Penetration testing is an idea that raises many questions in managers’ minds. That’s not unreasonable. The testers are asking for authorization to try to get past your network security controls. They’ll do things that are indistinguishable from real-world cyber attacks.
Before agreeing to a simulated attack on your network infrastructure, you want to know exactly what it’s for. What will you get out of it? What issues do you have to deal with for the sake of long-term improvement?
There isn’t one answer for all organizations. Our penetration testing services use a variety of methods, depending on your security needs and objectives. When you schedule a free consultation with Red Team, we will talk with you about how we can best fulfill your goals. Our approach will be tailored to the information protection you need and to the methods you find acceptable. Contact us through our website or call 612-234-7848 to set up a free consultation.
Introduction To Penetration Testing
Ultimately, the goal is the discovery and elimination of security risks. To make that specific to your situation, you have to consider several questions:
- What types of risks are you most concerned with?
- Do you have specific compliance requirements based on the work you do and the information you handle?
- What level of data protection do you require?
- What risks are inherent in the type of business you do?
Determining Your Cyber Security Objectives
Once you have assessed your needs, you can translate them into objectives. You may be primarily concerned with assessing your technical defenses, such as web application firewalls (WAFs). There may be a particular application you want to test. You may want to be sure that a certain type of information (e.g., protected health information under HIPAA) has adequate protection. The human factor may be the most important, and you want to see how people will respond to phishing and other tricks.
Each objective implies a distinct security testing scenario, with its own targets, methodology, and coverage. Here are some possible cases:
- Objective: Determine if your externally facing controls sufficiently reduce your risk and keep bad actors out. Method: Tailor attacks to those controls, targeting common weaknesses.
- Objective: Evaluate your entire attack surface, identifying any weaknesses in externally facing devices. You want to determine if your computer systems are secure even if attackers penetrate firewalls. Method: Target weaknesses commonly found in desktop and mobile devices. This may involve letting the testers bypass the firewall.
- Objective: Test users’ judgment in responding to deceptive email and other communications. This is a test of people rather than technology. Method: Send tailored phishing messages, make phone calls, and perhaps even make in-person visits to get past physical security.
- Objective: Evaluate the effectiveness of the security policy, to see if its prescribed actions provide an effective defense when followed. Method: Study the security policy, look for gaps in it, and devise strategies which could exploit them.
Industry-specific Vulnerability Assessment Requirements
Some types of organizations require adherence to specific standards. A healthcare facility needs to be sure it complies with the HIPAA Privacy and Security Rules. A defense contractor needs to follow the CMMC framework. Businesses that handle credit card data need to follow PCI security standards for sensitive data. Penetration testing built around those requirements is an important part of a security assessment. Acting on the results of a test will help to minimize the risk of penalties or lost business due to non-compliance.
What Pen Testing Is And Does
The common thread is that penetration testing, sometimes known as ethical hacking, identifies cyber security issues by simulating attempts to defeat safeguards. If it succeeds, a real attacker could exploit the same weaknesses. Pen testing may work on a production system or one which is set aside for the testers.
The tests may be automated or manual, or testers may use a combination of the two. Automated tools have the advantages of thoroughness and consistency. They cover all common issues that could arise in a given environment. The tests are repeatable, so they can measure progress or compare different installations. The manual approach lets testers use their intuition. Every site is unique, and testers may think of likely weaknesses that the standard suite doesn’t cover.
Assessment Of Cyber Security Requirements
The first step is to assess the target. The testers will use whatever information the client gives them and may do their own research. They will devise appropriate methods, selecting a suitable test suite or devising custom tests to hit likely weaknesses. Armed with this preparation, they will attempt to break into the target systems. In some cases, with the client’s approval, this could include an actual, physical break-in attempt.
Testers avoid doing actual damage to the target systems, and they protect any confidential data they expose as strongly as the tested site should have protected it. Harm from competent, honest testers, other than bruised egos, is rare.
Reporting Pen Testing Results
The report to the client is an important part of the process. A good penetration tester will tell you what testing methodology they used, what weaknesses they found, and how serious those weaknesses were. The report will let you prioritize the issues, fixing the most glaring problems first.
The tests can be repeated after you take corrective action. You will be able to see how much improvement there was and whether you introduced any new security issues in the process.
The remedies will include strengthening configurations, educating personnel, updating unpatched operating system and application software, and fixing bugs. Testing should be conducted periodically to measure progress in securing systems.
The Main Objective Of A Penetration Test
In the end, the goal is to identify security weaknesses in a network, machine, or piece of software. Once they’re caught, the people maintaining the systems or software can eliminate or reduce the weaknesses before hostile parties discover them.
“Security” isn’t limited to how well the machines and software stand up against penetration attempts. Other aspects of it include:
- The effectiveness of an organization’s security policy. It may have deficiencies that attackers can exploit when employees go by the book. In other cases, the employees might not understand the policy well enough. You may learn your organization needs to revise the policy or improve its training program.
- Adherence to compliance requirements. Regulations and standards such as HIPAA and PCI require particular types of safeguards. Failure to comply could result in heavy fines or the loss of business privileges and opportunities. A penetration test can help to determine if the protections are in place and work effectively.
- Employee security awareness. Some tests focus on employee responses to phishing, social engineering, and the like. They can show how effective training has been and identify employees who need additional reminders. The tests could reveal areas that the training failed to cover.
- Incident response effectiveness. Security incidents will happen even in well-protected environments. It’s important to test how well IT and security personnel respond to them. This approach works best when the people handling the incident don’t know whether it’s a test or a real attack.
Penetration testing is different from vulnerability assessment. The latter looks for known problems in software and configurations using vulnerability scanning. It doesn’t attempt to exploit any security vulnerabilities. The two are useful and complementary techniques.
Penetration Testing Strategies
Pen testers commonly use one of several strategies or a combination of them. The choice depends on the objectives and on what you find acceptable.
Targeted penetration testing is conducted by the client’s IT or security team and the testing team working together. Everyone knows what is going on, and no one is taken by surprise. This approach causes a minimum of disruption, since the IT team won’t mistake a test for a real attack. It allows for quick feedback in both directions.
External testing takes the perspective of an outside attacker who (initially) has no system privileges. The testers can see servers and devices which are visible on the Internet. This includes Web, mail, and FTP servers, firewalls, and any devices that may be inadvertently exposed to access. The test includes scanning access points for open ports, probing services, login attempts, and scanning for leaked information.
Internal testing works from a user account given to the tester. The tester determines if the account can take actions or reach resources it shouldn’t be authorized for. Aside from assessing how much harm a rogue employee can do, it measures what can happen if an outsider steals the credentials for an account. In systems that consistently employ the principle of least privilege, a normal account can do only limited harm.
Blind testing is a type of external testing that simulates the actions of an attacker who has picked a target at random. The testers start with very limited information, perhaps just the name of the company or the domain. There aren’t a lot of cases where this type of test is useful. The tester needs to spend additional time gathering information just to reach the starting point of a normal external tester.
Double blind testing is more interesting. Both the tester and the client organization are operating blind. Only a few people on the client side know about the test, and they don’t include IT personnel. To the people in IT, whatever happens is a real attack. This type of test evaluates the ability of IT and security to respond to an intrusion attempt. It carries some risks, since the tech team might quarantine systems or restrict operations in an attempt to stop the “attack.”
Black box testing is similar to blind testing, and the terms are often used interchangeably. Black-box testers know what systems they are targeting but have no knowledge beyond what the public has. This is slightly more information than a true blind tester has, but most often it’s limited to the URL of the company’s website or its IP address. This type of test can help to show if the client has made too much information easily available.
White box testing is also known as clear box testing. The testers get detailed information about the target system, including source code, configurations, and system documentation. It lets testers find the greatest number of weaknesses in the shortest time, and it helps to show what a malicious insider could do. Unlike internal testing, white box testing doesn’t include the credentials for any accounts.
Getting Ready For Pen Testing
Any organization with substantial cyber security requirements should consider pen testing. Taking advantage of it helps your organization to identify weaknesses it might otherwise miss and learn how your security will stand up against real-world attacks.
Physical and technical protection of information requires expertise in security issues. Red Team provides penetration testing for PCI, HIPAA, and other security-critical environments. Call us at 612-234-7848 with no obligation and learn how we can improve your information security profile.