Penetration Testing or Pen Testing is a technical review of your systems, your processes and sometimes your people. Penetration Testing is carried out to uncover vulnerabilities, threats and risks that an attacker could exploit in software applications, networks or web applications.
Penetration Testing can be called many things. We commonly see pentest, pentesting and PENtest. They are all the same thing.
Vulnerability scanners are automated tools that examine an environment and, upon completion, produce a report of the vulnerabilities uncovered. These scanners typically list vulnerabilities by their CVE identifiers, which provide information on known weaknesses, together with a severity score. Scanners can uncover thousands of vulnerabilities, so there may be enough severe findings that further prioritisation is needed. Additionally, these severity scores do not account for the circumstances of each individual IT environment. This is where penetration tests come in.
While vulnerability scans provide a valuable picture of what potential security weaknesses are present, penetration tests can add additional context by seeing if the vulnerabilities could be leveraged to gain access within your environment. Pen tests can also help prioritize remediation plans based on what poses the most risk.
Penetration Testing is important for a number of reasons, but there are six primary reasons that you should adopt a penetration testing program:
1. Identify your risks;
2. Manage your vulnerabilities;
3. Maintain proactive security;
4. Check your security program is working;
5. Increase confidence in your security; and
6. Maintain regulatory compliance.
We have a blog article on this very topic titled Why is Penetration Testing Important.
This is one of the most critical steps in ensuring the success of your penetration test. The Pre-Engagement is where we work together to rigorously define the scope and the goal of the test. We do this through a scoping call, which you can book at a time and date convenient to you.
During the scoping call for your penetration test, we are looking to identify exactly what needs testing, how complex it is and how much time we will need to complete the penetration test to the best of our capability. We will also look to identify the goal of the penetration test. The goal could be as simple as “identify all the exploitable vulnerabilities”. It could be a lot more complex, such as “pivot through an exploited host and attack the internal network to gain access to client data.”
Having a well-defined scope is the key to the success of your penetration test. This is why we can never answer the question “how much is a penetration test?” until we have had a call to discuss your penetration testing scope.
The second step in a penetration test is Intelligence Gathering, and it is a two-step process. The first step is, at Hedgehog at least, done in the background, normally a week before your test start date. The vast majority of the intelligence gathering phase is performed by automated scripts; the same scripts are typically used within the penetration test itself for more targeted needs. Essentially, we are looking to gather as much information about your business and your penetration test scope as we can from publicly available sources.
During the second part of the intelligence gathering phase, we review the output from step 1 and any documents or information you have provided to us. This is typically done the day prior to your penetration test starting. We will scour the internet and, to an extent, the dark web to identify any further information or data that could be beneficial to your test. The typical documentation we are looking for includes system architecture, data flows, infrastructure, concepts, password hashes, names, identities, etc.
What is the purpose of this? Well, imagine if we were to find the company's internal information in a forgotten bit-bucket somewhere. This could be used in the penetration test to help gain access to systems. Equally, it helps identify any client information left exposed. It all goes towards completing the most comprehensive penetration test available to you and ensuring a positive return on your investment.
The reconnaissance phase of every penetration test builds on the Intelligence Gathering stage through the use of active, in-depth technical review of the scoped environment. We will delve into each of the systems/applications in scope to identify the component structure and map all of the points of interaction.
This part of penetration testing is vitally important to the success of the test. We will look to identify every point of interaction that a user can have with a system, application or target. We will identify the technologies used and whether there are any easy wins. This is done through port scanning, passive information analysis, mapping and analysis. The goal of this phase is for our penetration testers to understand the scoped environment to its full extent.
Vulnerability Analysis is the most time-consuming aspect of every penetration test. Vulnerability Analysis starts with a series of reviews of the scoped environment using various vulnerability scanning tools. We typically use a number of scanners and tools to aid in the rapid analysis of vulnerabilities. Our primary tool for vulnerability analysis is Secure, our in-house developed vulnerability scanner. Secure uses a number of internally developed processes as well as commercial scanners including Nessus, OpenVAS and NeXpose.
The output from the vulnerability analysis phase is a list of identified known vulnerabilities. Every one of these vulnerabilities is then manually reviewed and validated. Once the automated scans are complete and the vulnerabilities confirmed, the tester moves on to attempting to find unknown vulnerabilities manually. With Web Application testing, the bulk of the time is spent in manual vulnerability analysis. Unknown vulnerabilities are commonly known as zero days, and these can exist in many different areas of the scope. This is why vulnerability analysis is the most time-consuming phase.
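The two points made above, that scanner severity scores ignore the circumstances of the environment and that every scanner finding must be manually validated before it is acted on, can be shown with a small triage script. This is an added example, not Hedgehog's code or a description of the Secure scanner: the CSV layout, the host names, the `CVE-0000-000x` identifiers and the exposure/criticality weights are all constructed for illustration.

```python
"""Environment-aware triage of vulnerability scanner findings.

Added example (not Hedgehog's or any scanner vendor's code). The scanner
report is simulated with a constructed CSV; identifiers such as
CVE-0000-0001 are placeholders, not real CVEs.
"""
import csv
import io
from dataclasses import dataclass

# Constructed scanner export: host, CVE identifier, CVSS-style base score.
SCANNER_CSV = """host,cve,base_score
web-01,CVE-0000-0001,9.8
db-01,CVE-0000-0002,7.5
kiosk-7,CVE-0000-0003,9.8
web-01,CVE-0000-0004,8.1
"""

# Result of the manual review step: only findings the tester reproduced are
# confirmed. CVE-0000-0004 on web-01 could not be reproduced (suspected
# false positive), so it is deliberately absent from this set.
CONFIRMED = {("web-01", "CVE-0000-0001"), ("db-01", "CVE-0000-0002"),
             ("kiosk-7", "CVE-0000-0003")}

# Environmental context the scanner does not know about. Both weights are in
# the range 0.0 to 1.0 and are constructed values for this example.
ASSET_CONTEXT = {
    "web-01":  {"exposure": 1.0, "criticality": 0.9},  # internet-facing, client data
    "db-01":   {"exposure": 0.4, "criticality": 1.0},  # internal, crown jewels
    "kiosk-7": {"exposure": 0.2, "criticality": 0.2},  # isolated, low value
}


@dataclass
class Finding:
    host: str
    cve: str
    base_score: float
    validated: bool


def parse_scanner_csv(text, confirmed):
    """Parse the scanner export and mark each row with its validation status."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["host"], row["cve"])
        findings.append(Finding(row["host"], row["cve"],
                                float(row["base_score"]), key in confirmed))
    return findings


def contextual_score(finding, context):
    """Scale the base score by how exposed and how critical the host is.

    The weight is the mean of exposure and criticality, so an isolated,
    low-value host with a 9.8 base score drops well below an internal
    database with a 7.5. This weighting is an illustrative choice, not a
    standard formula.
    """
    ctx = context[finding.host]
    weight = 0.5 * ctx["exposure"] + 0.5 * ctx["criticality"]
    return round(finding.base_score * weight, 2)


def prioritise(findings, context):
    """Return confirmed findings as (host, cve, contextual score), highest first."""
    ranked = [(f.host, f.cve, contextual_score(f, context))
              for f in findings if f.validated]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


def needs_validation(findings):
    """Findings the scanner reported but manual review has not confirmed."""
    return [(f.host, f.cve) for f in findings if not f.validated]


if __name__ == "__main__":
    parsed = parse_scanner_csv(SCANNER_CSV, CONFIRMED)
    for host, cve, score in prioritise(parsed, ASSET_CONTEXT):
        print(f"{score:5.2f}  {host:8}  {cve}")
    print("unconfirmed:", needs_validation(parsed))
```

Run as-is, the kiosk's 9.8 ranks last and the unconfirmed web-01 finding is held back from the remediation list rather than silently reported as a vulnerability, which is the distinction between a scan report and a validated penetration test result.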
The exploitation phase of the penetration test is where we take all the vulnerabilities we have identified and use them to try and reach the goal set out in the Pre-Engagement step. We review each of the vulnerabilities, identify any exploits available for use and perform exploitation in a safe and controlled manner.
In a Web Application penetration test, this might lead us to bypass authentication controls or use other users' accounts. We may be able to access information that would usually be protected by session management, authentication and authorisation controls.
In an Infrastructure pen test, this might result in the tester being able to sniff passwords on the network or gain access to a server. The goal of exploitation is to work towards achieving the objectives of the test incrementally.
Once an exploit is successful, the entire pen test process restarts at Intelligence Gathering within the context of the exploited system or application. Exploitation testing can be extremely time consuming so it must be conducted in a very controlled manner.
During the post-exploitation aspect of the penetration test, your pen tester will be analysing all of the gathered data and the results of individual tests. The analysis includes categorising the detected vulnerabilities and prioritising them per the business and technical context. It is during this step that further testing needs are identified, and the tester will loop back and test or retest specific areas so that complete scope coverage is assured.
The very last stage of the penetration test is the summarisation of the testing and the drawing of a conclusion.
At the end of every engagement is a test report. The report details what was done, what was found, and what should be fixed. These may be:
* Inadequate or improper configuration settings
* Known or previously unknown software or hardware flaws
* Operational gaps within business processes or technical controls.
A Penetration Test (also known as ethical hacking or a pen test) is an authorised hacking attempt, targeting your organisation’s IT network infrastructure, applications and employees. The purpose of the test is to identify security risks by actively attempting to exploit weaknesses in a controlled manner. Undertaking penetration testing allows you to proactively strengthen your organisation’s security practices.
High profile cybersecurity breaches regularly make national and even international news, and are often the result of a targeted attack. What is less well publicised are the more pervasive, lower profile breaches which are more opportunistic in nature and increasingly impact small and medium-sized organisations. This trend can be linked to the sophisticated way in which cyberattacks can now be automated and the introduction of new vulnerabilities resulting from the adoption of new technology and working practices (remote working and BYOD, such as laptops, tablets and phones).
In a rapidly changing technological landscape, organisations must not only keep pace with the speed of innovation, but also the resulting risks to information security.
A vulnerability scan is an automated, low-cost method for testing common network and server vulnerabilities. This is sometimes referred to as an automated pen test. Many automated tools are available, and most are easily configured by the end user to scan for published vulnerabilities on a scheduled basis. While an automated vulnerability scan is very efficient and cost-effective in identifying common vulnerabilities such as missing patches, service misconfigurations and other known weaknesses, it is not as accurate in validating that the reported vulnerabilities are real, nor does it fully determine the impact through exploitation. Automated scanners are more prone to reporting false positives (incorrectly reporting weaknesses) and false negatives (failing to identify vulnerabilities, especially those impacting web applications). Automated Vulnerability Scanning is mandated by the Payment Card Industry Data Security Standard (PCI DSS) as noted in requirement 11.2.
A penetration test focuses on the environment as a whole. In many ways, it picks up where the scanners leave off to provide a comprehensive analysis of the overall security posture. While scripts and tools are leveraged by a penetration tester, their use is largely limited to reconnaissance activities. The bulk of a penetration test is manual by nature. A penetration test identifies vulnerabilities scanners cannot, such as wireless flaws, web application vulnerabilities, and vulnerabilities not yet published. Further, pen testing includes attempts to safely exploit vulnerabilities, escalate privileges, and ultimately demonstrate how an attacker could gain access to sensitive information assets. Penetration testing frequently applies “test scenarios” specific to an organization as well. For example, a university may grant access to student workers, a hospital may leverage third party service providers, or a consultancy may have unique access rights for their engineers. Each of these scenarios would require different positioning of the penetration tester within the environment and requires adjustments to the methodology. Penetration testing is also mandated by the PCI DSS as noted in requirement 11.3.
Penetration testing and automated vulnerability scans both serve a purpose and both types of testing belong in a comprehensive vulnerability assessment program. Automated vulnerability scanning should be scheduled to run on a frequent basis, ideally at least weekly, with network penetration tests scheduled quarterly or when significant changes are planned to an environment.
Goals of a penetration test vary greatly based on the scope of review. Generally speaking, the goal of a penetration test is to validate the effectiveness of security controls designed to protect the system or assets being protected.
A Penetration Test should always document the goals of the project. Penetration Test reports and deliverables outline the expectations, scope, requirements, resources, and results.
A Penetration test may be performed for a variety of reasons. Most relevant regulatory standards require that penetration tests be performed.
* Penetration testing can identify vulnerabilities inadvertently introduced during changes to the environment, such as a major upgrade or system reconfiguration.
* Penetration testing can be integrated into the QA process of the Software Development Life Cycle to prevent security bugs from entering into production systems.
* Organisations, especially those acting as data custodians, are being required to have testing performed by their customers. Penetration testing can demonstrate a commitment to security from a customer perspective and provide attestation that their assets or services are being managed securely.
* Penetration testing is a common requirement for internal due diligence as part of ongoing efforts to manage threats, vulnerabilities, and risks to an organization. Results can be used as input into an on-going Risk Management process.
* Penetration testing allows companies to assess the security controls of potential acquisition targets. Most organisations preparing to acquire an organisation seek insights into the vulnerabilities they may introduce in doing so and plan for the costs they may be incurring to remediate.
* To support a breach investigation, penetration testing may tell an organisation where the other vulnerabilities may exist in order to have a comprehensive response to the incident.
* Penetration testing allows companies to proactively assess for emerging or newly discovered vulnerabilities that were not known or have not yet been widely published.
* Penetration testing serves as an aid to development teams who are writing new web applications. Many development lifecycles include penetration testing at key stages of the process. Correcting flaws is typically less costly the earlier in the development lifecycle they are discovered. Additional testing prior to go-live on a production-ready build can identify any remaining issues that might require attention before loading users onto the application.
Collaboratively, the scope of a penetration test should always be customised to suit the unique nature of the business. A variety of considerations, both internal and external to an organisation, impact and guide the scope of a penetration test:
* The nature of the business and types of products/services offered
* Compliance requirements and deadlines
* Geographic considerations
* Organisational structure
* The organisation’s strategic plans
* Customer expectations, especially when an organisation acts as a custodian of that customer’s data
* The value of the company’s assets
* Redundancy in the environment that may impact sampling thresholds
* Network segmentation and connectivity
* The age of different components of the environment
* Recent or planned changes to the environment
All of these factors need to be discussed and understood to make sure that the scope is appropriate and to ensure that the testing is focused in the areas of the environment that warrant it.
The most common areas selected for penetration testing scope typically include external networks, internal networks, web applications, wireless networks, and employee security awareness (through social engineering). These are typically all performed as part of a single engagement, but differ in their testing approach.
Web Application Penetration Test: Based on the sensitivity or value of a web application, an in-depth review is appropriate. There are over 100 specific areas reviewed within each web application. Testing begins with information gathering, followed by testing of configuration and deployment management, identity management, authentication, authorisation, session management, data validation, error handling, cryptography strength, business logic, client-side security, and other development-language-specific tests as appropriate. Our approach to assessing web applications provides a flexible framework for comprehensively identifying and evaluating technical vulnerabilities. Testing is typically performed with prior knowledge to ensure a deep understanding of the purpose of the application. Credentials are provided to facilitate a review not only from the perspective of an unauthorised user, but also to identify potential authenticated risks, such as privilege escalation, from an authorised user’s perspective.
External Network Penetration Test: External network penetration tests focus on the internet facing network as a whole. It begins with reconnaissance to identify potential targets. Any responding network, host, or service may be targeted as a potential entry point into the secured network. While web applications identified may be utilised to gain entry, network penetration testing goes much broader to explore any exposed service and the relationships between them. Vulnerabilities leveraged are pursued to exploit weaknesses and escalate privileges into the internal network.
Internal Network Penetration Test: Internal network penetration tests are very similar to external penetration tests with the exception of perspective. While an external penetration test is performed remotely to simulate an external attacker, an internal penetration test is performed internal to the network from behind the perimeter firewalls. The general approach is the same as an external penetration test, however the target systems and networks are very different. Performing onsite testing allows the penetration tester to target hosts not exposed externally such as file servers, user workstations, domain controllers, internal application servers, databases, and other connected devices.
Internal Wireless Penetration Test: Wireless penetration tests assess the adequacy of the multiple security controls designed to protect your wireless services against unauthorised access. Testing analyses and attempts to exploit wireless vulnerabilities to gain access to private (protected) wireless SSIDs authorised for testing. Additional test scenarios may be performed, such as when guest wireless access is provided to visitors with the expectation that access is limited in some way.
Social Engineering: Remote social engineering is a remote assessment performed under controlled conditions designed to validate the effectiveness of user security awareness and incident response processes. Testing includes leveraging a carefully crafted fictitious “malicious” website, email campaigns to targeted employees, phone contact, or through other customised attack scenarios. This is commonly performed shortly after security awareness training or education campaigns to validate their effectiveness.
Remediation Verification: Remediation verification testing validates identified vulnerabilities have been successfully remediated, providing independent confirmation that corrective measures have been implemented in a manner that prevents exploitation.
When a penetration testing provider is hired, the hiring company should expect that every penetration test team includes a dedicated project manager, a skilled and experienced test team, resource coordinator(s), and a point of escalation. The test team should include individuals with in-depth experience across multiple technologies including client platforms, server infrastructures, web application development, and IP networking. The individuals on the team should hold valid certifications relevant to their role such as Project Management Professional (PMP), Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP) or equivalent credentials.
When a network penetration test is being performed to comply with a regulatory requirement, additional experience or certification is required to ensure the approach is appropriate and the results are presented in the correct context. For example, a penetration test performed to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirement 11.3 is best delivered by individuals with PCI QSA and PCI PA-QSA credentials. Many skilled penetration testers also typically possess other technology certifications to demonstrate their knowledge and proficiency.
All testers at Hedgehog are either CREST CRT or TIGER QSTM qualified.
Once the penetration test is complete, the hiring company should receive pen test documentation in a report or deliverable detailing all of the findings, recommendations, and supporting evidence. The deliverable should clearly document the scope and boundaries of the engagement as well as the dates the pen testing was performed. Additionally, all detailed findings should be included in their technical format as well as summarised for non-technical audiences. The report should include:
* Detailed recommendations for improvements that clearly document observed vulnerabilities
* A discussion of the potential business impacts from identified vulnerabilities
* Specific instructions for remediating, including instructional references where appropriate
* Supporting evidence and examples
* A step-by-step and screen-by-screen walkthrough demonstrating any exploits to allow an organisation to understand and reproduce the scenario
* Executive and summary reports for non-technical audiences
Oftentimes, a separate deliverable is needed that is suitable for consumption by third parties seeking attestation that a network penetration test was performed. A qualified penetration test provider prepares these documents as part of the process when requested by an organization. All deliverables should be of high quality and reviewed with the customer to validate accuracy and ensure recommendations are well understood.