When we ask information security professionals what keeps them up at night, many times they say, “What I don’t know.” It’s no surprise – with reports of breaches on an almost daily basis, it’s impossible to ignore that there are a lot of hackers out there trying to get into networks wherever they can, with tools and techniques that are constantly evolving.
That’s why it’s important to be diligent about assessing your network security from the perspective of a hacker. And the best way to do this is through a penetration test (pen test). The Sage Advice Guide to Penetration Testing will provide you with the fundamental information you need to know in order to effectively incorporate this important practice into your security defense arsenal.
A pen test is used to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities through an ongoing cycle of research and attack against a system, application, or network. The basic goals are to:
When it comes to pen tests, the experience, training, and expertise of the pen tester is directly linked to the value the results will provide you. Continuous education is a fundamental element of ensuring quality testing and there are several professional credentials for pen testers.
At Sage, each cyber assessment engagement is customized to meet unique goals and objectives; therefore, the specific elements of our methodology that are leveraged are contingent upon the level of testing and the defined scope. The following is an accounting of the potential testing phases and their respective individual elements:
Typically the first step, this entails searching various publicly available sources for detailed company-specific information. This allows us to identify target systems and provides information that may prove useful in an attack.
In this phase, a variety of specialized security tools are used to identify the architecture and vulnerabilities. The goal is to identify systems / devices that respond to authorized and unauthorized requests, the services / applications that those systems are providing, and inherent and / or potential vulnerabilities.
Here we attempt to gain unauthorized access to systems and / or information utilizing the vulnerabilities identified in the previous phase. Once we gain access to systems / information, we report the finding and move on in an attempt to find additional vulnerabilities.
In this final phase, we generate an executive summary and a technical report that explains the findings, provides customized remediation recommendations, and, if available, includes details on repeating the attack scenario.
Let’s run through the basic methodologies of the different types of pen tests. You’ll see that while they all have similar features, there are some distinctions, and each type answers a different question with regard to your cybersecurity defenses.
What information could a hacker obtain if they successfully breach your network perimeter?
Following the typical pen test methodology, the pen tester will identify vulnerabilities and try to gain control or “own” a system using a combination of automated tools and manual techniques.
At Sage, we customize the level of engagement that will satisfy the unique needs of an organization.
What could happen if an attacker makes it behind your firewall? Or an insider attempts to gain unauthorized access to information?
An internal pen test differs from an external pen test because the pen tester is already “in” the network.
The tester may be provided user-level credentials, or they may have to find a way to compromise credentials. They then attempt to escalate those privileges until they have achieved the agreed-upon goal.
What could happen if a hacker attacks your website and / or published web applications?
Testing is performed on websites or other web applications including: customer / user portals, support sites, and employee portals.
It can be conducted from an authenticated or unauthenticated perspective. User testing roles and associated privileges are assigned beforehand (e.g., administrator). This type of testing requires significant manual effort for the most effective results.
What could happen if an attacker attacks your
The attack surface for this kind of test can include the mobile application and / or the backend infrastructure that services the application.
The goal is to review the mobile app and supporting infrastructure for vulnerabilities that could be the result of insecure configuration settings and data storage on the mobile device itself; or in the web services / infrastructure that supports the mobile application.
There is a misconception that pen tests and vulnerability assessments are synonymous. It’s common to hear the terms used interchangeably. While both are critical components of a threat and vulnerability management process, they are very different engagements. It’s imperative you understand the differences between them, so you can select which is most appropriate at any given time.
VULNERABILITY ASSESSMENT: Identifies known weaknesses in your environment. Findings may include unapplied patches, vulnerable software versions, and gaps in network controls. Primarily an automated assessment.
PEN TEST: Simulates a real-world attack and tests your existing defensive controls. Manual testing routinely finds vulnerabilities that automated vulnerability assessment tools are incapable of finding.
VULNERABILITY ASSESSMENT: Primarily performed using automated scanning tools such as Nessus, Qualys, or OpenVAS, which are off-the-shelf software packages.
PEN TEST: Automated tools are leveraged for efficiency, however, the majority of this effort is manual and relies upon the skill-set and expertise of the pen tester.
VULNERABILITY ASSESSMENT: Typically a stock report listing all known vulnerabilities found during the scan, prioritized by severity and / or criticality with remediation recommendations.
PEN TEST: A more succinct report with vulnerabilities, ranked by severity with remediation recommendations, plus details on how an attacker could breach your defenses.
VULNERABILITY ASSESSMENT: Ideal for periodic testing between pen tests and as a quick verification when changes are made to the environment.
PEN TEST: Should be performed at least annually and any time significant changes are made to the environment.
The scale and scope of a pen test engagement is a function of satisfying business obligations and understanding organizational risk tolerance. Sage works in a collaborative fashion to customize the level of engagement that will satisfy unique organizational needs. Our options, which are described below, also include a vulnerability assessment, which is primarily automated testing using a commercial network vulnerability scanner.
Sage attempts to verify / exploit vulnerabilities identified in the vulnerability scan.
We test for default credentials on any common systems / software found. Default passwords are a common and easily exploited weakness.
Ideal for budget-conscious organizations with developing cybersecurity programs that would like to get a basic understanding of their external security posture.
Building on what is offered at the baseline level, this test includes manual attack techniques, open source intelligence gathering, and target-environment-specific research / testing.
A limited amount of unauthenticated web application testing against commonly used applications is also included.
This option is best suited for compliance-driven organizations and high-value targets such as financial institutions and healthcare organizations.
Information security best practices call for independent testing for several reasons. First, cybersecurity specialists have the latest, most sophisticated technologies and the most current information on exploits. Also, internal teams may see things during tests that should trigger a response, but get ignored because they know the idiosyncrasies of their IT infrastructure — a common but dangerous mistake.
Determining the appropriate scope, defining an effective methodology, and establishing a practical blend of automated vs. manual testing are critical components of an effective pen test. Before any testing begins, the pen tester should have a clear picture of the unique environment. This knowledge is gained through research and reconnaissance.
A skilled pen tester looks at the vulnerabilities found during a scan, then using research, validates that the vulnerabilities are accurate, and determines how to best take advantage of them to gain access to the system. Having the skill-set to understand the orchestration between what the automated tool reports and how to manually exploit findings is how value is derived from a pen test.
When testing is completed, you need to have actionable findings and effective remediation recommendations. This allows you to prioritize your subsequent remediation process according to your most critical vulnerabilities. After all, what’s the point of going through the time and effort unless you’re committed to improving your network security posture?
While it seems that today’s cybercriminals have a myriad of tricks and techniques at the ready to gain access to your network, the reality is that they are typically taking advantage of common vulnerabilities – such as unpatched software or default passwords – time and time again. That’s why establishing a regular process for finding those vulnerabilities that put you at risk – over and above your annual pen test – is a critical part of your cybersecurity program. Here are the top 10 things you can do between pen test engagements to reduce your risk of being breached.
Determining the appropriate scope, methodology, and practical blend of automated vs. manual testing is a critical piece of an effective penetration test. With over a decade of experience, Sage delivers concise, actionable findings and effective remediation recommendations. Plus, our knowledgeable security experts are available to interpret findings and support you on follow-up issues.