Internet-facing systems that are connected to internal resources such as databases, with the aim of extracting data or installing backdoors for later use; in most cases the attacker would do both (see diagram). This test covers three main ways into a given system: (1) open services on servers; (2) network devices such as routers and firewalls; (3) weaknesses in web applications that allow sensitive information to be retrieved through code injection and other methods. Within each of these we look for human error in the design or implementation, and for misconfiguration by users, that could pose a weakness. Such weaknesses can later be exploited to deface a website, upload files, gain access to a user's mailbox, or obtain administrative rights.
Internal Penetration Testing simulates an attacker who already has a foothold inside the perimeter (see diagram). This test covers three main ways into a given system: (1) open services on servers and workstations; (2) system defaults and missing security updates; (3) databases holding sensitive information that are reachable because of vulnerabilities, missing updates, or misconfiguration. The targets are internal resources such as servers, workstations, storage devices and other devices, with the aim of gaining unauthorized access to those systems.
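As an added illustration (written for this page, not taken from it and not the firm's tooling) of the web-application injection weakness listed under (3): the first login check below concatenates user input into the SQL text, beside the parameterised form a tester would recommend. The table, the users and the credentials are constructed for the demo, and passwords are stored in the clear only to keep it short; a real application stores a password hash.

```python
"""Added example: an injectable login query beside its hardened form.
Illustrative code written for this page; schema and users are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory database with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct horse battery staple", 1), ("alice", "alice-pw", 0)],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable: user input is pasted straight into the SQL text, so a quote
    # in either field changes the query instead of being compared as data.
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone() is not None


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: bound parameters are always treated as values, never as SQL.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    # "admin' --" comments out the password check entirely.
    print("vulnerable, comment bypass:", vulnerable_login(db, "admin' --", "anything"))
    # A tautology in the password field matches the first row regardless.
    print("vulnerable, tautology:    ", vulnerable_login(db, "x", "' OR '1'='1"))
    print("hardened,   comment bypass:", hardened_login(db, "admin' --", "anything"))
    print("hardened,   real creds:    ", hardened_login(db, "alice", "alice-pw"))
```

Both payloads succeed against the concatenated query and fail against the bound one; that difference, demonstrated rather than merely reported by a scanner, is what the exploitation step of a penetration test establishes.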
There are three ways to perform the penetration tests described above: automated, manual and hybrid.
Automated: a set of tools simulates different types of attacks. This approach has three major advantages: (1) it is fast, (2) it costs less, and (3) it picks up the low-hanging fruit. It has one major disadvantage: the tools check for issues they already know about and cannot "see" unexpected system behaviour, the kind that fuzzing surfaces and that a tester can later turn into other attacks such as buffer overflows and other forms of code injection.
Manual: tools are configured, and where necessary written, differently for each engagement, so the testing goes deeper. This method has one major advantage: it finds more of the weaknesses an attacker would find and exploit. It has one major disadvantage: it takes longer and costs more.
Hybrid: this method takes the best of both. The low-hanging fruit is found quickly with automated tools, and the hidden attack vectors are found with manual testing, at a reasonable cost.
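An added example, written for this page rather than taken from it, of the gap between a signature-driven automated check and fuzzing. A small constructed record parser cleanly rejects the one malformed input a scanner knows to send, so the scanner reports nothing; a mutation fuzzer seeded from a valid input finds a neighbouring case the parser never handles. The parser, its defect, the scanner's probe and the fuzzer are all constructed for the demo and are not real tooling.

```python
"""Added example: signature check vs. mutation fuzzing on a constructed parser.
Nothing here is the firm's tooling; the target and its bug are made up."""
import random
import struct

# Constructed valid input: two records, each <2-byte big-endian length><payload>.
SEED = b"\x00\x03abc" + b"\x00\x01x"

# The one malformed input a hypothetical scanner "knows" to send: a length
# field that points past the end of the data.
KNOWN_BAD_PROBE = b"\xff\xffA"


def parse_records(blob: bytes) -> list:
    """Constructed target. It guards against the well-known oversized-length
    case, but still calls struct.unpack on a slice that may be only one byte
    long when the input ends mid-header (the deliberate, unhandled defect)."""
    records = []
    pos = 0
    while pos < len(blob):
        length = struct.unpack(">H", blob[pos:pos + 2])[0]
        if length > len(blob) - pos - 2:
            raise ValueError("record length exceeds input")  # the known case
        records.append(blob[pos + 2:pos + 2 + length])
        pos += 2 + length
    return records


def signature_scan(target) -> str:
    """Automated-style check: send the known probe, classify the outcome."""
    try:
        target(KNOWN_BAD_PROBE)
    except ValueError:
        return "handled"          # clean rejection: scanner reports nothing
    except Exception as exc:      # noqa: BLE001 - any other failure is a finding
        return "finding: " + type(exc).__name__
    return "no error"


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Mutation fuzzer: random flips, deletes, inserts and truncations of the
    seed. Returns {exception name: first input that raised it}, ignoring the
    documented ValueError so only unexpected behaviour counts as a crash."""
    rng = random.Random(rng_seed)  # fixed seed keeps the run reproducible
    crashes = {}
    for _ in range(iterations):
        data = bytearray(seed)
        for _ in range(rng.randint(1, 3)):
            op = rng.choice(("flip", "delete", "insert", "truncate"))
            if op == "flip" and data:
                i = rng.randrange(len(data))
                data[i] ^= 1 << rng.randrange(8)
            elif op == "delete" and data:
                del data[rng.randrange(len(data))]
            elif op == "insert":
                data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
            elif op == "truncate" and data:
                del data[rng.randrange(len(data)):]
        try:
            target(bytes(data))
        except ValueError:
            continue
        except Exception as exc:  # noqa: BLE001 - crash of interest
            crashes.setdefault(type(exc).__name__, bytes(data))
    return crashes


if __name__ == "__main__":
    print("valid seed parses to:", parse_records(SEED))
    print("signature scan says:", signature_scan(parse_records))
    for name, data in fuzz(parse_records, SEED).items():
        print("fuzzer found %s on input %r" % (name, data))
```

The scanner's verdict is "handled" because the author fixed exactly the case the scanner knows about; the fuzzer's truncated inputs hit the adjacent short-header case and raise an unhandled `struct.error`. A manual tester reads that crash as a starting point for further work, which is the "unexpected behaviour" a purely automated pass misses.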
Who needs a penetration test?
Some regulatory frameworks, such as SOX and HIPAA, call for it, but organizations that already perform regular internal security audits and have security training and monitoring in place are likely ready for a penetration test.
PENETRATION TESTING WORKFLOW
- Planning and Reconnaissance
- Gaining Access
- Maintaining Access
- Analysis and Reporting
Penetration testing is usually rolled into one big umbrella with all other security assessments. Many people do not understand the differences between a Penetration Test, a Vulnerability Assessment, and a Red Team Assessment, so they call them all penetration testing. This is a misconception. While they share some components, each one is different and should be used in a different context.
How Does This Compare to a Vulnerability Assessment?
What is a Vulnerability Assessment?
A vulnerability assessment is the process of identifying and quantifying security vulnerabilities in an environment. It is an in-depth evaluation of your information security posture, indicating weaknesses as well as providing the appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.
A Vulnerability Assessment Should Include the Following
- Catalog assets and resources
- Assign quantifiable value and importance to the resources
- Identify the security vulnerabilities or potential threats to each resource
- Mitigate or eliminate the most serious vulnerabilities for the most valuable resources
A penetration test usually follows a vulnerability assessment.