What is Penetration Testing?
Penetration testing (also known as pen testing) is a simulated cyber attack carried out by ethical hackers to uncover vulnerabilities that could be exploited by malicious attackers in the future.
Why is penetration testing important for businesses?
The insights from penetration testing put organisations in a position to make important and informed decisions about cybersecurity solutions and risk management strategies.
The findings from pen testing can help businesses to evaluate their vulnerability level and risk exposure before a hack may occur.
CREST and Penetration Testing
Many businesses that carry out penetration testing have CREST accreditation. CREST is the only independent third-party technical information security certification recognised worldwide.
Penetration testing methodology
The approach to pen testing depends on the organisation’s size, industry and the technology that it uses on a day-to-day basis.
The specific methods and standards associated with penetration testing are also constantly evolving and expanding, with organisations adopting new approaches to stay one step ahead of criminals.
There are 3 main approaches to pen testing:
White box testing
This testing is done with full knowledge of the system’s design, structure or source code. In this case, the tester will have detailed information about what they are looking for and where to find it within the system.
White box penetration testing is typically used for functional system validation, showing that the software or application functions as expected under normal operating conditions.
The advantage of white box testing is that it provides greater awareness and insight into what is being tested and how it will behave. It can be used to identify security vulnerabilities that may not show up under other testing conditions.
Black box testing
This type of testing does not use any prior knowledge of the system being tested. Testers are usually given limited information about a system that they need to find vulnerabilities in or may be asked to exploit any weaknesses without specific details.
Black box testing is typically used when an organisation wants to see how well its security measures hold up against an attack from an outsider with no inside knowledge.
Grey box testing
Grey box testing is a mix of black and white box testing. Through grey box penetration testing, businesses can see whether a tester was able to achieve a given goal without the tester having full knowledge of how the system is built.
The main advantage of this approach is that an organisation can let the tester work from its own network infrastructure while limiting their access privileges. This gives testers higher levels of visibility into the network but does not grant them the rights to escalate privileges and access data.
Types of pen testing
Depending on an organisation’s potential vulnerabilities and preferences, pen testing can be carried out in many different ways.
The 4 main types of pen tests fall into the white box, grey box and black box testing categories:
External tests
External tests target the company’s assets that are findable on the internet (e.g. an internet-facing server) to see how unauthorised access could be gained and valuable data extracted.
Internal tests
In an internal test, a tester will use their access to an application behind the firewall to simulate an attack from a malicious person who already has access to internal systems. During this type of test, they will also check that user roles cannot be exploited by employees.
Examples of internal tests would be checking that employees do not have access permissions for the organisation’s finance system, or replicating a member of staff having their login credentials stolen as a result of an email phishing attack.
Web application tests
With web application penetration testing, the ethical hacker will work to identify existing and potential security issues within a web application. This type of testing will include (but is not limited to) checking user authentication and database server security to make sure data cannot be easily compromised.
Mobile application tests
Similarly to web app testing, mobile application penetration testing will analyse the security of a mobile app or platform from an ethical hacker’s perspective. This includes checking for vulnerabilities such as in-app installation, malware and device configuration issues.
Typical techniques used to replicate a security system attack include:
- SQL injection – injecting malicious input into database queries that the server builds from user-supplied data
- Cross-site scripting – malicious client-side code injection into a web app
- API hacking – testing API methods and functionalities on a web app to see how these can be bypassed and abused
- Brute-force hacking – trial and error to guess login credentials
- Web application penetration – testing to demonstrate how a Web Application Firewall (WAF) needs to be strengthened to prevent unauthorised data access
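To make the first technique in the list concrete, here is an added example (written for this page, not CyberCrowd's own code or tooling) in Python using the standard sqlite3 module. It builds a constructed in-memory users table, then runs the same lookup in a vulnerable form that concatenates user input into the query text and in a hardened form that binds the input as a parameter. A constructed tautology input returns every row from the vulnerable version and nothing from the safe one. All table, column and account names are invented for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a small users table (invented example data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-password", "user"),
         ("bob", "hash-of-bob-password", "admin")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """VULNERABLE: user input is spliced into the SQL text, so quote characters in the
    input become part of the query and can change its logic."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """HARDENED: the input is bound as a parameter; the database receives the query
    structure and the value separately, so the value can never alter the structure."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a benign name and with a constructed tautology input."""
    conn = make_db()
    benign = "alice"
    tautology = "x' OR '1'='1"   # constructed test input of the kind a tester submits
    return {
        "vulnerable_benign": find_user_vulnerable(conn, benign),
        "vulnerable_payload": find_user_vulnerable(conn, tautology),
        "safe_benign": find_user_safe(conn, benign),
        "safe_payload": find_user_safe(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running the file prints the four result sets: the vulnerable lookup returns both accounts, admin included, for the tautology input, while the parameterised lookup simply finds no user with that literal name. The same pattern applies with any database driver: the remediation a pen test report should recommend is parameter binding (or a query builder that binds for you), not hand-written quote escaping.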
The stages of penetration testing
There are 4 different penetration testing stages that CyberCrowd follow to test the security of a network or application. These are:
1. Intelligence gathering
This is the first stage of a penetration test. As the name suggests, it involves using several different tools and techniques to gather intelligence on the organisation.
During the intelligence gathering stage, active scanning and open-source intelligence (OSINT) techniques are used to search closed sources (data not available through open inquiry) as well as open websites and domains, to carry out footprinting (collecting information about computer systems and their entities), and to identify the protection methods in place.
What is active scanning?
Active scanning is where the tester will launch attacks against a computer system that is connected to the internet. Typical examples of actions taken as part of active scanning include sending commands from outside of the network to “scan” for vulnerabilities and system issues.
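Active scanning is also something the defending side can see in its own logs. As an added illustration (not CyberCrowd's tooling, and not part of the original page), the Python below parses a handful of constructed firewall-style connection log lines and flags any source address that touches at least ten distinct destination host/port pairs within a 60-second window, which is the typical signature of a port scan. The log format, the addresses (taken from the RFC 5737 documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style connection log (example data; the format and all
# addresses are invented for this illustration, using RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=203.0.113.5 dst=192.0.2.10 dport=21 action=deny
2024-05-01T10:00:01 src=203.0.113.5 dst=192.0.2.10 dport=22 action=deny
2024-05-01T10:00:02 src=203.0.113.5 dst=192.0.2.10 dport=23 action=deny
2024-05-01T10:00:03 src=203.0.113.5 dst=192.0.2.10 dport=25 action=deny
2024-05-01T10:00:04 src=203.0.113.5 dst=192.0.2.10 dport=53 action=deny
2024-05-01T10:00:05 src=198.51.100.7 dst=192.0.2.10 dport=443 action=allow
2024-05-01T10:00:05 src=203.0.113.5 dst=192.0.2.10 dport=80 action=allow
2024-05-01T10:00:06 src=203.0.113.5 dst=192.0.2.10 dport=110 action=deny
2024-05-01T10:00:07 src=203.0.113.5 dst=192.0.2.10 dport=135 action=deny
2024-05-01T10:00:08 src=203.0.113.5 dst=192.0.2.10 dport=139 action=deny
2024-05-01T10:00:09 src=203.0.113.5 dst=192.0.2.10 dport=143 action=deny
2024-05-01T10:00:10 src=203.0.113.5 dst=192.0.2.10 dport=443 action=allow
2024-05-01T10:00:11 src=203.0.113.5 dst=192.0.2.10 dport=445 action=deny
2024-05-01T10:00:40 src=198.51.100.7 dst=192.0.2.10 dport=443 action=allow
2024-05-01T10:01:30 src=198.51.100.7 dst=192.0.2.10 dport=443 action=allow
"""

SCAN_PORT_THRESHOLD = 10          # distinct (host, port) targets from one source ...
WINDOW = timedelta(seconds=60)    # ... within this much time counts as a scan


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into (timestamp, src, dst, dport)."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(ts_text), kv["src"], kv["dst"], int(kv["dport"])


def max_distinct_targets(events, window):
    """Largest number of distinct (dst, dport) pairs one source hit inside any window.

    events must be sorted by timestamp. The nested loop is quadratic in the worst
    case, which is fine for a per-source event list of this size."""
    best = 0
    for i, (start, _, _) in enumerate(events):
        seen = set()
        for ts, dst, dport in events[i:]:
            if ts - start > window:
                break
            seen.add((dst, dport))
        best = max(best, len(seen))
    return best


def detect_port_scans(log_text, threshold=SCAN_PORT_THRESHOLD, window=WINDOW):
    """Return {source_ip: distinct_targets} for every source that looks like a scanner."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        by_src[src].append((ts, dst, dport))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        count = max_distinct_targets(events, window)
        if count >= threshold:
            alerts[src] = count
    return alerts


if __name__ == "__main__":
    for src, count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct targets within {WINDOW}")
```

On the sample data the scanner at 203.0.113.5 is reported with 12 distinct targets, while 198.51.100.7, which only ever reaches one service, is not. In production the threshold and window need tuning against normal traffic (vulnerability scanners the organisation runs itself, monitoring probes) so that a tester's reconnaissance stands out without drowning analysts in false positives; whether the test's scanning was noticed is itself a useful finding for the report.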
What is the OSINT framework?
This framework is a multi-factor methodology that involves harvesting, merging, filtering and analysing data across publicly available sources, such as social media platforms, search engines and other sources available both online and offline.
2. Vulnerability Analysis
This second phase aims to discover flaws within a system or an application that could be exploited by a cyber attacker. The flaws identified may be system/app misconfigurations or platform insecurities.
When conducting a vulnerability analysis, the ethical hacker will use automated vulnerability scanners, metadata analysis and traffic monitoring. They will also refer to common/default password databases and public research to understand if there are any cybersecurity risks.
The end goal of the analysis is to find out about any known weaknesses that can be used as a basis for an exploitation plan using pen testing tools.
3. Exploitation
Once a plan has been put in place based on the intelligence gathered in the previous steps, the exploitation stage will take place, focusing on gaining access to the system or resources through a range of different methods. To ensure that all existing and potential vulnerabilities are exposed, this phase must be a well-planned and specific attack.
The techniques that the tester may use include:
- Initial access – through techniques such as spear phishing (targeted email scam)
- Privilege escalation – changing user permissions to increase data access
- Lateral movement – the use of techniques once initial access is gained to avoid detection and retain access within a system/application
- Credential access
4. Post Exploitation
The post-exploitation phase involves taking the access obtained and attempting to extend and elevate it. Through doing this, testers can understand how the network or application interacts and how to pivot from one compromised machine or process to another.
Typical post exploitation techniques include:
- Infrastructure analysis – an assessment of the organisation’s internal and external networks to discover potential cybersecurity threats
- Pillaging – Gathering as much information as possible from the tested network or application
- Data exfiltration – this is where white hat hackers will imitate a hacker’s mission to extract data from the compromised system
- Persistence – using a backdoor (imitating malware) to retain remote access to a network or resource, and creating new user accounts
- Further business system penetration
On completion of a penetration test, the CyberCrowd team will remove all evidence of their presence from the tested resource and compile an in-depth pen test analysis that gives recommendations on how to fix the security issues identified through the practical testing.
We are a CREST-accredited business that offers penetration tests and vulnerability assessments for businesses across a variety of industries. Curious to understand your organisation’s vulnerabilities to maximise your system security? Contact CyberCrowd today.