What Is Penetration Testing
by Harman Singh
Your business is running smoothly.
Sales are flying in, your customers are happy and you feel on top of the world.
What could go wrong, right?
As you will know, in the world of business, many things can and do go wrong. And whilst you’re celebrating a new contract, you may be completely unaware of the cybersecurity flaws that hackers would love to take advantage of.
In just a few minutes, all your hard work and perseverance over the years can be jeopardised, just like that. Cyber attacks can be ruthless and very damaging to your business.
In fact, 68% of business leaders feel that their cybersecurity risks are increasing, and in 2018, 62% of businesses experienced phishing and social engineering attacks.
So, what can you do about it?
One of the most important first steps to take is to analyse the exploitable vulnerabilities that your business may have.
This is known as penetration testing and in this post, we’ll cover everything you need to know about it.
If you’re looking to understand how you can manage your business in a safer, more secure way, keep on reading!
You might want a cup of coffee by your side to help you finish this post. This will cover the following topics:
What is Penetration Testing?
A penetration test is a technical exercise aimed at finding weaknesses in a company’s networks, applications or systems. It provides cybersecurity assurance over an organisation's assets.
By identifying these security flaws, businesses are able to find out the extent to which their assets (people, process and technology) are exploitable and can then take the necessary steps to reduce the risk.
Penetration testing is also known as ethical hacking, cyber security assessment, technical security audit or technical risk assessment. The terms penetration testing and vulnerability assessment are often used interchangeably, whether through lack of understanding or marketing hype, but they are not the same thing. Vulnerability scanning and vulnerability assessment search systems for known vulnerabilities; this is an automated process carried out with scanners, and no manual exploitation is involved. Penetration testing goes further: it uses manual techniques to exploit the vulnerabilities identified during the vulnerability scanning phase.
Why is Penetration Testing important?
You may be wondering, ‘what value is pentesting going to bring to my business?’.
It’s a common question as many people don’t fully understand what penetration testing is. So, let’s go through all the most important reasons as to why pentesting is a smart business decision.
- Threat Protection
We now live in a world where data is a more valuable resource than oil. Not only is this huge for our personal lives, but in business your data is one of your biggest assets. Because data is inseparable from the technology that holds it, the threats to it evolve and change over time.
This means that, while you may have overcome a security issue a year ago, new threats are always on the horizon. For this reason, it is critical to regularly assess your security in order to protect your network.
- Develop Your Cybersecurity Strategy
Cybersecurity in any business shouldn’t be an afterthought. A well-thought-out, evidence-based cybersecurity strategy should be integrated into every business looking to be more secure.
The best way to create a cybersecurity strategy is to gather information through security assessments and cybersecurity audits. The data you gather here can then inform your strategy and act as the foundation for your plan.
Once you understand your current threats, you can update your practices, inform employees, streamline your processes and most importantly, improve your technology.
- A Proactive Approach
Pentesting is the perfect way for a business to identify weaknesses and vulnerabilities before they are exploited. As we mentioned above, cybersecurity should be an ongoing process for any business.
Pentesting should be performed on a regular basis to ensure your most prized assets are always protected. Usually, this is an annual exercise or follows any upgrade to code, hardware or software. Having a proactive mindset towards cybersecurity is imperative if you want effective results.
By having regular pentests, you create more efficient business systems, prevent data loss and save your business a lot of potential headaches.
How does Penetration Testing work?
At Cyphere, penetration testing is one of our main offerings for businesses.
The first step in the penetration testing process is to get in touch with a cybersecurity professional or consultancy, such as ourselves.
Customers sometimes think we are going off at a tangent, but understanding your business from you is the most important step. We make sure that gaining business insight and analysing requirements is done in line with your business objectives.
This helps us to see how we can build a tailored cybersecurity package for your business. When working with our clients, we are flexible, meaning we can talk face to face or on a video meeting to discuss your requirements. This leads to a bespoke proposal, in order to meet your specific security requirements.
We will then get to work and identify technical risks affecting software and hardware in your business. The test then provides assurance that products, security configurations and controls are set up in line with good practice.
This information will be presented to you in an easy to understand report that will give you strategic recommendations and help you prepare a mitigation plan for an attack.
Not only do we provide you with a clear plan of action but we also make sure this is communicated effectively at a technical and management level.
What is a Penetration Testing methodology?
In order to perform a security assessment, it is important to understand the context of assets in scope for the engagement.
Penetration testing projects are categorised into three areas on the basis of the level of knowledge and access granted to the security consultants. These are:
- Black Box Penetration Testing: A black box pentest starts with no prior knowledge of, or access to, the target. For example, a website security assessment with no information and no user access.
- Grey Box Penetration Testing: A grey box pentest involves some level of knowledge of, and access to, the target. For example, a website security assessment with low-level user access.
- White Box Penetration Testing: A white box pentest is granted the highest level of information and access. For example, a website security test where multiple user levels, including CMS admin, and information such as the security architecture, design documents and/or source code are supplied to the security consultant.
It is important to select the right assessment techniques, as this can influence the outcome of the testing process. To simulate threat actors, various threat scenarios must be considered; these lead to the creation of the test cases used under one of these three methodologies.
Our proven approach to security assessments is based on more than a decade of experience, industry practices and effective ways to exceed customer expectations.
- Initial Scoping and Objectives Agreement
This is an often overlooked area, yet it is one of the most important. No one knows a network better than its caretakers, that is, the customer.
Defining an accurate scope of work ensures a shared understanding of objectives, exclusions, and what to do if something goes wrong. We apply a proven project management approach so that, before an engagement commences, all parties are aware of the authorisation forms and legalities, the in-scope elements, any fragile components and the out-of-scope components.
Once the legal and project formalities are out of the way, the reconnaissance phase starts with the sole objective of information gathering. This intel (e.g. network layouts, domains, servers, infrastructure details) helps us understand how the network works, including its assets (applications, systems, devices, anything with an IP address).
The vulnerability identification phase is performed with the aim of finding vulnerabilities within the defined targets. It involves scanning the targets for listening services and open ports, then fingerprinting and analysing the running services to prepare a rough attack layout of the target systems.
Attempts are then made to exploit common vulnerabilities, to simulate and check how far a threat actor could go in achieving privileged access. For instance, during unauthenticated tests within a company network, starting with zero access often leads to compromise of the entire network. Default passwords and commonly used username/password combinations are also tried against various services.
Once access is gained to a system, further efforts are made to escalate privileges to the highest level. This also includes hopping around the network to find vulnerable servers within the customer's business. This technique, often known as lateral movement, helps to identify vulnerable systems within the network that are not exposed to the internet.
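The credential-guessing step above has a defensive counterpart: a blue team (or a purple-team exercise) should be able to see it in authentication logs. The following is an added example, not code from the article or from Cyphere, that parses constructed OpenSSH-style auth log lines and flags two patterns, a password spray (many usernames tried from one source) and a brute-force attempt (many failures against one username), plus a successful login that follows either pattern. The log lines, source addresses and thresholds are all constructed for illustration.

```python
"""Flag credential-guessing against SSH from auth log lines.

Added example; the log sample, thresholds and tag names are assumptions.
"""
import re
from collections import defaultdict

SPRAY_USER_THRESHOLD = 4   # distinct usernames tried from a single source
BRUTE_FAIL_THRESHOLD = 6   # failed attempts against a single username

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms of OpenSSH log lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed sample: a spray followed by a success, a user mistyping a
# password once, and a brute-force run against root.
SAMPLE_AUTH_LOG = [
    "Jan 12 10:01:02 srv01 sshd[2231]: Failed password for invalid user admin from 10.20.1.4 port 51122 ssh2",
    "Jan 12 10:01:03 srv01 sshd[2232]: Failed password for root from 10.20.1.4 port 51123 ssh2",
    "Jan 12 10:01:04 srv01 sshd[2233]: Failed password for invalid user test from 10.20.1.4 port 51124 ssh2",
    "Jan 12 10:01:05 srv01 sshd[2234]: Failed password for invalid user guest from 10.20.1.4 port 51125 ssh2",
    "Jan 12 10:01:06 srv01 sshd[2235]: Failed password for invalid user oracle from 10.20.1.4 port 51126 ssh2",
    "Jan 12 10:01:09 srv01 sshd[2236]: Accepted password for deploy from 10.20.1.4 port 51127 ssh2",
    "Jan 12 10:05:11 srv01 sshd[2300]: Failed password for alice from 10.20.2.7 port 40001 ssh2",
    "Jan 12 10:05:20 srv01 sshd[2301]: Accepted password for alice from 10.20.2.7 port 40002 ssh2",
    "Jan 12 10:07:30 srv01 CRON[2500]: pam_unix(cron:session): session opened for user root by (uid=0)",
] + [
    f"Jan 12 10:07:{sec:02d} srv01 sshd[{2400 + sec}]: Failed password for root from 10.20.3.9 port {33000 + sec} ssh2"
    for sec in range(7)
]


def parse(lines):
    """Yield (source_ip, username, accepted) for each password-auth line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] == "Accepted"


def analyse(lines):
    """Return {source_ip: [tags]} for sources that match a guessing pattern."""
    state = defaultdict(lambda: {
        "per_user": defaultdict(int),   # failures per username
        "success_after_failure": False,
    })
    for src, user, accepted in parse(lines):
        s = state[src]
        if accepted:
            if s["per_user"]:
                s["success_after_failure"] = True
        else:
            s["per_user"][user] += 1

    findings = {}
    for src, s in state.items():
        tags = []
        if len(s["per_user"]) >= SPRAY_USER_THRESHOLD:
            tags.append("password_spray")
        if any(n >= BRUTE_FAIL_THRESHOLD for n in s["per_user"].values()):
            tags.append("brute_force")
        # A success only matters if it follows a flagged pattern; a single
        # mistyped password before a valid login is normal user behaviour.
        if tags and s["success_after_failure"]:
            tags.append("possible_compromise")
        if tags:
            findings[src] = tags
    return findings


if __name__ == "__main__":
    for src, tags in analyse(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {', '.join(tags)}")
```

The thresholds are deliberately simple per-source counters; a production rule would add a time window and exclude known scanner or jump-host addresses, but the structure (group by source, count distinct users and per-user failures, then weight a subsequent success) is what a detection engineer tunes during a purple-team exercise.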
Specific assessments against particular targets are defined under the 'white box', 'black box' or 'grey box' methodologies. These methodologies determine the test cases based on how much information is available to the consultants before the assessment starts.
No unsafe checks are carried out during the assessment. These include low-level attacks such as ARP spoofing, SYN flooding and the like. Denial of service attacks are explicitly deemed out of scope.
The assessment phase is followed by the data analysis and reporting phase. Cyphere analyses the testing output and evaluates the risk impact and the likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. All our reports address both the business and the technical audience, with supporting raw data and mitigation measures at strategic and tactical levels.
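The scoping rules described above (agreed in-scope networks and domains, explicit exclusions, fragile components, and unsafe checks that are never run) are easiest to honour if they are enforced before each test action is executed rather than remembered by the tester. The following is an added example, not Cyphere's tooling or a tool from the article, of a small scope guard that answers "is this action authorised under the rules of engagement?" The scope document structure, the host addresses and the test class names (for instance `port_scan`, `exploit_attempt`) are assumptions made for the illustration.

```python
"""Rules-of-engagement guard: refuse actions outside the agreed scope.

Added example; scope format, hosts and test class names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Test classes the article lists as never performed during an assessment.
UNSAFE_CLASSES = {"arp_spoofing", "syn_flood", "denial_of_service"}


@dataclass
class Scope:
    in_scope_networks: list                      # CIDR strings agreed with the customer
    in_scope_domains: list                       # hostnames or wildcard patterns, e.g. "*.example.test"
    out_of_scope_hosts: set = field(default_factory=set)   # explicit exclusions
    fragile_hosts: set = field(default_factory=set)        # in scope, but passive checks only
    passive_classes: set = field(
        default_factory=lambda: {"port_scan", "service_fingerprint"}
    )


def _in_networks(host, networks):
    """True if host is an IP address inside one of the agreed CIDR ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # not an IP literal, so it must match a domain pattern
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def _matches_domains(host, patterns):
    """True if host matches one of the agreed hostname patterns (case-insensitive)."""
    return any(fnmatch(host.lower(), p.lower()) for p in patterns)


def authorise(scope, host, test_class):
    """Return (allowed, reason). Every refusal names the rule that applies."""
    if test_class in UNSAFE_CLASSES:
        return False, f"{test_class} is an unsafe check and is out of scope"
    if host in scope.out_of_scope_hosts:
        return False, f"{host} is explicitly excluded from scope"
    if not (_in_networks(host, scope.in_scope_networks)
            or _matches_domains(host, scope.in_scope_domains)):
        return False, f"{host} is not in the agreed scope"
    if host in scope.fragile_hosts and test_class not in scope.passive_classes:
        return False, f"{host} is marked fragile; only passive checks are permitted"
    return True, "authorised"


def filter_plan(scope, plan):
    """Split a list of (host, test_class) actions into allowed and refused."""
    allowed, refused = [], []
    for host, test_class in plan:
        ok, reason = authorise(scope, host, test_class)
        (allowed if ok else refused).append((host, test_class, reason))
    return allowed, refused


# Constructed scope and plan for demonstration.
EXAMPLE_SCOPE = Scope(
    in_scope_networks=["10.20.0.0/16"],
    in_scope_domains=["*.example.test"],
    out_of_scope_hosts={"10.20.0.5"},        # e.g. a production payment host
    fragile_hosts={"10.20.1.10"},            # e.g. an ageing OT controller
)

EXAMPLE_PLAN = [
    ("10.20.1.4", "port_scan"),
    ("10.20.0.5", "port_scan"),
    ("10.20.1.10", "service_fingerprint"),
    ("10.20.1.10", "exploit_attempt"),
    ("www.example.test", "default_credentials"),
    ("10.99.0.1", "port_scan"),
    ("10.20.1.4", "syn_flood"),
]


if __name__ == "__main__":
    allowed, refused = filter_plan(EXAMPLE_SCOPE, EXAMPLE_PLAN)
    for host, cls, reason in allowed + refused:
        print(f"{host:18} {cls:20} {reason}")
```

Refusals are returned with the rule that triggered them so they can be written to the engagement log; that record is what shows, after the fact, that an exclusion or a fragile-host restriction was respected.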
The following diagram shows a pentest lifecycle, where initial scoping represents the start of the process.
Types of Penetration Testing
Network Penetration Testing
Network penetration testing covers a broad spectrum, ranging from single build reviews and segregation reviews to network-wide assessments. Network penetration testing consists of:
- Internal Network Penetration Testing
- External Network Penetration Testing
- Firewall Configuration and Rules Review
- Wireless Penetration Testing
- IT Health Check
- Active Directory Review
- Server Build Review
- Device Audits
- Network Segregation Review
Web Application Penetration Testing
Web application penetration testing is a great way to check whether you can trade securely on the internet and whether your database is exposed to risk. Web application penetration testing consists of:
- Web Application Security Testing
- Web Services / API Security Assessment
- Secure Code Review
- Application Threat Modelling
- Database Security Review
- Thick Client Applications
Cloud Penetration Testing
Cloud penetration testing is crucial if you store data in the cloud. The security of any cloud-based operating systems and applications needs to be continuously maintained and tested. Cloud penetration testing consists of:
- Cloud Configuration Review
- Cloud Service Testing
- Cloud Security Testing
Cyber Attack Simulation
Cyber attack simulations are commonly designed around multi-step attack scenarios to check how defensive controls react during a real-time attack. This includes red teaming (a simulation that conducts a realistic attack to assess attack preparedness) and blue/purple teaming (working in collaboration with your security teams so that the exercise improves your detection). Cyber attack simulations will usually consist of:
- Red Team Assessment
- OSINT (Open Source Intelligence) Assessment
- Phishing Campaigns (Bulk, targeted/spear-phishing)
- Social Engineering
Mobile Penetration Testing
Mobile penetration testing will test your mobile applications before they go live, in order to reduce the chances of a data breach or other security vulnerabilities. If you have an insecure application, you could be compromising sensitive data or the device itself. Mobile penetration testing will usually consist of:
- Mobile Application Security Testing
- Secure Code Review
Bespoke Security Reviews
This comprehensive cybersecurity audit covers supply chain risk, M&A due diligence, IoT and a range of advanced penetration testing scenarios and bespoke projects that can be tailored for the security needs of your company.
- Product Security Assessment / Security Evaluation Criteria
- IoT Security
- Remote Access Assessment
- Supply Chain Vulnerability Assessment
- M&A Cyber Security Due Diligence
When to conduct Penetration Testing?
It’s safe to say there are a lot of different types of penetration testing, which is why it’s so important to speak with a cybersecurity professional to see what is the best fit for your needs.
From our knowledge and experience, a penetration test should be conducted at any of the following events:
- Introduction of new infrastructure & applications
- After major changes/upgrades
- Business As Usual/ Annual Assessments
- Before product/service go live
A business may be at risk if new services have been rushed into production without a security assessment and mitigation of the risks found. This could leave an organisation open to cyber attacks. It is therefore important to measure the attack surface of the underlying assets before releasing them into production.
Some compliance requirements, such as PCI DSS, sector-based commission technical audits and vendor assurance requirements, mandate regular penetration tests.
How much does a Penetration Test Cost?
There is no single penetration testing price sheet. The price of a penetration test or security assessment varies with the time and resources invested in it. Scoping ranges from a single asset (one server or one network) to a composite asset (an eCommerce setup with a website, API, database and load balancers), and the environment metrics related to the asset play a key role.
Thanks to Pentest Mag for giving us the opportunity to serve their readers. We hope you liked this piece; please feel free to share it. Any queries can be emailed to [email protected]
About the Author
Harman Singh is a security professional with more than 10 years of consulting experience across private and public sector organisations. His day job involves securing the cyber spheres of various businesses at Cyphere to reduce their security concerns. Besides delivering consultancy, he has also delivered talks and training at Black Hat and regional conferences. His favourite security topics are Active Directory, Azure and networks.