Penetration Testing
We are constantly hearing about data breaches and cyber attacks in the news. With this becoming the norm, it is more important than ever to undertake regular vulnerability scans and penetration tests to identify and remediate vulnerabilities such as missing patches and misconfigured systems. You need to continually confirm that your information security controls are actually working.
Organizations need to conduct regular testing of their systems for several reasons:
- To determine the weaknesses in the infrastructure (hardware), applications (software) and people in order to develop controls
- To ensure controls have been implemented and are effective – this provides assurance to information security and senior management
- To test applications that are often the avenues of attack (Applications are built by people who can make mistakes despite best practices in software development)
- To discover new bugs in existing software (patches and updates can fix existing vulnerabilities, but they can also introduce new vulnerabilities)
Before a "malicious threat actor" (i.e. a "bad guy") decides to penetrate your network, your Internet connection is already being scanned automatically several times a day, every day!
There are several types of motivation that could cause a third party to assess, attack, and potentially breach your network.
"Threat actors" come in various roles: a curious student sharpening their network skills, a paid security consultant looking to acquire your corporate intellectual property on behalf of a competitor, a hacktivist wanting to deface your website for political reasons, or a nation state looking to acquire trade secrets.
When engaging a Cyber Security Company to conduct a Penetration Test, you need to understand the level of motivation and financial threshold you wish to emulate.
A curious student will likely use several open source tools to do some automated reconnaissance, maybe find a vulnerability or two, and might spend a day or two probing and testing before giving up and moving on to the next target.
A competitor on the other hand may invest a certain amount of money into engaging a professional hacker to try to gain access to your environment. They may be interested in acquiring your customer list, or access to your upcoming product portfolio, or to cause reputational damage by launching an attack from within your network.
To see if you require a penetration test, book a free 30 minute consultation now!
Types of Penetration Tests: (Our Methodologies)
There are several types of penetration tests, and your Cyber Security firm should help you determine which one(s) are appropriate for the level of motivation that you require. Typically, we describe the level of information a penetration tester has at the beginning of the engagement as "Black box", "Grey box", or "White box".
Black Box:
A "Black box" assessment is conducted with very little information provided by the client: typically just a list of URLs or IP addresses and the level of attack motivation desired, and nothing else. The consultant has no knowledge of the infrastructure or any credentials, and has to derive everything through reconnaissance.
White Box:
In a "White box" assessment, the security consultant is given a high level of documentation regarding the types of equipment and applications at the corporate perimeter, such as network diagrams, user credentials, application source code, etc. The purpose is to identify vulnerabilities in the architecture, as well as any application or operating system vulnerabilities that are only visible with privileged credentials.
Grey Box:
A "Grey box" assessment, as you can likely guess, is somewhere in between: the consultant has as much information as they need to identify and assess the various Internet facing cyber security controls.
Physical Penetration Test: (Facility Access)
Hackers may rely on a physical approach to complement their technical attacks.
Scoping unsecured areas
Hackers search for loading docks, maintenance entrances, designated smoking areas, or other locations that may not be well secured to gain entry with the least resistance or visibility.
Piggybacking
Piggybacking, or tailgating, is a hacker's method of entering a facility by closely following one or more employees or maintenance workers who have legitimate access through an entry point.
Social Engineering:
Phishing
Phishing is a method of trying to gather personal information using deceptive e-mails and websites. Here's what you need to know about this venerable, but increasingly sophisticated, form of cyber attack. (CSOONLINE.COM)
Pretexting
Pretexting is defined as the practice of presenting oneself as someone else in order to obtain private information. It is more than just creating a lie; in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information. Pretexting can also be used to impersonate people in certain jobs and roles that they never themselves have done. Pretexting is also not a one-size-fits-all solution. A social engineer will have to develop many different pretexts over their career. All of them will have one thing in common: research. Good information gathering techniques can make or break a good pretext. Being able to mimic the perfect tech support rep is useless if your target does not use outside support. (SOCIAL-ENGINEERING.ORG)
External Network Penetration Test:
Internet based Penetration Testing
Internet based penetration testing identifies security weaknesses within your Internet facing network controls, such as firewalls, WAFs and intrusion detection/prevention systems, as well as any Internet facing applications, portals, or gateways present on your corporate network perimeter.
Vulnerability Scanning
All penetration tests start with some form of automated vulnerability assessment. Vulnerability scanning is an automated process that uses off the shelf tools to scan your systems for known security vulnerabilities. Scans are used to assess your company's network security health and provide insight into risks that may directly impact your organization.
Manual exploitation
Once the vulnerability scanning has identified potential weaknesses in the target application or infrastructure, a manual penetration test, or "pen test", is conducted to simulate a cyber attack against your computer system. Pen testing can involve the attempted breaching of any number of application systems (e.g., application protocol interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks. (via IMPERVA.COM)
Internal Network Penetration Test:
Network and Infrastructure Penetration Testing
Infrastructure penetration testing identifies security weaknesses within the systems on your network, as well as in the network itself. Testers search for flaws such as out of date software, missing patches, improper security configurations, weak communication algorithms, command injection, etc. Infrastructure penetration tests often include the testing of firewalls, switches, virtual and physical servers, and workstations.
Web Application Penetration Test:
Web applications often process and/or store sensitive information including credit cards, personally identifiable information (PII), and proprietary data. Applications are an integral business function for many organizations, but with that functionality comes risk. Penetration testing provides visibility into the risks associated with application vulnerabilities.
Mobile Application Penetration Test:
Like web applications, mobile applications also process, forward and/or store sensitive information including credit cards, personally identifiable information (PII), and proprietary data. Mobile applications are an integral business function for many organizations, but with that functionality comes risk. Penetration testing provides visibility into the risks associated with mobile application vulnerabilities.
Wireless Penetration Testing:
Wireless capabilities can provide opportunities for attackers to infiltrate an organization's secured environment, regardless of certain access and physical security controls. Wireless pen testing provides a map of the access points in the wireless landscape. After gaining access to the wireless network, penetration testers attempt to exploit weaknesses in the network to reach privileged areas and demonstrate the potential impact of a wireless network breach.
Reports - Executive and technical:
Penetration testers perform assessments, interpret the results, and provide reports for the tested organization.
The deliverable is both a technical and an executive document and presentation detailing your current vulnerabilities and the gaps in your infrastructure.
Where vulnerabilities have been identified, we will provide a list of remediation options: quick wins, short term goals, and investments required, placed on a potential roadmap.
The technical report contains enough detail to guide your team in remediating the identified vulnerabilities; alternatively, you can choose to hire us to provide a faster, more thorough remediation.
The executive report is written in the language of business risk, with heat maps identifying priority fixes and timelines.
Each engagement concludes with an executive presentation to itemize and discuss the findings, their level of risk, and their potential remediations.
Book a Penetration Test with TeamCISO!
Read: Vulnerability scan vs. penetration test vs. risk analysis: What's the difference? (via csoonline.com)