Penetration testing is an idea that raises many questions in managers’ minds. That’s not unreasonable. The testers are asking for authorization to try to get past your network security controls. They’ll do things that are indistinguishable from real-world cyber attacks.
Before agreeing to a simulated attack on your network infrastructure, you want to know exactly what it’s for. What will you get out of it? What issues do you have to deal with for the sake of long-term improvement?
There isn’t one answer for all organizations. Our penetration testing services use a variety of methods, depending on your security needs and objectives. When you schedule a free consultation with Red Team, we will talk with you about how we can best fulfill your goals. Our approach will be tailored to the information protection you need and conducted in a way you find acceptable. Contact us through our website or call 612-234-7848 to set up a free consultation.
Ultimately, the goal is the discovery and elimination of security risks. To make that specific to your situation, you have to consider several questions:
Once you have assessed your needs, you can translate them into objectives. You may be primarily concerned with assessing your technical defenses, such as web application firewalls (WAFs). There may be a particular application you want to test. You may want to be sure that a certain type of information (e.g., protected health information under HIPAA) has adequate protection. The human factor may be the most important, and you want to see how people will respond to phishing and other tricks.
Each objective implies a distinct security testing scenario. Different approaches will have their own targets and methods. They will vary in methodology and coverage. Here are some possible cases:
Some types of organizations require adherence to specific standards. A healthcare facility needs to be sure it complies with the HIPAA Privacy and Security Rules. A defense contractor needs to follow the CMMC framework. Businesses that handle credit card data need to follow PCI security standards for sensitive data. Penetration testing built around those requirements is an important part of a security assessment. Acting on the results of a test will help to minimize the risk of penalties or lost business due to non-compliance.
The common thread is that penetration testing, sometimes known as ethical hacking, identifies cyber security issues by simulating attempts to defeat safeguards. If a simulated attempt succeeds, a real attacker could exploit the same weaknesses. Pen testing may be done on a production system or on one set aside for the testers.
The tests may be automated or manual, or testers may use a combination of the two. Automated tools have the advantages of thoroughness and consistency. They cover all common issues that could arise in a given environment. The tests are repeatable, so they can measure progress or compare different installations. The manual approach lets testers use their intuition. Every site is unique, and testers may think of likely weaknesses that the standard suite doesn’t cover.
The first step is to assess the target. The testers will use whatever information the client gives them and may do their own research. They will devise appropriate methods, selecting a suitable test suite, or devising custom tests to hit likely weaknesses. Armed with this preparation, they will attempt to break into the target systems. In some cases, with the client’s approval, this could include an actual, physical break-in attempt.
Testers avoid doing actual damage to the target systems, and they protect any confidential data they expose as strongly as the test site should have. Harm from competent, honest testers, other than bruised egos, is rare.
The report to the client is an important part of the process. A good penetration tester will tell you what testing methodology they used, what weaknesses they found, and how serious each one is. The report lets you prioritize the issues and fix the most glaring problems first.
The tests can be repeated after you take corrective action. You will be able to see how much improvement there was and whether you introduced any new security issues in the process.
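The comparison described above (how much improved, what is still open, what is new) is easy to get wrong when two reports are read side by side by hand. Here is a small Python script, added as an example for this article and not part of Red Team's own tooling, that takes a baseline finding list and a retest finding list, buckets each finding as remediated, persistent or new, and orders every bucket by severity so the report leads with what matters. The hosts, issue names and severities are constructed sample values, not results from any real engagement.

```python
"""Track remediation between a baseline penetration test and a retest.

Constructed example: the finding lists below are made up for illustration
and do not come from any real test report.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Order used to prioritise remediation: most severe first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass(frozen=True)
class Finding:
    host: str      # asset the weakness was found on
    issue: str     # stable identifier for the weakness (hypothetical names below)
    severity: str  # one of the SEVERITY_RANK keys

    def key(self) -> Tuple[str, str]:
        # A finding is "the same" across tests when host and issue match.
        # Severity may be re-rated on the retest, so it is not part of the key.
        return (self.host, self.issue)


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Most severe first; ties broken by host then issue for a stable report order."""
    return sorted(
        findings,
        key=lambda f: (SEVERITY_RANK.get(f.severity, len(SEVERITY_RANK)), f.host, f.issue),
    )


def compare_findings(baseline: Iterable[Finding], retest: Iterable[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into remediated / persistent / new relative to the baseline."""
    before = {f.key(): f for f in baseline}
    after = {f.key(): f for f in retest}
    remediated = [f for k, f in before.items() if k not in after]
    persistent = [f for k, f in after.items() if k in before]  # keep the retest's rating
    new = [f for k, f in after.items() if k not in before]
    return {
        "remediated": prioritize(remediated),
        "persistent": prioritize(persistent),
        "new": prioritize(new),
    }


def summarize(result: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Counts per bucket: the headline numbers for a retest report."""
    return {bucket: len(items) for bucket, items in result.items()}


# Constructed sample data (not from a real engagement).
BASELINE = [
    Finding("web-01", "outdated-cms-version", "high"),
    Finding("web-01", "verbose-error-pages", "low"),
    Finding("vpn-01", "default-admin-credentials", "critical"),
    Finding("mail-01", "open-relay", "high"),
]

RETEST = [
    Finding("web-01", "verbose-error-pages", "low"),           # still present
    Finding("mail-01", "open-relay", "medium"),                # still present, re-rated
    Finding("web-01", "directory-listing-enabled", "medium"),  # introduced while fixing
]


if __name__ == "__main__":
    result = compare_findings(BASELINE, RETEST)
    for bucket in ("new", "persistent", "remediated"):
        print(f"{bucket} ({len(result[bucket])}):")
        for f in result[bucket]:
            print(f"  [{f.severity:<8}] {f.host}: {f.issue}")
```

The "new" bucket is the one to watch after corrective action: a change made to close one finding can open another, as the constructed directory-listing entry illustrates. Keying on host and issue rather than on severity means a re-rated finding still counts as persistent instead of appearing as both fixed and new.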
The remedies will include strengthening configurations, educating personnel, updating unpatched operating system and application software, and fixing bugs. Testing should be conducted periodically to measure progress in securing systems.
In the end, the goal is to identify security weaknesses in a network, machine, or piece of software. Once they’re caught, the people maintaining the systems or software can eliminate or reduce the weaknesses before hostile parties discover them.
“Security” isn’t limited to how well the machines and software stand up against penetration attempts. Other aspects of it include:
Penetration testing is different from vulnerability assessment. The latter looks for known problems in software and configurations using vulnerability scanning. It doesn’t attempt to exploit any security vulnerabilities. The two are useful and complementary techniques.
Pen testers commonly use one of several strategies or a combination of them. The choice depends on the objectives and on what you find acceptable.
Targeted penetration testing is conducted by the client’s IT or security team and the testing team working together. Everyone knows what is going on, and no one is taken by surprise. This approach causes a minimum of disruption, since the IT team won’t mistake a test for a real attack. It allows for quick feedback in both directions.
External testing takes the perspective of an outside attacker who (initially) has no system privileges. The testers can see servers and devices which are visible on the Internet. This includes Web, mail, and FTP servers, firewalls, and any devices that may be inadvertently exposed to access. The test includes scanning access points for open ports, probing services, login attempts, and scanning for leaked information.
Internal testing works from a user account given to the tester. The tester determines if the account can take actions or reach resources it shouldn’t be authorized for. Aside from assessing how much harm a rogue employee can do, it measures what can happen if an outsider steals the credentials for an account. In systems that consistently employ the principle of least privilege, a normal account can do only limited harm.
Blind testing is a type of external testing that simulates the actions of an attacker who has picked a target at random. The testers start with very limited information, perhaps just the name of the company or the domain. There aren’t a lot of cases where this type of test is useful. The tester needs to spend additional time gathering information to get to the point of a normal external tester.
Double blind testing is more interesting. Both the tester and the client organization are operating blind. Only a few people on the client side know about the test, and they don’t include IT personnel. To the people in IT, whatever happens is a real attack. This type of test evaluates the ability of IT and security to respond to an intrusion attempt. It carries some risks, since the tech team might quarantine systems or restrict operations in an attempt to stop the “attack.”
Black box testing is similar to blind testing, and the terms are often used interchangeably. Black-box testers know what systems they are targeting but have no knowledge beyond what the public has. This is slightly more information than a true blind tester has, but most often it’s limited to the URL of the company’s website or its IP address. This type of test can help to show if the client has made too much information easily available.
White box testing is also known as clear box testing. The testers get detailed information about the target system, including source code, configurations, and system documentation. It lets testers find the greatest number of weaknesses in the shortest time, and it helps to show what a malicious insider could do. Unlike internal testing, white box testing doesn’t include the credentials for any accounts.
Any organization with substantial cyber security requirements should consider pen testing. It helps you identify weaknesses you might otherwise miss and learn how your security stands up against real-world attacks.
Physical and technical protection of information requires expertise in security issues. Red Team provides penetration testing for PCI, HIPAA, and other security-critical environments. Call us at 612-234-7848 with no obligation and learn how we can improve your information security profile.