Security Penetration Testing, also referred to as Pen Testing, is an authorised simulated cyberattack on an IT system, performed to evaluate the security of the system. The output of the test is a report that helps the organisation understand its system’s potential vulnerabilities so that it can take steps to rectify them.
A Security Penetration Test incorporates an internal and external security test of a client’s complete IT system:
A good 3rd party supplier should perform the following regime of testing:
Conduct an External Infrastructure Vulnerability Assessment and Penetration Test across external IP addresses from an unauthenticated perspective (without credentials) to identify vulnerabilities or areas that could lead to unauthorised access or the exposure or loss of sensitive data from an internet-based threat.
In addition, conduct a focused External Web Application Penetration Test (including Outlook Web Access and Remote Access) from an unauthenticated perspective (without credentials).
This can also include an unauthenticated penetration test of specific applications. These could be cloud-based applications and include integration testing with the client’s internal management systems, with a focus on authentication and authorisation methods, password policies and user management.
Conduct an Internal Network Infrastructure Vulnerability Assessment of servers and workstations / telephones. In addition, while onsite, conduct a Wireless Penetration Test across Wi-Fi networks.
Approaches to External and Internal Penetration Testing
The overall approach is designed to be comprehensive in scope, yet very targeted, so that in a short period of time it identifies critical issues and vulnerabilities and provides the client with immediate and practical steps to reduce the priority risk areas in the context of their organisation’s environment.
The testing approach is based on a number of recognised industry standards, including the Open Web Application Security Project (OWASP) “Top 10”, the SysAdmin, Audit, Networking, and Security (SANS) “Top 25”, the Web Application Security Consortium Threat Classification and NIST SP 800-115.
The use of this methodology means that the client will receive the benefit of a proven, well-known ‘best practice’ approach to security testing, ensuring that well recognised ‘attack-vectors’ are comprehensively evaluated.
Vulnerability scanning is the act of identifying potential vulnerabilities in network devices such as firewalls, routers, switches, servers and applications. The key word is ‘potential’. Vulnerability scanners merely identify potential vulnerabilities; they do not always assess the ability to exploit the vulnerability. Generally speaking, anyone with networking experience could run a vulnerability scanner; however, it requires someone with significant networking and security experience to correctly configure scans of production environments and interpret the multitude of results generated by a vulnerability scanner.
Penetration testing takes the results of a vulnerability scan and, using a number of approaches, techniques and tools, attempts to use the vulnerabilities identified to compromise devices. Penetration testing tools are much more sophisticated than vulnerability scanners and require a significant amount of experience to use effectively and safely. There are varying levels of penetration tests, ranging from ‘sanitised exploits’ that can validate the existence of a vulnerability through to the actual compromise and control of a system, device or database.
The analysis is carried out from the position of a potential attacker. Once potential threats and vulnerabilities have been identified, the penetration test involves attempts to actively exploit security vulnerabilities. The goal of the test is to ascertain whether unauthorised access to key data and systems can be achieved, and to determine the feasibility of an attack and the business impact of a successful exploit, if discovered. Any security issues that are found will be presented together with an assessment of their impact and a proposal for mitigation or a technical solution prior to attempts to perform any exploitation of vulnerabilities.
The approach to the Internal Testing component is very similar to Part One. In addition, an onsite test of the wireless network physically located at the client’s office will be performed, with a view to determining whether access to the network can be gained externally.
Typically, the review will consist of an examination of the following aspects;
Once potential threats and vulnerabilities have been identified, the test will ascertain whether unauthorised access to the network and systems can be achieved, and then determine the feasibility of an attack and the potential business impact of a successful exploit, if discovered. Any security issues that are found will be presented together with an assessment of their impact and a proposal for mitigation or a technical solution prior to attempts to perform any exploitation of vulnerabilities.
This approach to testing is uniquely valuable because:
At the conclusion of this testing, the client will receive a comprehensive but concise Management Report that identifies apparent threats and risk exposures as per the previously described scope. The “checklist report” will highlight key, prioritised issues to be considered for resolution. These will be factually based and aligned within the context and business of the client.
This will include an executive-summary-level explanation of any issues identified, including detailed information on how the client can close technical vulnerabilities that have been identified.
Specifically, the deliverable findings will be presented in a comprehensive document that includes:
a. An executive summary which provides senior management with a summary and non-technical description of any vulnerabilities;
b. Detailed findings of each item found;
c. Pragmatic recommendations for remediation of risk identified, and in the context of the client’s business and security requirements;
d. Details of the scope and timing of the assessment; and
e. Where appropriate, additional information collected during the review.
The overall timing of the project would extend over a two (2) to three (3) week calendar period.
If you’re interested in conducting robust Security Penetration Testing with the help of senior, experienced professionals, contact us.