"Penetration Testing" - Human Ingenuity to Uncover Security Gaps – a detailed article.
Updated: Jun 24, 2019
Today’s cyber-threat landscape is evolving at an alarming pace, and businesses are increasingly pressured by their stakeholders to protect themselves against data breaches such as DDoS attacks, Mirai, phishing and Ransomware. While organizations are constantly flooded with the latest and supposedly greatest tools and technologies, penetration tests remain one of the most popular and critical tools to strengthen your security defenses.
A penetration test is a simulated cyber-attack against your computer system to check for exploitable vulnerabilities. Pen testing can involve the attempted breaching of any number of application systems, (e.g., application protocol interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as un-sanitized inputs that are susceptible to code injection attacks.
According to the official definition of the Payment Card Industry Security Standards Council (PCI SSC), the objective of a penetration test is to “identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components”. Penetration tests are simulated attacks in a controlled environment carried out by third-party security specialists who employ the same techniques as attackers located outside your infrastructure. The test will reveal if your servers or applications will resist hostile attacks and if the identified vulnerabilities can lead to further intrusion and exploitation.
Phrases Commonly interchanged (VA vs. PT) - There is a considerable amount of confusion in the industry regarding the differences between vulnerability scanning and penetration testing, as the two phrases are commonly interchanged. However, their meaning and implications are very different.
A vulnerability assessment simply identifies, and reports noted vulnerabilities, whereas a Pen Test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible.
Penetration testing typically includes network penetration testing and application security testing as well as controls and processes around the networks and applications and should occur from both outside the network trying to come in (external testing) and from inside the network.
What Does Penetration Testing Mean to a Business? –
A penetration test is a crucial component to network security. With massive & dangerous cyber-attacks happening these days, it has become unavoidable to not perform penetration testing on regular intervals to protect the information systems against security breaches.
Through penetration testing, security professionals can effectively find and test the security of multi-tier network architectures, custom applications, web services, and other IT components. These penetration testing tools and services help you gain fast insight into the areas of highest risk so that you may effectively plan security budgets and projects. Thoroughly testing the entirety of a business's IT infrastructure is imperative to taking the precautions needed to secure vital data from cyber-security hackers, while simultaneously improving the response time of an IT department in the event of an attack.
At a high level a penetration testing is mainly required because: -
To assist identify and remediating - Design and development errors, Poor system configuration, assessing unsecured network & open connections, Password related concerns enterprise-wide, User Input (SQL injection, buffer overflows, etc.) and Poor Risk Management practices to ensure that your business-critical data is not at the risk of exposure.
To Assure clients on the followed guidelines & practices as part of the software release cycle.
To secure financial, critical & other important data.
To identify security vulnerabilities in an application.
To identify Actionable remediation guidance.
To identify Gaps in information security compliance.
To identify the response time of your information security team, i.e. how long it takes the team to realize that there is a breach and mitigate the impact.
To discover loopholes in the system.
To assess the business impact of a data-breach or a successful cyber security attack.
To meet the information security compliance in the organization.
To implement effective security strategy in the organization.
To uncover the potential Human factors that can lead to security breaches. For e.g. like improper disposal of documents, leaving the documents unattended, coding errors, insider threats, phishing sites,etc.
Benefits of a Penetration Testing –
Uncover critical vulnerabilities in your environment - A penetration test (pen test) estimates the ability of an organization to defend its organization’s IT assets, applications, networks, users and endpoints from internal and external attempts to dodge its security controls to achieve privileged or unapproved access to protected assets. Pen test results confirm the threat posed by particular security vulnerabilities or faulty processes, allowing IT management and security experts to arrange remediation efforts. Organizations can more efficiently anticipate emergent security threats and avoid unauthorized access to crucial information and critical systems through executing regular and complete penetration testing.
Intelligently manage security risks based on their exploitability and its impact - Penetration tests provide a detailed overview of your organization’s exploitable vulnerabilities and includes actionable recommendations on how you can optimize your protection levels in the short-term, mid-term and long-term. Discovered vulnerabilities are listed in order of a) how easily they can be exploited and b) their impact on the organization in case of exploitation (most critical, less significant, and false positives). By following a so-called “risk-oriented prioritization” approach, information security executives will be able to prioritize these risks based on their criticality, plan their remediation efforts and allocate their security resources accordingly.
Service disturbances and Security breaches are expensive - Recovering from a security breach can cost organization millions of dollars in IT remediation efforts, customer protection and retention programs, reduced revenues, dropped employee output, discouraged trade associates and legal activities. Penetration testing supports an organization to evade these financial setbacks by proactively detecting and addressing threats before they lead to a security compromise and grind down customer loyalties.
Meet compliance with industry standards and regulations – Aregimented pen-test is your first step towards achieving compliance. All common compliance frameworks require annual as well as ongoing penetration testing (in case of system changes), be it ISO 27001, NIST, FISMA, GLBA, HIPAA, Sarbanes-Oxley or the Payment Card Industry Data Security Standard (PCI DSS). A complete report produced by the penetration testers can assist organizations in evading substantial penalties for non-compliance and let them illustrate required security control’s strength to auditors.
Preserve corporate image and customer loyalty - Even a single occurrence of compromised customer data can destroy a company’s brand and negatively impact its bottom line. Penetration testing helps an organization avoid data incidents that may put the company’s reputation and reliability at stake.
Keep executive management informed about your organization’s risk level - Now more than ever, executive management and the board of the directors want to be informed about how well protected their organization really is against cyber attacks. According to a study conducted, 34% of C-level executives are never updated about security incidents and only 23% are updated on annual basis – a worrisome development. While it is obvious that executives won’t have the time to review a penetration test report in its entirety, the executive summary and/or findings overview can provide them with valuable insights about their organization’s security posture in easy-to-understand, non-technical terms.
Penetration Testing Types -
Social Engineering Test - In this test, attempts are being made to make a person reveal the sensitive information like password, business-critical data, etc. These tests are mostly done through phone or internet and it targets certain help desks, employees & processes. Human errors are the main causes of security vulnerability. Security standards and policies should be followed by all staff members to avoid social engineering penetration attempt.
Web Application Test - Using software methods one can verify if the application is exposed to security vulnerabilities. It checks the security vulnerability of web apps and software programs positioned in the target environment.
Physical Penetration Test - Strong physical security methods are applied to protect sensitive data. This is generally used in military and government facilities. All physical network devices and access points are tested for possibilities of any security breach. This test is not much relevant to the scope of software testing.
Network Services Test - This is one of the most commonly performed penetration tests where the openings in the network are identified by which entry is being made in the systems on the network to check what kind of vulnerabilities are there. It can be done locally or remotely.
Client-side test - It aims to search and exploit vulnerabilities in client-side software programs.
Remote dial-up war dial - It searches for modems in the environment and tries to login to the systems connected through these modems by password guessing or brute forcing.
Wireless security test - It discovers the open, unauthorized and less secured hotspots or Wi-Fi networks and connects through them.
Penetration Testing Approaches -
Black Box Penetration Testing - In this approach, the tester assesses the target system, network or process without the knowledge of its details. They just have very high level of inputs like URL or company name using which they penetrate into the target environment. No code is being examined in this method.
White Box Penetration Testing - In this approach, the tester is equipped with complete details about the target environment – Systems, network, OS, IP address, source code, schema, etc. It examines the code and finds out design & development errors. It is a simulation of internal security attack.
Grey Box Penetration Testing - In this approach, the tester has limited details about the target environment. It is a simulation of external security attack.
Manual Penetration Test - It’s difficult to find all vulnerabilities using automated tools. There are some vulnerabilities which can be identified by manual scan only. Penetration testers can perform better attacks on application based on their skills and knowledge of the system being penetrated. The methods like social engineering can be done by humans only. Manual checking includes design, business logic as well as code verification.
Penetration Testing – Methodology & Process -
Penetration tests are typically performed using manual and/or automated technologies to systematically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices, and other potential points of exposure.
The penetration testing should attempt to exploit security vulnerabilities and weaknesses throughout the environment.
The penetration testing should be appropriate for the complexity and size of an organization. All locations of sensitive data; all key applications that store, process or transmit such data; all key network connections; and all key access points should be included.
Once vulnerabilities have been successfully exploited within a system, testers may use compromised systems to find other weaknesses that allow them to obtain higher and deeper levels of access to assets and data.
Information about security weaknesses that are successfully identified or exploited through penetration testing is typically aggregated and presented to IT and network system managers helping them make strategic decisions and prioritize remediation efforts.
Stages of a Pen-Test - The Pen-Testing process can be broken down into five stages.
1. Planning and reconnaissance - The first stage involves:
Defining the scope and goals of a test, including the systems to be addressed and the testing methods to be used.
Gathering intelligence (e.g., network and domain names, mail server) to better understand how a target works and its potential vulnerabilities.
2. Scanning - The next step is to understand how the target application will respond to various intrusion attempts. This is typically done using:
Static analysis – Inspecting an application’s code to estimate the way it behaves while running. These tools can scan the entirety of the code in a single pass.
Dynamic analysis – Inspecting an application’s code in a running state. This is a more practical way of scanning, as it provides a real-time view into an application’s performance.
3. Gaining access - This stage uses web application attacks, such as cross-site scripting, SQL injection and backdoors, to uncover a target’s vulnerabilities. Testers then try and exploit these vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic, etc., to understand the damage they can cause.
4. Maintaining access - The goal of this stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited system long enough for a bad actor to gain in-depth access. The idea is to imitate advanced persistent threats, which often remain in a system for months in order to steal an organization’s most sensitive data.
5. Analysis - The results of the penetration test are then compiled into a report detailing: -
Specific vulnerabilities that were exploited.Sensitive data that was accessed.The amount of time the pen tester was able to remain in the system undetected. This information is analyzed by security personnel to help configure an enterprise’s WAF settings and other application security solutions to patch vulnerabilities and protect against future attacks.
Plan-wisely to take most out of a Penetration Test – Every penetration test is eventually a cost and thus it has to be thought and planned wisely. It should be seen as an investment that is aiming to avoid damages from a real attack, that could data loss, image degradation, and much more. Here are six key thoughts to consider in order to make most out of a penetration test –
Which environment to choose for Pen-Test “the Production or Pre-production”? - Running a penetration test on your production environment i.e. under actual conditions of use with the last developments set up has a great advantage. However, to avoid any risks, I recommend performing it in an ISO-Production environment, which is an absolutely identical environment (designed, scaled, and configured) to the production environment. Doing a penetration test on the pre-production environment is also interesting, as it is very similar to the final environment. Tests will not touch services used by your users/customers. This is particularly appropriate for critical infrastructure, for which the data or system integrity is crucial. Finally, the important is to test the entirety of your online environment, as some environments -other than production- are accessible from internet. Those platforms can be vulnerable.
Staging the pen-testing before end of Product Development - Correcting flaws in the early stage is easier and takes less time (and is less expensive) as once the service is deployed. A first pen test provides a sound basis and the project keep growing in the right direction. Moreover, with the constant functionality evolution, we can hardly say that a project is “finished”. There will always be updates or patch to install, functionalities to add, changes in the development technologies, etc. It is recommended to run a penetration test at least for each new version or main new modification of your solution.
Pen-testing Company-wide Online eco-system - A penetration test challenges your web application (PC or mobile), the server configuration, webservices, API,and more generally every service accessible online. Depending on organisational specific needs, a test scope should be defined.
What all will be testing Tested? – Languages are different, but logical vulnerabilities are found everywhere be it PHP, Java, Ruby, Python, C# or NodeJS. Logical flaws are related to the conception of web applications, independently of the technology used. Services go extensive and expansive for concerning vulnerabilities specific to a framework or a language for e.g. MySQL Injection and/ or MongoDB Injection as it requires to know many languages, in order to test them.
Who does the Fixing? – A penetration test report documents clearly where the flaws were found, how they can be exploited. This report includes recommendations on how to correct those flaws as well however, pen-testers do not do it themselves. It becomes developer’s responsibility to gear-up and be more efficient while doing needed corrections.
Consider Scoping a Post Remediation Re-Test - It is interesting to verify that corrections are full and correct for each vulnerability. A check allows, to control that the corrections didn’t cause any side effect, i.e. negative consequences (new vulnerabilities) if developed while fixing the originally identified flaws. So it becomes really important for organization to incorporate remediation validation phase while ordering.
Do's & Don't when your Pen-Test results are looking bad? - A security assessment is only one step in a process. The next is how you react when you have a high-risk penetration test report sitting in your inbox. Here are six ways to react when pen-test results are looking critical -
1. Reacting with Political Maneuvering or getting into a finger-pointing exercise - A corporate leadership role requires a certain level of posturing, and it is leadership’s prerogative to embrace such reports with wiser thoughts than doing a blame game. It’s helpful to acknowledge mistakes and learn from them but keep the emphasis on moving forward.
2. Plan to fix Silently, Slowly & Gradually – You may feel like quietly keeping it in the mailbox as it may become an instant overhead for fixing and might stain your repute. Maybe you would prefer to fix the findings with minimal leadership & political pressure. Ideally, we should genuinely embrace the report which is a genuine disclosure of risk and own the resolution of the identified vulnerabilities so as maintain & protect CIA of the organization.
3. Enable people with awareness in place of firing them - When the report is delivered, specific individuals are identified as the source of the compromise and are promptly fired. That is absolutely the wrong course of action. In place of replacing them with someone new who has not learned that lesson, help them understand the attack and how their actions contributed. Remember, that person who understand the ramifications of their action is the most secure person in the company and will be the last person to click on a suspicious link in the future. By doing this, you are generating awareness which leads to heightened level of vigilance and enabling a task force to become powerful advocates among their peers for better security.
4. Identify root-case and fix the problem not the system - The assessment report & the findings in it is not a checklist to be ticked off and move ahead. It should be promptly fixed. First attempt to fix the symptom, but do not neglect the underlying problems that led to it.
5. Think Enterprise-wide vs being siloed - It’s important to scrutinize all critical elements of any environment and understand the collative exposure they create. The point is that attackers are going tactical in their efforts and likewise, we need to strategize our defenses as well.
6. Embrace it and bring a positive change - A security assessment is not a chance for someone to make you look bad. It’s a learning, maturing, developing and overall strengthening exercise. Embrace it and use it for a platform from which to build positive change.
Dispel Five Misconceptions about Pen-Testing - Penetration testing is a legal attempt at gaining access to a protected computer system with the intention of identifying potential security loopholes in that system before cybercriminals do – is an integral part of information security. A pen test will provide an excellent view of the actual security state of an environment as well as the organizations security state.
Penetration testing is critical for all types of organizations, especially those that are subject to data privacy laws and regulations. Before conducting penetration tests, it is important to dispel several myths and wrong conceptions about the practice.
1. Are all Penetration Testing Tools Created Equal - Many penetration testing tools exist in the market, and testers should use a variety of solutions. However more senior testers also build custom tools to go beyond the normal scope of testing. Obviously, proper testing requires expert skills and lots experience.
2. Automated Security Testing or Manual Penetration Testing or a Blend - Automated testing is scanning, not true penetration testing. Both have its value, but humans find ways to break systems that machines do not. Experience, creativity, and curiosity are at the core of pen testing, which generally picks up where automation ends.
3. Penetration Tests Only Assess Technological Weaknesses - Penetration testing can include social engineering. In some cases, pen-testers may be authorized to do more, such as scan social media for exploitable information or attempt to phish sensitive data from users via email.
4. Pen-Testers Must Be Ignorant of the Systems They Target - Both people who have knowledge of the intended target system and those who do not can conduct penetration tests. Penetration testing can be conducted by employees, contractors or other external third parties.
5. Penetration Testing Is Always Proactive – It can be both, proactive or reactive. Ideally, tests are performed to help prevent a breach. However, penetration testing during post-breach forensic analysis can help security teams understand what happened and how — information that can also help an organisation prevent similar breaches in the future.
Seven Penetration Testing Resources You Need to know - Given today’s ever evolving cyber-threat landscapes, penetration tests have become one of the most-commonly known security tactics to help organizations uncover critical vulnerabilities, strengthen their security defenses and meet compliance requirements such as PCI DSS.
Here are seven useful resources vetted that will help you keep up with the rapidly evolving landscape of ethical hacking. In short, penetration testers can find resources about vulnerability databases, report templates, books, security courses, conferences, magazines etc. on these websites.
1. Offensive Security
2. The Exploit Database
3. The SANS Institute
4. PentesterLab
5. Kioptrix
6. EHacking.net
7. GitHub
Why it is important to choose an experienced organization and not to be pound-foolish - The most-costly component of any true penetration testing engagement is the experienced personnel and the time they spend performing manual penetration testing. The second important reason that a cost of pen-test varies is that there is no recognized "standard" for penetration testing, and the quality & medium (automated vs. manual or both) varies dramatically.
At EXL, we conduct such tests using experienced, trained, qualified, certified professionals in US with clear background checks for every engagement. Our experienced and knowledgeable ethical hackers bring an element of human intelligence to your security efforts.
We recommend deciding upon the purpose before your initiate such an engagement whether it is to “is to secure your organization” or “to satisfy a compliance mandate or a client’s requirement”. Then decide upon the quality of testing, medium of the testing, depth of the testing and reporting requirements of the testing. We have specific testing methods that thoroughly covers network, systems and applications and detailed reporting but easy to understand reports covering threats, scenarios and mitigating actions.
In addition, check for liability insurance, relevant references, skills of the pen-testing team, a sample report, verify project management capabilities and their methodology and process.
An upcoming post will have all about the Pen-Testing Tools. Keep Watching & Learning.
Conclusion - Compliance is one of the greatest concerns for companies of any size today. From strict regulatory standards to clients’ demands, every business or organization is asked to adhere to stringent regulations to protect the sensitive data they collect and process daily.
Many are the tools at the disposal of IT security managers to meet this demand, and pen testing is one of the most effective. Other than being simply listed as one of the requirements or recommendations in many standards, a pen test is also an effective tool for managers to get a true insight in their systems and in their ability to withstand a variety of attacks.
Pen-testing can help meet many of the compliance demands, from tailoring effective policies to justifying a proper budget to verifying the presence and effectiveness of tools required by industry regulatory requirements. Penetration testing give you the resilience to survive in an environment that affords more and more dangers as technology advances while ultimately earning the trust and confidence of their clients.
References:
https://www.incapsula.com/web-application-security/penetration-testing.html
https://www.veracode.com/security/penetration-testing
https://www.secureauth.com/products/penetration-testing
https://www.softwaretestinghelp.com/penetration-testing-guide/
https://www.rapid7.com/fundamentals/penetration-testing/
https://www.cloudflare.com/learning/security/glossary/what-is-penetration-testing/
https://www.hitachi-systems-security.com/blog/penetration-testing-resources/
https://www.vaadata.com/blog/7-questions-before-doing-a-penetration-test/?_sm_nck=1
https://www.hitachi.com/blog/4-good-reasons-why-you-need-to-conduct-a-penetration-test/
#infosec #linkedin #riskassessment #informationsecurity #auditmanagement #informationprotection #securityaudit #cyberrisks #cybersecurity #security #cloudsecurity #trends #grc #leadership #cybersecurityleadership #informationsecurityawareness #linkedintopvoices #news #newsletter #india #testers #penetrationtesting