The Sage Advice Guide to

Penetration Testing

Uncover your Vulnerabilities before an Attacker Does.

When we ask information security professionals what keeps them up at night, many times they say, “What I don’t know.” It’s no surprise – with reports of breaches on an almost daily basis, it’s impossible to ignore that there are a lot of hackers out there trying to get into networks wherever they can, with tools and techniques that are constantly evolving.

That’s why it’s important to be diligent about assessing your network security from the perspective of a hacker. And the best way to do this is through a penetration test (pen test). The Sage Advice Guide to Penetration Testing will provide you with the fundamental information you need to know in order to effectively incorporate this important practice into your security defense arsenal. Here's what we'll be covering... Click below to jump to a specific section, or just keep scrolling!

GET THE GUIDE NOW!  Download Sage's Guide to Penetration Testing and learn how to uncover your network cybersecurity vulnerabilities before an attacker does.


Part 1: What is a Pen Test?

A pen test is used to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities through an ongoing cycle of research and attack against a system, application, or network. The basic goals are to:

  1. Identify vulnerabilities on systems / applications in scope;
  2. Penetrate vulnerable systems, services, and / or applications using automated and manual tools and analysis; and
  3. Gain access to systems and / or sensitive data.
It’s a simulated cyber-attack that can be conducted from an internal or external (Internet) perspective.

“Although there are many ways to secure systems and applications, the only way to truly know how secure you are is to test yourself. By performing penetration tests against your environment, you can actually replicate the types of actions that a malicious attacker would take, giving you a more accurate representation of your security posture at any given time.”

-- SANS Institute InfoSec Reading Room

Part 2: Why Perform a Pen Test?

  1. Identify vulnerabilities and weaknesses.
  2. Check effectiveness of existing security controls.
  3. Meet regulations and compliance standards.
  4. Prioritize mitigation and remediation.
  5. Assess intrusion detection and response systems.
  6. Confirm publicly available networks / systems.

Part 3: Who Should Perform a Pen Test?

When it comes to pen tests, the experience, training, and expertise of the pen tester is directly linked to the value the results will provide you. Continuous education is a fundamental element of ensuring quality testing and there are several professional credentials for pen testers.

EXAMPLE OF PROFESSIONAL CREDENTIALS

Pen testers also need to stay up-to-date on threats and vulnerabilities by constantly consuming the latest threat intelligence.


Part 4: How to Perform a Pen Test: The Sage Methodology

At Sage, each cyber assessment engagement is customized to meet unique goals and objectives; therefore, the specific elements of our methodology that are leveraged are contingent upon the level of testing and the defined scope. The following is an accounting of the potential testing phases and their respective individual elements:

FOOTPRINT ANALYSIS / RECONNAISSANCE

Typically the first step, this entails searching various publicly available sources for detailed company-specific information. This allows us to identify target systems and provides information that may prove useful in an attack.

SYSTEM, SERVICE, AND VULNERABILITY IDENTIFICATION

In this phase, a variety of specialized security tools are used to identify the architecture and vulnerabilities. The goal is to identify systems / devices that respond to authorized and unauthorized requests, the services / applications that those systems are providing, and inherent and / or potential vulnerabilities.

EXPLOITATION

Here we attempt to gain unauthorized access to systems and / or information utilizing the vulnerabilities identified in the previous phase. Once we gain access to systems / information, we report the finding and move on in an attempt to find additional vulnerabilities.

REPORTING

In this final phase, we generate an executive summary and a technical report that explains the findings, provides customized remediation recommendations, and, if available, includes details on repeating the attack scenario.

INDUSTRY GUIDANCE FOR PENETRATION TESTING

Our methodology is continuously engineered to meet evolving best practices and is informed by several standardized approaches including:

Part 5: Types of Pen Tests

Let’s run through the basic methodologies of the different types of pen tests. You’ll see that while they all have similar features, there are some distinctions, and each type answers a different question in regards to your cybersecurity defenses.

EXTERNAL PENETRATION TEST

What information could a hacker obtain if they successfully breach your network perimeter?

Following the typical pen test methodology, the pen tester will identify vulnerabilities and try to gain control or “own” a system using a combination of automated tools and manual techniques.

At Sage, we customize the level of engagement that will satisfy the unique needs of an organization.

INTERNAL PENETRATION TEST

What could happen if an attacker makes it behind your firewall? Or an insider attempts to gain unauthorized access to information?

An internal pen test differs from an external pen test because the pen tester is already “in” the network.

The tester may be provided user level credentials or they may have to find a way to compromise credentials. Then they attempt to escalate those privileges until they have achieved the agreed upon goal.


WEB APPLICATION PENETRATION TEST

What could happen if a hacker attacks your website and / or published web applications?

Testing is performed on websites or other web applications including: customer / user portals, support sites, and employee portals.

It can be conducted from an authenticated or unauthenticated perspective. User testing roles and associated privileges are assigned beforehand (e.g., administrator). This type of testing requires significant manual effort for the most effective results.


MOBILE APPLICATION PENETRATION TEST

What could happen if an attacker attacks your mobile application?

The attack surface for this kind of test can include the mobile application and / or the backend infrastructure that services the application.

The goal is to review the mobile app and supporting infrastructure for vulnerabilities that could be the result of insecure configuration settings and data storage on the mobile device itself; or in the web services / infrastructure that supports the mobile application.

“Vulnerability assessments and penetration tests complement each other. In many programs, vulnerability assessments are the first step. From there, one can perform a penetration test to see how exploitable the vulnerability is.

Misunderstanding these important tools can put your company at risk – and cost you a lot of money.”

-- CSO Online

Part 6: Pen Test vs. Vulnerability Assessment

There is a misconception that pen tests and vulnerability assessments are synonymous. It’s common to hear the terms used interchangeably. While both are critical components of a threat and vulnerability management process, they are very different engagements. It’s imperative you understand the differences between them, so you can select which is most appropriate at any given time.


OBJECTIVES

VULNERABILITY ASSESSMENT: Identifies known weaknesses in your environment. Findings may include unapplied patches, vulnerable software versions, and gaps in network controls. Primarily an automated assessment.

PEN TEST: Simulates a real-world attack and tests your existing defensive controls. Manual testing routinely finds vulnerabilities that automated vulnerability assessment tools are incapable of finding.


TOOLS

VULNERABILITY ASSESSMENT: Primarily performed using automated scanning tools such as Nessus, Qualys, or OpenVAS, which are off-the-shelf software packages.

PEN TEST: Automated tools are leveraged for efficiency; however, the majority of this effort is manual and relies upon the skill-set and expertise of the pen tester.


DELIVERABLES / FINDINGS

VULNERABILITY ASSESSMENT: Typically a stock report listing all known vulnerabilities found during the scan, prioritized by severity and / or criticality with remediation recommendations.

PEN TEST: A more succinct report with vulnerabilities, ranked by severity with remediation recommendations, plus details on how an attacker could breach your defenses.

FREQUENCY

VULNERABILITY ASSESSMENT: Ideal for periodic testing between pen tests and as a quick verification when changes are made to the environment.

PEN TEST: Should be performed at least annually and any time significant changes are made to the environment.

Learn more about the differences and which is right for your organization in our blog post, What’s the Difference between a Penetration Test and a Vulnerability Assessment.


Part 7: Sage Pen Test Options

The scale and scope of a pen test engagement is a function of satisfying business obligations and understanding organizational risk tolerance. Sage works in a collaborative fashion to customize the level of engagement that will satisfy unique organizational needs. Our options, which are described below, also include a vulnerability assessment, which is primarily automated testing using a commercial network vulnerability scanner.


BASELINE PEN TEST

Sage attempts to verify / exploit vulnerabilities identified in the vulnerability scan.

We test for default credentials on any common systems / software found. Default passwords are a common and easily exploited attack.

Ideal for budget-conscious organizations with developing cybersecurity programs that would like to get a basic understanding of their external security posture.


COMPREHENSIVE PEN TEST

Building on what is offered at the baseline level, this test includes manual attack techniques, open source intelligence gathering, and target-environment-specific research / testing.

A limited amount of unauthenticated web application testing against commonly used applications is also included.

This option is best suited for compliance-driven organizations and high-value targets such as financial institutions and healthcare organizations.


In recent years, 80% of all high vulnerabilities and 46% of all vulnerabilities that Sage reported in pen tests were found due to the manual techniques that are incorporated into the Comprehensive Pen Test.


Part 8: Elements of an Effective Pen Test

INDEPENDENT ANALYSIS / SEPARATION OF DUTIES

Information security best practices call for independent testing for several reasons. First, cybersecurity specialists have the latest, most sophisticated technologies and the most current information on exploits. Also, internal teams may see things during tests that should trigger a response, but get ignored because they know the idiosyncrasies of their IT infrastructure — a common but dangerous mistake.

RESEARCH & RECONNAISSANCE

Determining the appropriate scope, defining an effective methodology, and establishing a practical blend of automated vs. manual testing are critical components of an effective pen test. Before any testing begins, the pen tester should have a clear picture of the unique environment. This knowledge is gained through research and reconnaissance.

SECURITY EXPERTISE & TRAINING

A skilled pen tester looks at the vulnerabilities found during a scan, then using research, validates that the vulnerabilities are accurate, and determines how to best take advantage of them to gain access to the system. Having the skill-set to understand the orchestration between what the automated tool reports and how to manually exploit findings is how value is derived from a pen test.

ACTIONABLE INSIGHT

When testing is completed, you need to have actionable findings and effective remediation recommendations. This allows you to prioritize your subsequent remediation process according to your most critical vulnerabilities. After all, what’s the point of going through the time and effort unless you’re committed to improving your network security posture?


Part 9: 10 Tips to Reduce Common Vulnerabilities

While it seems that today’s cybercriminals have a myriad of tricks and techniques at the ready to gain access to your network, the reality is that they are typically taking advantage of common vulnerabilities – such as unpatched software or default passwords – time and time again. That’s why establishing a regular process for finding those vulnerabilities that put you at risk – over and above your annual pen test – is a critical part of your cybersecurity program. Here are the top 10 things you can do between pen test engagements to reduce your risk of being breached. 

  1. Run regular vulnerability scans.
  2. Patch software regularly.
  3. Minimize local administrator privileges.
  4. Configure systems securely, e.g., in accordance with the Center for Internet Security Guidelines.
  5. Practice secure network engineering, e.g., network segmentation to limit access to systems / information.
  6. Enforce a password policy and use dedicated password managers.
  7. Change default passwords on all applications and appliances.
  8. Ensure all devices have unique local administrator passwords.
  9. Use secure software development practices.
  10. Have working and tested backups of key systems / data.
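Tips 7 and 8 are the two that a defender can verify directly from an asset inventory between engagements. The following Python script is an added example, not code from Sage's guide: it checks a constructed device inventory for local administrator accounts still set to a vendor default and for local administrator password hashes shared across more than one device. The vendor names, the default-credential table, the hostnames and the password values are all constructed placeholders; a real run would read the inventory from your configuration management database and compare against the platform's own salted hash format rather than the plain SHA-256 used here.

```python
import hashlib
from collections import defaultdict

# Constructed vendor default-credential table (placeholder vendor names and
# placeholder values, not real vendor defaults). In practice this comes from the
# vendor documentation for the products actually in the inventory.
VENDOR_DEFAULTS = {
    "ExampleVendorA": ("admin", "changeme"),
    "ExampleVendorB": ("root", "default"),
}


def hash_password(password: str) -> str:
    """Unsalted SHA-256, used only so the inventory holds hashes instead of plaintext.
    Real platforms store salted, slow hashes; a production check would compare in that format."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed inventory for illustration: one appliance left at its vendor default,
# three workstations sharing one local administrator password, two clean devices.
INVENTORY = [
    {"host": "fw-01", "vendor": "ExampleVendorA", "admin_user": "admin",
     "admin_hash": hash_password("changeme")},
    {"host": "sw-01", "vendor": "ExampleVendorB", "admin_user": "root",
     "admin_hash": hash_password("Xq9!unique-switch-1")},
    {"host": "ws-101", "vendor": "ExampleVendorC", "admin_user": "Administrator",
     "admin_hash": hash_password("Corp-Local-2019")},
    {"host": "ws-102", "vendor": "ExampleVendorC", "admin_user": "Administrator",
     "admin_hash": hash_password("Corp-Local-2019")},
    {"host": "ws-103", "vendor": "ExampleVendorC", "admin_user": "Administrator",
     "admin_hash": hash_password("Corp-Local-2019")},
    {"host": "srv-01", "vendor": "ExampleVendorC", "admin_user": "Administrator",
     "admin_hash": hash_password("Srv-Unique-7f3k")},
]


def find_default_credentials(inventory, defaults):
    """Tip 7: hosts whose local admin account still matches the vendor default."""
    hits = []
    for device in inventory:
        default = defaults.get(device["vendor"])
        if default is None:
            continue  # no known default for this vendor; nothing to compare against
        user, password = default
        if device["admin_user"] == user and device["admin_hash"] == hash_password(password):
            hits.append(device["host"])
    return hits


def find_shared_admin_passwords(inventory):
    """Tip 8: groups of hosts whose local admin password hash is identical.
    Returns {hash: [hosts]} only for groups with more than one member."""
    by_hash = defaultdict(list)
    for device in inventory:
        by_hash[device["admin_hash"]].append(device["host"])
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}


def audit(inventory, defaults):
    """Combine both checks into one summary suitable for a remediation tracker."""
    defaults_found = find_default_credentials(inventory, defaults)
    shared = find_shared_admin_passwords(inventory)
    affected = set(defaults_found) | {h for hosts in shared.values() for h in hosts}
    return {
        "default_credentials": defaults_found,
        "shared_admin_passwords": shared,
        "devices_affected": len(affected),
    }


if __name__ == "__main__":
    result = audit(INVENTORY, VENDOR_DEFAULTS)
    print("Vendor default still in use:", result["default_credentials"])
    for digest, hosts in result["shared_admin_passwords"].items():
        print(f"Shared local admin password ({digest[:12]}...):", ", ".join(hosts))
    print("Devices needing remediation:", result["devices_affected"])
```

Reading hashes rather than plaintext keeps the audit itself from becoming a credential store; the shared-password check needs only equality of hashes, which is exactly the property an attacker would abuse for lateral movement and the property tip 8 removes.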

CYBER ASSESSMENT WITH SAGE

Determining the appropriate scope, methodology, and practical blend of automated vs. manual testing is a critical piece of an effective penetration test. With over a decade of experience, Sage delivers concise, actionable findings and effective remediation recommendations. Plus, our knowledgeable security experts are available to interpret findings and support you on follow-up issues.
