Penetration Testing is an authorised simulation of an attack on a system, network or application, in which certified ethical hackers are engaged to identify vulnerabilities that could be exploited.
What is Penetration Testing?
Penetration Testing is the execution of security-specific tests against an organisation's resources, using both manual and automated techniques. These resources can be internal or external to the organisation, such as mobile applications, web applications, APIs or Active Directory.
The objective of the penetration test is to identify misconfigurations and security vulnerabilities that an attacker could exploit to gain unauthorised access to the organisation's resources. The vulnerabilities are then ranked according to their perceived risk, likelihood and impact.
In black box penetration testing, the tester has no or limited prior knowledge of the application, systems, network or policies, and no pre-arranged access to the environment. This identifies vulnerabilities that are exploitable from outside the network and simulates a real-world attack by an external attacker with no inside information. The downside is that the tester's time may not be fully used, since much of it goes into discovery, and vulnerabilities in internal systems may be missed.
In white box penetration testing, the tester is given initial access to, and knowledge of, the environment, for example through privileged account access, source code or architecture documentation. With full knowledge of the target, the tester can identify potential points of weakness directly, and the result is a comprehensive assessment of both internal and external vulnerabilities. The caveat is that the tester holds information a real attacker would not, and may therefore overlook the vulnerabilities that an attacker with limited information would actually find and exploit.
Grey box penetration testing is a hybrid of the two, in which the tester has partial knowledge of the target (for example, a low-privileged user account). It provides a good balance between effort and comprehensiveness.
Here Is A General Outline Of A Penetration Test
1. Planning And Reconnaissance
An initial meeting to understand your penetration testing objectives and goals and to agree the right level of testing (white, grey or black box) for your organisation. This determines the scope of the test and the logistical requirements, such as IP whitelisting, user accounts and architecture design documents, and addresses any limitations such as the time frame and the Rules of Engagement.
2. Threat Modelling
Upon completion of the Rules of Engagement (ROE) document, Privasec will perform a technical validation of the scope and of the environment that makes up the target area for the review.
This gathers information about the possible attack vectors for threat modelling: which assets and processes could be targeted by an attack, and what the potential impact on the company would be.
3. Exploitation and Testing
Privasec will conduct manual exploitation of the attack vectors identified earlier and of any further vectors found over the course of assessing the target area in scope. This determines the exploitability of each vector and the extent of the damage an attacker could cause by exploiting it.
The exercise will be conducted in accordance with Privasec's Penetration Testing methodology, which references multiple industry-recognised frameworks (e.g. the OWASP Top 10 and NIST guidance). The extent of exploitation will be governed by the ROE agreed earlier.
An example of a vulnerability class from the OWASP Top 10 is broken authentication (listed in the 2021 edition as A07 Identification and Authentication Failures). A successful exploit, such as guessing or brute-forcing credentials against a login with no lockout, could allow an attacker to obtain admin-level credentials and make changes to the system, compromising the Confidentiality, Integrity and Availability (CIA) of that system.
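As an added illustration of the broken authentication example above (this is example code written for this page, not part of Privasec's methodology or tooling), the following Python script contrasts a login that a tester would flag with a hardened version of the same flow. The weak service stores the admin password in plaintext, compares it with a plain equality check and accepts unlimited attempts; the hardened service stores a salted PBKDF2 hash, compares in constant time and locks the account after five consecutive failures. A small credential-guessing loop plays the attacker. All user names, passwords and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example: a weak service that stores an
# admin password in plaintext and accepts unlimited login attempts, and a
# constructed attacker wordlist with the real password near the end.
WEAK_USERS = {"admin": "Summer2023"}
WORDLIST = ["password", "Welcome1", "admin123", "P@ssw0rd",
            "letmein", "Qwerty123", "Summer2023", "Winter2023"]


def weak_login(username, password):
    """Broken authentication: plaintext storage, plain '==' comparison and
    no failure counter, so every guess in a wordlist gets a fair try."""
    stored = WEAK_USERS.get(username)
    return stored is not None and stored == password


class HardenedAuth:
    """Same login flow with the usual controls: salted PBKDF2 hashes,
    constant-time comparison and a per-account failure lockout."""

    MAX_FAILURES = 5          # lock the account after this many bad guesses
    PBKDF2_ROUNDS = 100_000   # work factor; tune to the hardware

    def __init__(self):
        self._users = {}      # username -> (salt, derived key)
        self._failures = {}   # username -> consecutive failed attempts

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   self.PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def is_locked(self, username):
        return self._failures.get(username, 0) >= self.MAX_FAILURES

    def login(self, username, password):
        if self.is_locked(username):
            return False              # even the right password fails now
        # Unknown users get a dummy derivation so that response time does
        # not reveal which usernames exist.
        salt, expected = self._users.get(username, (b"\x00" * 16, None))
        candidate = self._derive(password, salt)
        if expected is not None and hmac.compare_digest(candidate, expected):
            self._failures[username] = 0
            return True
        self._failures[username] = self._failures.get(username, 0) + 1
        return False


def brute_force(login_fn, username, wordlist):
    """Simulate a credential-guessing attacker. Returns the password that
    worked (or None) and the number of attempts made."""
    for attempts, guess in enumerate(wordlist, start=1):
        if login_fn(username, guess):
            return guess, attempts
    return None, len(wordlist)


def demo():
    """Run the attacker against both services and return both outcomes."""
    weak_result = brute_force(weak_login, "admin", WORDLIST)

    hardened = HardenedAuth()
    hardened.register("admin", "Summer2023")
    hardened_result = brute_force(hardened.login, "admin", WORDLIST)
    return weak_result, hardened_result, hardened.is_locked("admin")


if __name__ == "__main__":
    weak, hard, locked = demo()
    print("weak service:     ", weak)      # ('Summer2023', 7)
    print("hardened service: ", hard)      # (None, 8)
    print("admin locked out: ", locked)    # True
```

Against the weak service the seventh guess succeeds and the attacker holds admin credentials. Against the hardened service the account is locked after the fifth failure, so the correct password on the seventh attempt is rejected too. Note the trade-off a tester should also report: a hard lockout can itself be abused to lock legitimate users out, so production systems typically pair it with rate limiting or progressive delays rather than relying on lockout alone.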
4. Reporting
A practical report that details and prioritises the identified vulnerabilities, together with their impact and remediation guidance, is drafted and discussed with the client. This ensures that any false positives are removed and that the risk ratings are appropriate, taking into account the business need and existing controls.
5. Verification Re-Tests To Ensure Your Fixes Have been Implemented Correctly
One round of retesting will be performed once the findings raised in the draft report have been remediated or otherwise risk-managed. The final report is then issued with the status of each retested finding updated. If a retest is not required, the report is released as "final" as it stands.