While everyone may be tired of hearing that it’s not a question of if you’ll be breached but when, that is the reality of our current environment. Breaches are exploding in scale and scope, and with the availability of malware-as-a-service, it’s no longer just lone individual hackers trying to get in. It’s a thriving business, one that is highly organized and highly profitable.
As such, part of your cybersecurity defense strategy should include assessing the strength of your defenses against hackers. How? Using penetration testing, where a trained “white-hat” hacker tries to exploit your network much like the bad guys do.
A penetration test (pen test) is an ongoing cycle of research and attack against a system, application, or network. It’s a multi-step process that needs to be performed by an expert. The basic goals are to:
- Identify vulnerabilities through footprint analysis and/or reconnaissance;
- Penetrate vulnerable systems, services, and/or applications using both automated and manual tools; and
- Gain access to systems and/or sensitive data.
The Internet Security Glossary defines a vulnerability as a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy (RFC 2828). Vulnerabilities are typically a result of:
- Unpatched software;
- Developer mistakes in custom software, e.g., not using secure coding techniques or leaving credentials in the comments of the production version of the software; or
- Insecure configuration, such as using weak or default passwords.
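As an added example (not from Sage or this article), here is a small Python review check for the second and third causes above: credential-looking values left in source comments, flagged additionally when the value is a well-known default password. The sample source and the default-password list are constructed for the example.

```python
import re

# Constructed sample "production" source; it is scanned as text, never executed.
SAMPLE_SOURCE = """\
import requests

# TODO remove before release: admin password is Hunter2!
API_BASE = "https://api.example.invalid"
# db: user=app password=changeme
def connect():
    return requests.get(API_BASE)  # api_key=AKIA_PLACEHOLDER_NOT_REAL
"""

# Comment syntaxes understood: '#' (Python, shell, YAML), '//' (C-family, JS),
# and single-line '/* ... */'. A '#' or '//' inside a string literal is also
# matched; for a review tool a few false positives are acceptable.
COMMENT_RE = re.compile(r"(?:#|//)(?P<body>.*)$|/\*(?P<block>.*?)\*/")

# Credential-looking pairs inside a comment: a secret-ish key followed by
# "is", ":" or "=" and a value.
CRED_RE = re.compile(
    r"(?i)\b(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b\s*(?:is|[:=])\s*(\S+)"
)

# Small constructed list of widely used default passwords.
DEFAULT_PASSWORDS = {"changeme", "admin", "password", "123456", "default"}


def find_comment_credentials(source: str):
    """Return (line_number, key, value, is_default) for each credential-like
    pair found in a comment of the given source text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in COMMENT_RE.finditer(line):
            comment = m.group("body") or m.group("block") or ""
            for c in CRED_RE.finditer(comment):
                key, value = c.group(1).lower(), c.group(2)
                hits.append((lineno, key, value, value.lower() in DEFAULT_PASSWORDS))
    return hits


if __name__ == "__main__":
    for lineno, key, value, is_default in find_comment_credentials(SAMPLE_SOURCE):
        flag = " (well-known default)" if is_default else ""
        print(f"line {lineno}: {key} = {value!r}{flag}")
```

Running it over a release build's source tree before it ships catches the "credentials in comments" mistake the list above describes.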
An exploit is the use of software, data, or commands to take advantage of a vulnerability to carry out some form of malicious intent.
Let’s run through the basic methodologies of the different types of pen tests. You’ll see that while they all have similar features, there are some distinctions, and each type answers a different question in regards to your cybersecurity defenses.
What information could a hacker obtain if they successfully breach your network perimeter?
That’s what an external network penetration test tries to uncover. Before any testing begins, the pen tester should perform a footprint analysis and other reconnaissance. This involves identifying publicly available information about the organization and the network, including network ranges, IP addresses, and domain and host names. Part of the reconnaissance may include looking for email addresses of key players in the organization (IT Manager, CFO, etc.) that could be used during the exploit phase. Sage pen testers will also look at repositories of stolen data to see if any of the client’s data is there, which would be evidence of a previous breach or provide details about the target network that may be helpful to an attacker.
Next, a vulnerability scan is completed to identify known vulnerabilities, and more research is done to verify the scanned results. Then comes the exploitation phase, where the pen tester tries to exploit the identified vulnerabilities. The objective may be to gain control or “own” a system or network; verify that control could be gained; or simply verify access to information.
What could happen if an attacker makes it behind your firewall? Or if an insider attempts to gain unauthorized access to information resources?
These are the questions answered during an internal network penetration test, where the pen tester tries to achieve an agreed-upon goal (e.g., obtaining domain administrator access, gaining access to a particular system or repository of sensitive data, or the ability to monitor network traffic). The scenarios used and the goals should be established before the assessment starts. The methodology for an internal pen test differs from an external pen test because the tester is already “in” the network. The pen tester may be provided user-level credentials to simulate what would happen if a user's account is compromised (or if a malicious insider perpetrates an attack). Alternatively, the pen tester may have to find a way to compromise credentials.
Once an initial set of credentials is compromised, the pen tester attempts to escalate their privileges until the goals of the chosen scenario are achieved. An internal pen test may include a vulnerability assessment, but it does not have to.
What could happen if a hacker attacks your website or published web application?
A web application penetration test can help answer this question. The goal is very similar to that of an external network pen test: to identify vulnerabilities in the web application itself; identify vulnerabilities in related devices; and then gain access to the systems and / or sensitive data. When people think about web application testing, they foremost think of having their public website tested. While that is definitely important, there are many other web applications that should be considered for testing, including: customer / user portals, support sites, employee portals, custom web sites, web services, web-based email systems, SSL VPN solutions, etc.
The methodology is also very similar to an external network penetration test. You start out by doing reconnaissance to identify publicly available information about the application. Next comes site mapping to identify functionality and areas of attack. Input fields, such as blog comments, contact forms, login fields, etc., present avenues for attack, so the penetration test should map out all the pages, parameters, and the overall attack surface of the application as part of the engagement.
The testing can be conducted from an authenticated or unauthenticated user perspective. An automated scan of the web application is often included; however, this type of testing requires significant manual effort to be most effective.
What could happen if an attacker targets your mobile application?
This is what a mobile application penetration test can tell you. The attack surface for this kind of test can include the mobile application and / or the backend infrastructure that services the application. The goals are to identify vulnerabilities in the mobile application and identify vulnerabilities in any backend web services / infrastructure of the application, and then gain access to the systems and / or sensitive data, if possible.
Reconnaissance identifies publicly available information about the application itself. A network penetration test is performed against the backend infrastructure, and the web application / services that support the mobile app are subjected to a web application penetration test.
Why Pen Test?
Penetration testing is an important part of your cybersecurity program and can help inform your cybersecurity strategy. Simulating real world attacks in a safe, controlled manner will help validate your existing security controls, assess the adequacy of intrusion detection and response systems, and help you identify weaknesses in need of improvement.
At Sage, we base our penetration testing methodologies on a number of frameworks / guidance manuals, including:
- PCI Data Security Standard – Penetration Test Guidance
- Penetration Testing Execution Standard (PTES) Technical Guidelines
- Open Source Security Testing Methodology Manual (OSSTMM)
- Open Web Application Security Project (OWASP) Top 10
- Open Web Application Security Project (OWASP) Mobile Top 10
In addition, Sage’s cybersecurity professionals bring highly skilled expertise to each unique engagement through specialized training in security testing disciplines. Continuous education is a fundamental element of ensuring quality testing, and Sage personnel maintain several professional credentials including, but not limited to:
- Offensive Security Certified Professional (OSCP)
- GIAC Web Application Penetration Tester (GWAPT)
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
- Offensive Security Advanced Windows Exploitation (AWE)
- Offensive Security Wireless Professional (OSWP)
- Certified Information Systems Security Professional (CISSP)