A penetration test is an attack on a computer system carried out with the intention of finding security weaknesses and potentially gaining access to the system, its functionality and its data.
The process involves identifying the target systems and the goal, then reviewing the information available and undertaking available means to attain the goal. A penetration test target may be a white box (where all background and system information is provided) or black box (where only basic or no information is provided except the company name). A penetration test can help determine whether a system is vulnerable to attack, if the defenses were sufficient and which defenses (if any) were defeated in the penetration test.
A penetration test is a proactive and authorized attempt to evaluate the security of an IT infrastructure by safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper configurations, and even risky end-user behavior. Such assessments are also useful in validating the effectiveness of defensive mechanisms, as well as end users' adherence to security policies.
Penetration tests are typically performed using manual or automated technologies to systematically compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices and other potential points of exposure. Once vulnerabilities have been successfully exploited on a particular system, testers may attempt to use the compromised system to launch subsequent exploits at other internal resources, specifically by trying to incrementally achieve higher levels of security clearance and deeper access to electronic assets and information via privilege escalation.
Penetration testing should be performed on a regular basis to ensure more consistent IT and network security management by revealing how newly discovered threats or emerging vulnerabilities could be exploited by attackers.
In addition to regularly scheduled analysis and assessments required by regulatory mandates, tests should also be run whenever:
Human error is the main cause of security vulnerabilities. Security standards and policies should be followed by all staff members to defeat social engineering attempts. Examples of such standards include never disclosing sensitive information in email or phone communication. Security audits can be conducted to identify and correct process flaws.
Using software methods one can verify if the system is exposed to security vulnerabilities.
Strong physical security methods are applied to protect sensitive data. This is generally useful in military and government facilities. All physical network devices and access points are tested for possibilities of any security breach.
Automated tools can be used to identify some standard vulnerabilities present in an application. Pentest tools scan code to check whether malicious code is present that could lead to a security breach. Pentest tools can also verify security loopholes in the system, such as weak data encryption techniques and hard-coded values like usernames and passwords.
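As an added illustration of the code-scanning check described above (example code written for this page, not a tool the page or Agni Information Systems ships), the following Python scanner flags hard-coded usernames, passwords and secrets as well as weak cryptographic primitives in source text. The rule set and the sample source are constructed for the example; a production scanner would use a much larger rule set and entropy checks.

```python
import re
from typing import Dict, List

# Detection rules (constructed for this example; real scanners ship far larger
# rule sets and add entropy checks for high-randomness strings).
CREDENTIAL_PATTERNS = [
    (r'(?i)\b\w*(password|passwd|pwd)\w*\s*[:=]\s*["\'][^"\']+["\']', "hard-coded password"),
    (r'(?i)\b\w*(username|user|login)\w*\s*[:=]\s*["\'][^"\']+["\']', "hard-coded username"),
    (r'(?i)\b\w*(api[_-]?key|secret|token)\w*\s*[:=]\s*["\'][^"\']+["\']', "hard-coded secret"),
]
WEAK_CRYPTO_PATTERNS = [
    (r'(?i)\b(md5|sha1|des|rc4)\b', "weak or legacy cryptographic primitive"),
    (r'(?i)\becb\b', "ECB mode leaks plaintext structure"),
]
RULES = CREDENTIAL_PATTERNS + WEAK_CRYPTO_PATTERNS


def mask_literals(line: str) -> str:
    """Replace quoted string contents so the report never echoes a secret."""
    return re.sub(r'(["\'])[^"\']*\1', r'\1***\1', line)


def scan_source(text: str) -> List[Dict[str, object]]:
    """Return one finding per offending line: {line, issue, text}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):   # comments are not live code
            continue
        for pattern, issue in RULES:
            if re.search(pattern, line):
                findings.append({"line": lineno, "issue": issue, "text": mask_literals(stripped)})
                break                           # one finding per line keeps the report readable
    return findings


# Constructed sample source, not from any real application.
SAMPLE_SOURCE = """\
import hashlib
# settings for the demo app
DB_USER = "admin"
DB_PASSWORD = "hunter2"
api_key = "AKIA-EXAMPLE-NOT-REAL"
def login(user, pw):
    return hashlib.md5(pw.encode()).hexdigest() == STORED_HASH
password = os.environ.get("APP_PASSWORD")   # the fix: read secrets from the environment
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['issue']} -> {f['text']}")
```

The last sample line shows the remediation the scanner should not flag: the secret is read from the environment instead of being embedded in the code.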
PCI DSS (Payment Card Industry Data Security Standard), OWASP (Open Web Application Security Project), ISO/IEC 27002, OSSTMM (The Open Source Security Testing Methodology Manual).
Targeted testing is performed by the organization’s IT team and the penetration testing team working together. It’s sometimes referred to as a “lights-turned-on” approach because everyone can see the test being carried out.
This type of pen test targets a company’s externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they’ve gained access.
This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.
A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that’s performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.
This is a straightforward opportunity and a mature offering. The biggest question you’ll face is whether to resell a service offering (like that from Qualys) or to buy a tool and use it internally to scan your customer’s networks and systems. Scanning is one of the requirements for nearly every regulation, so this is an easy step along the path to security assurance, since all of your regulated customers need to scan.
This offering involves a tool that uses live exploits, like Metasploit or Core Impact. You’ll use live ammunition, so orchestrate these tests with the client to ensure the minimum amount of disruption. You should test all externally visible IP addresses — that’s what the bad guys out there can see and are likely trying to penetrate. You may also want to see what you can find if you attach to a conference room network, one of the softest parts of a customer’s defenses.
Trying to break into applications is probably the most important step nowadays, given that so many attacks directly target applications. You can use a Web application scanner (HP’s WebInspect, IBM’s AppScan), but you should also invest in some people that know how to exploit application logic errors. There’s no substitute for a skilled application tester to determine what’s broken in an application. Once the initial application is compromised, go directly after the database, where the valuable stuff is. If you can get into the database, the customer is owned. It’s much better for you to figure this out than a malicious hacker.
This is actually the most fun task for penetration testers. You get to see how gullible most users are. This type of testing can involve emailing fake messages to customer service reps, trying to talk your way into the facility (past security or the receptionist) or even dropping thumb drives in the parking lot to see who will plug them into their machines. Many folks are against social-engineering end users, but not me. Remember, malicious hackers don’t have a set of rules. They use social engineering because it works. Don’t let social engineering surprise your customer and catch them off-guard.
For further assistance, contact us at info@agniinfo.com.
© Copyright 2024 Agni Information Systems (P) Ltd.