Performing a Detailed Penetration Testing: Soutech VenturesEsang U. E
Pen tests as we already know are intended to identify and confirm actual security breaches and to report such issues to management. This ensures that an organization experiences a balance in business and a good network security to ensure the smooth operation of business.
Just to reiterate as this is a follow up article to my basics on penetration testing, penetration testing colloquially called pen test refers to an ethical hacking method which is used to perform security testing on a computer network of an organization. It involves a lot of methodologies which I have already explained in my previous write up which is designed to explore a network for potential known vulnerabilities and to test them if they are real. A properly performed penetration test allows a network professional to fix issues within the network in order to improve the network security and provide the needed protection for the entire network against future cyber-attacks and intrusions.
The terms vulnerability assessment and penetration testing are often confused and I have made an attempt to differentiate them because they mean different things.
Pen tests involve methods require using legal permissions to exploit the network while vulnerability assessment requires evaluating the network, its systems and services for potential security problems. While a pen test is designed to perform simulated attacks, vulnerability assessments only require pure analysis and vetting of an organizations network for vulnerabilities. Note that no attack is launched.
Penetration Testing Services
I will describe 4 distinct penetration testing service offerings that we can provide you
1.Vulnerability Scanning: This scanning technique provides a very transparent and mature offer but the biggest challenge always lies on whether to resell a service offering or to buy that can be used to internally scan the clients’ systems and networks. Every regulation requires scanning which is the first and easy step taken towards achieving security assurance. This is because all regulated customers need to scan.
2. Penetration testing of Infrastructure: This offers tools such as Metasploit or Core Impact, that can be used to perform live exploits. Live ammunitions are used so you have to orchestrate or organize the test with the client in such a way that the amount of disruption during the tests is minimized. The pen tester should endeavor to test all externally visible IP addresses because it is what the bad guys want in order to penetrate the system and network. The tester should also attach to the conference room network which is one of the softest parts of the customers’ defense.
3. Penetration of Applications: This is a very important step which involves an attempt to break into the applications because so many attacks are directly targeted at applications. Web applications such as HP’s WebInspect and IBM’s AppScan can be employed, but the tester can also find ways to exploit the application logic errors. Nothing stands a skilled application test because once an initial application is compromised, a direct access to the database where valuable data is easy. If the tester can access the database, then the customers system is owned already and scripts can be written to block every loop holes by the attacker.
4. User Testing: This part of the penetration test is always fun for the penetration testers because they get to see how gullible and vulnerable most users are. The test may involve sending fake email messages to customer service representatives in a bid to gather information that can be used to penetrate their facilities. They even drop thumb drives at the parking lot and watch out for people that will plug them. Social engineering is one of the key ways of information gathering and should never be underestimated. Social engineering can be used on the client in order to catch them off guard.
The Qualifications of a Penetration Tester
The task of penetration testing can be performed by a qualified third-party agent as long as they are organizationally independent. What I mean is that they must be organizationally separate from the management of the client or the target system. Example, if we use a case study of a PCI DSS company as our assessment entity and as the third-party company carrying out the assessment, they cannot conduct the pen test because they’re involved in the installation, maintenance or as support to the target systems.
The following guidelines can be useful in your choice for a good and qualified penetration tester
Certifications for a penetration tester: The certifications which a penetration tester hold is a very indicative guide to their level of competence and skill. While these certifications may not be required, they can indicate a common body of knowledge for the tester. These are the few among’st many certifications a penetration tester can have;
- Certified Ethical Hacker (CEH)
- Offensive Security Certified Professional (OSCP)
- Global Information Assurance Certification (GIAC)
- Computer Information System Security Professional (CISSP)
- GIAC Certified Penetration tester (GPEN)
- EC-Council Security Analyst (ECSA)
- Licensed Penetration Tester (LPT)
- GIAC Exploit Researcher and Advanced Penetration tester (GXPN)
Always remember that before any test begins, all parties are recommended to be involved such as the organization, pen tester, the assessor where applicable. They all must be aware of the types of test being performed i.e. external, internal, network layer or application and how the test will be performed and the target.
Steps to Perform a Detailed Penetration Testing
1.Scoping of the organization: The responsibility of the organization is to the adequately define the critical systems. The normal recommendation is that the organization works hand in hand with the pen tester whenever it is applicable. The assessor also plays major role here to verify that none of the components are overlooked and also to determine if there are additional systems to include in the scope. The scope of the penetration test should include the critical systems, the access points and the methods for segmentation.
2. Documentation: All components within the scope of the documentation should be made available to the tester whenever necessary. Documents include,
- Application interface documentation
- Guides to the implementation
This will help the tester to understand the functionality of the system. Other information which the organization needs to supply the tester should include
- Network diagram. showing all the network segments.
- Data flow diagram
- Detailed list of all services and ports that are being exposed to the perimeter.
- List of the network segments in isolation
The pen tester uses all this information to assess and identify all unexpected attack vectors and any insufficient authentication controls.
3. Rules of Engagement: Before any test begins, it is very important to agree and document on conditions and terms in which the test is being performed and the extent to the level of exploitation. This gives the pen tester the authority to the test environment and to make sure the organization has an understanding of test and what to expect from it. The following are what to consider as rules of engagement
- Window time will the test be performed?
- What are the known issues in the system and issues with automated scanning? And if so, will such systems still be tested?
- Any preferred methods of communication about the scope and any issues that will be encountered in the course of the test.
- Any security controls could detect the testing?
- Are there passwords or any sensitive data to be exposed during the test.
- If the equipment to be used by the tester will pose any threats to the systems in the organization.
- Any updated OSes, service packs and patches and if the tester should provide all the IP addresses for which the test will originate.
- What steps the tester should take when he detects any flaw or loophole.
- Will the tester retain any data obtained during the tester?
4. Third-party Hosted/Cloud environments: The following should be added to the rules of engagement.
- Before test commences, if the service-level agreement requires any approval from the third-party.
- Web management portals that are provided to manage the infrastructure by the third-party should not be included unless noted in the scope.
5. Criteria for success: Pen testing is supposed to simulate a real-world attack with the aim of identifying the extent an attacker can go to penetrate the systems. Therefore, defining the success criteria for the pen test will allow the entity to program limits for the pen test. Success criteria should be included in the rules of engagement and should include
- Restricted services or data should be directly observed in the absence of access controls
- Level of compromise of the domain being used by legitimate users.
6. Review of past vulnerabilities and threats: this involves a review and a consideration of all the threats and vulnerabilities that were encountered in the last 12 months. It is more like an historical look into the organizations environment since the last assessment was performed. This information is very important to give insights on how to handle the current vulnerabilities. Depending on whether it is a white box, grey box or black box test that is to be performed, these are not to be included in the review.
- Vulnerabilities being discovered by the organization and have not be solved within a certain time.
- Compensation controls preventing the discovered vulnerabilities
- Upgrades or deployments that are in progress
- Threats and vulnerabilities that have led to a possible data breach
- Valid remediation of pen test in the past years.
7. Segmentation: This is done by conducting test used during the initial stage of the network penetration such as port scans, host discovery. It is performed to verify that all the isolated LANs do not have access to the database. Testing each of these unique segments should ensure that security controls are working normally as intended. The pen tester should check the LAN segments that they have access to the organization and restrict access.
8. Post Exploitation: This means taking actions after an initial compromise of the system. It refers to the methodical approach of making use of pivoting techniques and privilege escalation to establish a new source of attack. This can be done from a vintage point in the system in order to gain access to the network resources.
9. Post- Engagement: the following activities should be done after the engagement or testing are being performed:
- Remediation best practices
- Retesting all the identified vulnerabilities
10. Cleaning up of the work Environment: After the pen test has been performed, it is necessary to do a thorough cleanup of the working environment. The tester does some documentation and informs the organization of any alterations that have been made to the environment. These include but not limited:
- Installed tools by the tester on the organizations system
- Created accounts during part of the assessment
- Changed passwords for accounts
- Any additional documents not related to the organization
11. Reporting and Documentation: Report helps an organization in their efforts to improve upon their security posture and also to identify any areas that are vulnerable to threats. A report should be structured in a such a way that it the test is clearly communicated, how it was carried out. The report should be done in the following steps;
- Report identified vulnerabilities
- Any firewall mis-configurations
- Report of detected credentials that were obtained through manipulation of the web application.The service of penetration testing is a typical learning experience for everyone in the organization that is involved in it as well as the tester. The testers get to discover and learn what it is that works and what does not work and is not obtainable to the entity being tested. They can also learn how to find ways to adapt to the defenses of the customer. The client i.e the organization gets to learn of what they should have known and done that is less effective and finally learn and appreciate what is applicable. The pen tester now tries to pick the pieces and build a strong and long-term relationship with the client.
We at soutech web consults are the perfect consulting firm for carrying out your penetration testing. We have professional staff and team to conduct a well detailed and professional penetration testing. Subscribe for our services today.