
How To Test For Security On A Network Without Being Hacked


Academic year: 2021


A Simple Guide to Successful


Table of Contents

Penetration Testing, Simplified.

Scanning is Not Testing.

Test Well. Test Often.

Pen Test to Avoid a Mess.

Six-phase Methodology.

A Few Key Takeaways!


Penetration Testing, Simplified.

Permission to pen test ma’am

How effective are your existing security controls against a skilled adversary? Discover the answer with penetration testing.

The main difference between a penetration test and an attacker is permission. A hacker simply won’t ask for permission when trying to expose your critical systems and assets, so pen test to protect.

A pen test is not just a hacking exercise. It’s an essential part of your complete risk assessment strategy.


Scanning is not Testing.

If you’re confused about the difference between penetration testing and vulnerability scanning, don’t worry, you’re not alone. The two are related, but pen testing emphasizes gaining as much access as possible, while scanning focuses on identifying areas that are vulnerable to an attack.

A person conducting a vulnerability scan will stop just before compromising a target, but a pen tester


Test Well.

Penetration tests are typically performed using manual or automated technologies to systematically compromise varying vectors, such as servers, endpoints, web apps, wireless networks, network devices, mobile devices, and other potential points of exposure.

Historically, pen testing has implied simply breaking through a network firewall, but it has evolved beyond just “getting inside.” Modern pen testing solutions allow you to see what damage an attacker can actually do once inside your network. The possibilities are seemingly endless: pivoting from web apps to databases to end-user devices, intercepting Wi-Fi traffic, etc. So, testing all these vectors is required for any successful pen testing program.

Pen testing implies I’m trying to get thru your network firewall – historically, yes – GET INSIDE –
Has evolved – of course I got through your firewall, what damage can I do now?
User credentials – application
Not just network
All these vectors are important in any successful pen test

Pivoting across systems, devices, and applications (vectors) establishes a new source of attack on the compromised target, revealing how chains of exploitable vulnerabilities open paths to your organization’s critical systems and data.


It’s a good idea to test at regular intervals; after all, you wouldn’t skip your own checkup, right? Penetration testing should be performed on a regular basis to create a more consistent and lower-risk security program. In addition to regularly scheduled analysis and assessments required by regulatory mandates, test when:

• New network infrastructure or applications are added
• Significant upgrades or modifications are applied to infrastructure or applications
• New office locations are established
• Security patches are applied
• End user policies are modified


Pen Test to Avoid a Mess.

Intelligently manage vulnerabilities

Through penetration testing, you can proactively identify the most exploitable vulnerabilities and eliminate false positives. This allows your organization to prioritize remediation efforts, apply needed security patches, and efficiently allocate security resources.

Avoid the cost of network downtime

Recovering from a security breach can cost your organization big time–customer protection and retention, legal activities, discouraged business partners, lowered employee productivity, and reduced revenue–just to name a few pitfalls. Pen testing helps you avoid these financial drawbacks by identifying and addressing risks before attacks or security breaches occur.

Meet regulatory requirements and avoid fines

Penetration testing helps organizations address regulatory requirements such as PCI-DSS. This can be a formidable task requiring a combination of resources, time, and a little bit of planning. Detailed reports showing test results and validating remediation efforts can help you avoid significant fines for non-compliance and allow you to illustrate ongoing due diligence to assessors.

Preserve corporate image and customer loyalty

Even a single incident of compromised customer data can be costly in terms of lost revenue and a tarnished brand image. With customer retention costs higher than ever, no one wants to lose the loyal users that they’ve worked hard to earn, and data breaches are likely to impact new business efforts. Penetration testing helps you dodge these avoidable incidents that put your organization’s reputation and trustworthiness at stake.


A pen test can be broadly carried out by following a six-phase methodology: Planning and Preparation, Discovery, Penetration Attempt, Analysis and Reporting, Clean Up, and finally Remediation.

Pen testing is not a guessing game. Like everything in information security, there’s a process.

PENETRATION TESTING METHODOLOGY


Planning and Preparation

Clear goals equal clear results

Meet with your team to discuss the scope, objective, and who will be involved in the testing. Before diving in, you must decide on a clear objective and of course get authorization from IT operations.

Scoping

After setting a distinct goal, such as exploiting recently discovered vulnerabilities in your shiny new HR application, the next action is scoping. Identify the machines, systems and network, operational requirements and the staff involved. The way in which the pen test results will be illustrated should also be decided. Discussing timing and coordinating with IT operations is vital, as it will ensure that while the penetration tests are being conducted, business as usual remains business as usual.
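One way to turn the agreed scope and timing into a check that runs before any test traffic is sent. This is an added example, not part of the original guide; the `Scope` fields, function names, address ranges and window are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Scope:
    """Rules of engagement agreed during planning (hypothetical structure)."""
    in_scope: tuple       # CIDR blocks the test is authorized to touch
    excluded: tuple       # carve-outs IT operations asked to leave alone
    window_start: time    # daily start of the agreed testing window
    window_end: time      # daily end of the agreed testing window
    authorized_by: str    # who signed off; empty means no authorization

def in_window(scope, t):
    """True if clock time t is inside the window, which may span midnight."""
    if scope.window_start <= scope.window_end:
        return scope.window_start <= t < scope.window_end
    return t >= scope.window_start or t < scope.window_end

def check_target(scope, target, when):
    """Return (allowed, reason) for one target IP at one point in time."""
    if not scope.authorized_by:
        return False, "no authorization on file"
    addr = ip_address(target)
    # Exclusions win over inclusions, so a carve-out inside an authorized
    # range is never tested by accident.
    if any(addr in ip_network(net) for net in scope.excluded):
        return False, "explicitly excluded"
    if not any(addr in ip_network(net) for net in scope.in_scope):
        return False, "outside authorized ranges"
    if not in_window(scope, when.time()):
        return False, "outside agreed testing window"
    return True, "in scope"

# Constructed sample engagement: one internal range, one carve-out,
# and a 22:00 to 04:00 window agreed with IT operations.
SCOPE = Scope(("10.20.0.0/16",), ("10.20.5.0/24",), time(22, 0), time(4, 0),
              "IT operations (constructed)")

if __name__ == "__main__":
    night = datetime(2021, 3, 1, 23, 30)
    for ip in ("10.20.1.15", "10.20.5.9", "192.168.1.1"):
        print(ip, check_target(SCOPE, ip, night))
```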

Discovery

Obtain open, accessible data from your targets. It’s time to get vulnerable!

During this phase, the team performs reconnaissance against a target to gather as much information as possible to be utilized when penetrating the target. There are many ways to gather this data and it depends on the target (Network, Web, or Client).

• Network Discovery: Attempt to discover additional systems, servers, and devices
• Host Discovery: Determine open ports on these devices
• Service Interrogation: Interrogate ports to find actual services running on them

A penetration tester will most likely use automated tools to scan target assets for known vulnerabilities. These tools will most likely have their own databases detailing the latest vulnerabilities. Completion of this vulnerability assessment will produce a list of targets to investigate in depth.

Sometimes the results from these scans can be overwhelming, with thousands or even tens of thousands of assets and vulnerabilities. So, it’s important to ensure you have effective prioritization methods in place that can provide contextual information behind these vulnerabilities to equip you with the information you need to make a decision on what to test first.
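A sketch of context-based prioritization: the scanner's score is scaled by how critical the asset is and how exposed the finding is, and repeated scan hits are collapsed. This is an added example, not part of the original guide; the weights, field names, hosts and `VULN-` identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed weights for this example only; tune them to your own risk model.
CRITICALITY = {"low": 0.5, "medium": 1.0, "high": 1.5}
EXPLOIT_KNOWN_FACTOR = 1.5
INTERNET_FACING_FACTOR = 1.25

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str           # placeholder IDs, not real CVE numbers
    severity: float        # scanner base score, 0.0 to 10.0
    exploit_known: bool    # the scanner's database lists a known exploit
    internet_facing: bool

def score(f, assets):
    """Scale the scanner's score by business context for the asset."""
    s = f.severity * CRITICALITY[assets.get(f.host, "medium")]  # unknown: medium
    if f.exploit_known:
        s *= EXPLOIT_KNOWN_FACTOR
    if f.internet_facing:
        s *= INTERNET_FACING_FACTOR
    return s

def prioritize(findings, assets, accept_below=4.0):
    """Return (test_first, accepted): a ranked queue and the low-risk rest."""
    unique = {(f.host, f.vuln_id): f for f in findings}  # drop repeat scan hits
    ranked = sorted(unique.values(),
                    key=lambda f: (-score(f, assets), f.host, f.vuln_id))
    test_first = [f for f in ranked if score(f, assets) >= accept_below]
    accepted = [f for f in ranked if score(f, assets) < accept_below]
    return test_first, accepted

# Constructed sample data: asset criticality as the business rates it,
# plus raw scanner output that contains one duplicate entry.
ASSETS = {"hr-app01": "high", "web01": "medium", "print01": "low"}
FINDINGS = [
    Finding("print01", "VULN-0001", 9.8, False, False),
    Finding("hr-app01", "VULN-0002", 7.5, True, False),
    Finding("web01", "VULN-0003", 5.0, False, True),
    Finding("print01", "VULN-0004", 5.0, False, False),
    Finding("hr-app01", "VULN-0002", 7.5, True, False),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS, ASSETS)[0]:
        print(f"{score(f, ASSETS):6.2f}  {f.host:9} {f.vuln_id}")
```

With this sample data the 9.8 finding on a low-criticality printer ranks below the 7.5 finding on the HR application, which is the kind of reordering that asset context produces.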


Penetration Attempt

Exploit-a-thon.

Knowing a vulnerability exists on a target doesn’t necessarily mean it can be exploited easily, so a successful penetration is not always achievable in practice even where it is theoretically possible. Exploits that do exist should be tested on the target before conducting any other tests.

Once vulnerabilities have been successfully exploited on a particular system, testers may attempt to use the compromised system to launch subsequent exploits on other internal resources. Very often this is achieved by gaining higher levels of security clearance and information via privilege escalation.

The penetration attempts don’t end here. Organized social engineering campaigns with phishing emails can also be effective at gauging employee awareness, the impact of their behavior, and adherence to existing security controls.

Analysis and Reporting

So, tell us all what you found.

The report should start with an overview of the penetration testing process, followed by an analysis of high-risk vulnerabilities. These critical vulnerabilities are addressed first, with lower-risk vulnerabilities following suit. To strengthen the decision-making process, vulnerability prioritization is a must. Organizations may accept the risk incurred from less critical vulnerabilities and focus on fixing the most critical that could negatively impact business processes. The other contents of the report should be as follows:

• Summary of successful penetration scenarios
• Detailed listing of information gathered during penetration testing
• Detailed listing of vulnerabilities found
• Description of all vulnerabilities found
• Suggestions and techniques to resolve vulnerabilities found


Clean Up

Go Clean Your Room!

Unfortunately, messes can happen as a result of pen testing. A detailed and exact list of actions performed during the penetration test should be recorded. Compromised hosts should be restored to their original state, so they don’t negatively impact the organization’s operations. This activity should be verified by the staff to ensure it has been done successfully. Poor practices and improperly documented actions during a penetration test will result in a long, painful clean up process.

Remediation

Patch it up.

Patching is vital. The final phase of the six-phase penetration testing methodology is all about remediation. Once the testing exercises have been completed on the target systems, all available patches should be deployed according to the criticality of the vulnerability. The vulnerability reports resulting from the previous phase will show exactly which exploits were executed, the host they were found on, and the name of the vulnerability (CVE) if there is one. After patches have been deployed, it is a best practice to validate remediated vulnerabilities to ensure they were properly mitigated.



Key Takeaways

1. Go beyond network testing, please.

2. Vulnerability scanning is not penetration testing.

3. Conduct penetration testing as often as necessary.

4. Follow the steps: Penetration testing is an art form, but it’s vital to follow a methodology to ensure success.

5. When the penetration test is complete, make sure to clean up after yourself.

6. Remember to validate remediated vulnerabilities to ensure they were properly mitigated.


The value you can gain from conducting a penetration test is often dependent on your organization’s choice in a partner.

Core Impact Pro® is the most comprehensive multi-vector solution for assessing and testing security vulnerabilities throughout your organization. Leveraging commercial-grade exploits, users can take security testing to the next level when assessing and validating security vulnerabilities. We can help you Think Like An Attacker™ and protect your most critical business assets.
