about the overall health of your organization.
Some organizations feel they need to perform most pent because they have to comply with regulations, satisfy auditors, or because the board of directors asks for it, even when they do not see the need for most pent. To secure buy-in within the organization, planning ahead to make sure the pentest produces a useful result is necessary. To do so, the organization should:
+ Dedicate appropriate time and budget for the test
+ Clarify the proper scope of work, what are target IT systems or assets to be tested, what key findings are expected from the pentest outcome
+ Understand when to do it - run regularly/annually to maintain the security posture, or to check new systems before they go into production
+ Finally, dedicate engineering resources to fix or mitigate vulnerabilities found during the pentest
Adequate preparation not only saves time and money but also guarantee the test will give the useful and actionable results.
Types of Penetration Testing
The type of penetration testing to be conducted depends on the scope and requirements in the pre-engagement step. In general, there are three types of pentesting
: Black Box Pentest, White Box Pentest and
Gray Box Pentest:
Black Box Pentest
box penetration test, the tester has no knowledge
of the target that he is going to test. This type is considered external
test since pentesters
have no information about the system, they will use various information gathering techniques and skills such as social-engineering and analysis to perform the attack. This is often used to simulate what an outside attacker could accomplish when targeting a system. Black box pentest
often takes a lot of time and requires more resources compared with the other two pentests
White Box Pentest
box penetration test, the tester has full knowledge
of the internal structure of the organization’s system, their network infrastructure, source codes, and their applications. This pentest
is opposite from black box penetration test. This type of test is also called a glass box test due to the full visibility that the testers will have. The pentesters
will not need to perform information gathering since most of this information is provided, which will allow them to perform a comprehensive attack and easily discover vulnerabilities, configuration flaws and
loopholes based on the source codes, and diagrams that have been provided. This is often used to simulate an attack from inside the organization - from a disgruntled employee or an outside attacker who has already gained access to the foothold in the target.
Grey Box Pentest
In grey box penetration test, tester has partial knowledge of the system that he is going to attack, which is somewhat between a black box and white box penetration test. Pentesters are given credentials, application flows, network architecture and diagrams to conduct the penetration test. However, they won’t have full knowledge of the scope such as the inner workings of the system (e.g. applications used, versions). The pentesters also performs information gathering and scanning before performing the attack. This is often used to simulate an attack that is done by an outside attacker who had gained knowledge of an organization’s network infrastructure document and access to their employee accounts.
Penetration Testing vs. Vulnerability Assessment
Many people are usually confused about the differences between Penetration Testing and Vulnerability Assessment.
In our previous blog post, we have noted that Vulnerability Assessment is a systematic approach of identifying, quantifying, and ranking vulnerabilities with the combination of automated and manual scan. It is a non-intrusive approach aiming to produce a prioritized list of security vulnerabilities of one organization.
Penetration testing, on the other hand, is an attempt to exploit identified security weaknesses to gain access into the IT infrastructure and applications of the organization. It is an intrusive approach to exploit the security weaknesses in the organization.
The difference between vulnerability assessment and penetration testing is that the former helps us discover and list security vulnerabilities in organization's system but does not exploit them. The latter goes as far as possible within the scope of contract to demonstrate how dangerous security vulnerabilities are in a real cyber attack. Although these two approaches serve different purposes, they are often used together to provide a comprehensive picture of the security loopholes that exist in the IT system and infrastructure, and how they will be affected.
Comparison Table between Penetration Testing and Vulnerability Assessment
|Vulnerability Assessment||Penetration Testing|
|Types of Reports||Prioritised list of vulnerabilities categorized by criticality for remediation||Specific information of what data was compromised and vulnerabilities exploited|
|Purpose||Identify security vulnerabilities in a system that may be exploited||Determine whether a system can withstand an intrusion attempt|
Stages of Penetration Testing
Our services adhere to the Penetration Testing Execution Standards and we have divided our penetration testing procedure into 7 steps as shown below:
Figure 2. The Penetration Testing Execution Standards (source: infosec)
The first step is Pre-engagement, which is the step taken before the pentest begin. In this step, we will engage with our clients to ensure that everyone is aligned towards the same goals for the pentest. This stage is when we ask and gather requirements from our client, such as the scope of pentesting (what actions are allowed and/or not allowed, what types of penetration testing our client wants), contact information (who to inform when we encounter something serious), etc. Finally, we will include a nondisclosure agreement clause in our contract to keep the penetration test and any findings confidential.
The second step is Information Gathering
, to look into available sources of information, also known as gathering open source intelligence (OSINT), we will start searching around on the Internet to have a gist on what information is published out there on the Internet, and using tools such as port scanners to identify internal systems.
The third step is Threat Modeling, which will make use of the information we have gathered on the two previous phases to devise plans of attack. This will allow us to simulate a real cyber attack. For example, if the client is running a healthcare service, attacking to the web application where personal data is received for registration could affect the client greatly, such as theft of patients’ information, which could be modified and used for malicious purposes (identity theft).
The fourth step is Vulnerability Analysis, when we actively interact with the client system so that we can identify as many vulnerabilities as possible. This stage includes using scanning tools to list vulnerabilities that are present in our client’s system. We then perform manual analysis (where we pass various inputs to the application and record responses) to verify the vulnerabilities (such as injection, remote code execution) identified. Now we are ready to exploit.
The fifth step is Exploitation, when we attempt to access the client’s systems by using various tools against the vulnerabilities we have discovered.
The sixth step is Post-Exploitation, when the pentests truly begin to answer the questions “What next?”, “Does it mean much for the client if we have broken into an unpatched legacy system that isn’t a main part of a domain?”, “Does it mean much if we cannot prove how damaging it can be if attackers could gain access to our client’s system?”, “So what next after we have exploited the system successfully?” This is the step where we look around our client’s systems for interesting files, attempt to access where sensitive files are stored by escalating our privileges etc. We might also dump password hashes to attempt to access other machines/systems or launch an DOS attack to other parts of the system. Based on the scope defined in the pre-engagement step, we may restrict our action against sensitive and fragile system (SCADA for example), which can be done by placing a dummy flag in the critical zones (in database server, OPC server), so that any simulated attack will avoid the parts that have been designated as out-of-scope.
The final step is Reporting,
when we will convey our findings to our client. A comprehensive report will include what our client is doing correctly and what need
to be done to improve the security posture, depict the pathways in which we successfully exploited the system, what information we have found, and most importantly, solutions to resolve the identified vulnerabilities.
Figure 3. An example of our conducted vulnerability analysis, it shows the ports and their vulnerabilities of our client.
In conclusion, Penetration Testing should not be overlooked, as it could help your organization prioritize risks that need to be remediated first, and save time dealing with security problems after they have occured. It also provides an in-depth analysis of your security posture, and provide ways to secure it before the attackers have a chance to exploit the vulnerabilities. Combining with Security Audit and Vulnerability Assessment, they will keep your organization’s assets healthy and secured.