Introduction to Penetration Testing
Anyone that has worked in network security domain or information security domain can probably give you an answer. A penetration test is a permissive incursion on a computer system, web application or any network device. It is a simulated assault on your network, software, and computer. The attack is performed to bypass the security of the system and to find access points to both data and any privately stored information. Penetration tests (Pen test) can evaluate both the strengths as well as weaknesses of either a single computer system or an entire organizational network of devices.
Penetration Testing Methodologies
There are three methodologies used in penetration testing: black box, white box, and grey box testing.
Black box penetration testing: It is the execution of a penetration test without any prior knowledge or collected information about the organizational systems in question. Black box testing simulates a series of actions often Undertaken in real-life cyber attacks on an organization.
White box penetration testing: It is the exact opposite of a black box test. With white box, information is gathered from public or open sources before a penetration test. White box testing is often performed internally prior to and immediately after a developer releases new code or updates to a system. Grey box testing is a combination of both white and grey testing methods.
Grey box penetration testing: It gives the testing team the functionality to test from each side of an application, to be precise, the presentation side and the code itself. Grey box pen testing is widely accepted as the most effective method and it is most often used by the security experts. If you hire a third-party penetration service provider to audit your network, they are likely to use grey box testing.
What can be analyzed by penetration testing?
Simply put, everything that is connected to your network. If you have a device that communicates with other devices by using either the internet or an intranet, then it can be tested. Penetration testing is certainly not limited to hardware alone. The software remains a key focus. Outdated and careless coding has led to the demise of more than one IT professional. Web applications have moved to the forefront of technology in the past few years. And with the rapid development of new apps for both phone and web leading to an increase in attack surface, they have become a prime target for the actors with malicious intent, or as we generally say, the hackers.
OWASP and Penetration Testing
In the context of penetration testing, the steps recommended by OWASP are widely accepted. We, at Breachlock, follow the same standard for testing applications. The steps prescribed by OWASP are discussed below.
Step 1 Planning and Investigation: In this step, we determine the scope of the project. This stage not only determines the systems to be scanned but also the testing methods to be utilized for finding exploits.
Step 2 Scanning: In this stage, we use both static and dynamic analysis to find weaknesses. Static analysis tests the code and attempts to predict how it will behave once it is compiled, executed, and implemented. The dynamic analysis examines the system in real time. Dynamic analysis is the most practical way to a penetration test considering that the results are observed as opposed to assumed. Both forms of analysis are used in conjunction to thoroughly gain insights into the threat environment of an organization.
Step 3 Implementing exploit or gaining unintended access: In this stage, we attempt to use specific attacks such as SQL injection, cross-site scripting, and broken authentication to gain access and acquire data.
Step 4 Setting a permanent state of access: We attempt to establish a permanent backdoor so that access to the system is maintained but it remains hidden from the wary administrator’s eye.
Step 5 Reporting and data analysis: Report prepared under this stage details the specific exploits attempted and those that were successful. We list out the data that was accessed as well as other potential risks to the data. We also provide a list of remediation steps that the customer can implement.
Step 6 Retest: Once the organization has had time to read the report from the previous step and integrate patches, updates, and fixes, we then run a retest to ensure that the exploits are no longer useful and all the suggestions have been implemented.
Contents of our Penetration Testing Report
Following bullet points lay down a basic structure that we follow while drafting our penetration testing report.
- Executive Summary
- Confidentiality and Disclosure
- Definition & Table of Contents
- Purpose and Scope of Work
- Project Objectives
- Summary of Findings
- Penetration Testing Methodology
- Findings in detail
- Risk Evaluation
- Recommendations for Mitigation
- References & Appendices
The idea of conducting a penetration test matches with an old age saying – prevention is better than cure. Number of devices within an organizational premise is increasing exponentially and with the attack techniques of an attacker getting sophisticated than ever, it becomes vital for an organization to minimize the chances of a targeted attack being successful. Since a penetration tester assumes the role of an attacker, conducting penetration tests has now become a necessity.
Penetration Testing for ISO 27001 Control A.12.6.110 Sep, 2019