What is Penetration Testing?
Penetration testing, or Pen Testing for short, is a simulated attack on your network, users or web site/application, to check for vulnerabilities that could be exploited.
By carrying out testing, you can help guard against genuine attacks by removing the vulnerability, or mitigating it in some other way.
There are four main components to all of our security testing.
We work with your executive team to identify the scope of the testing, the desired outcomes (report only; report and recommendations; or report, recommendations and remediation), the style of testing that is most appropriate and, finally, the rules of engagement: what is permitted, which systems or techniques are off-limits and how far the testing should go. For example, should a domain admin privilege escalation vulnerability be exploited to its full potential by taking control of your Active Directory domain, or is a proof of concept sufficient, i.e. a “Kilroy Was Here” domain admin user is created?
Once the engagement has been agreed and scheduled, the reconnaissance and discovery phase begins.
This will include using automated scanners to identify open ports and the network services that are available. Depending on the type of testing being carried out, multiple scans may be completed from inside and outside your network.
These scans will help to identify the services that are running as well as discover potential vulnerabilities that could be exploited to get access to your network.
If the scope of testing includes user targeting, social engineering may be used to manipulate individuals into divulging confidential or personal information. This information can then be leveraged to exploit your network or applications.
With the reconnaissance completed, this information is aggregated and a plan is created on how the network or application will be attacked.
Using the potential vulnerabilities identified in the previous stage, our tester will then perform the test against them.
This can involve exploit tools in platforms like Metasploit, or custom-coded scripts that take advantage of specific vulnerabilities. Testing is usually carried out in order of ease of exploitation and criticality, i.e. an easy-to-execute exploit that gains the highest level of access would be one of the earliest items tested.
During this part of the test our testing team will be in constant contact with your stakeholders. This keeps the relevant personnel up to date with the exploit process. Occasionally, a client may want to terminate this portion of the test early if a serious exploit is located in order to secure it immediately.
Once a particular vulnerability has been exploited, it may provide additional access into the network or application for further investigation.
If personnel exploits are included in scope, social engineering may be used to gain access by convincing a member of your staff to download and run a piece of software. USB drives may be deliberately placed by our team around your premises. These drives would contain malicious software that is installed automatically when the drive is connected to a computer, allowing us to capture passwords, create users and extract sensitive data from your network.
Arguably, the most important part of penetration testing is communication. Our reports are written in plain English, explaining to the project stakeholders the vulnerabilities that were identified, how they were exploited and the outcomes or potential outcomes of such an exploit. Our reports contain non-technical descriptions of issues, as well as detailed technical deep-dives (where appropriate) into how each vulnerability was exploited.
Depending on the scope agreed, recommendations will be produced and, if so engaged, remediations will be made. It is important that retesting is carried out to make sure that the vulnerabilities exploited have been appropriately secured.
Types of testing
Black Box Testing
This testing is carried out from the perspective of an average outside hacker, having little to no knowledge of the system or network under assessment. Because of the limited knowledge and access, this testing takes the least amount of time; however, it may not reveal all vulnerabilities, particularly if the outward-facing network cannot be compromised.
Whilst most “realistic” in terms of vulnerability exploitation, it does not provide the same level of coverage as grey or white box testing. Serious internal vulnerabilities may exist that could be exploited by a bad actor inside your network.
Grey Box testing
Carried out as an “average” user who would have access to the internal network or application. This style of test can identify vulnerabilities such as privilege escalation (gaining a higher level of permissions than allocated, e.g. administrator access) or sideways movement (reaching areas or systems that are not administrative but that the user should not be able to access, e.g. a different department’s file share).
This testing provides a more focused assessment of the network or application security, and provides more insight into the external and internal vulnerabilities present.
White Box Testing
White Box is the most extensive form of testing. It is carried out with IT admin level access, including access to source code and any architecture documentation. This testing is the most likely to identify vulnerabilities inside your network or application due to the high level of access and the visibility offered by the documentation.
Due to the volume of data requiring analysis and inspection, this testing takes the longest time. It does, however, provide the most complete insight into the systems being assessed.
Network Penetration Test
Network penetration testing sets out to attack your company network from the perspective of an external hacker attempting to gain access to your systems. It frequently also includes testing for vulnerabilities that internal bad actors may use to compromise your network.
It is carried out to identify the vulnerabilities that a malicious attacker would use to compromise your network. These vulnerabilities can then be reduced by patching, removing the service or mitigated in some other way.
If an attacker were able to breach your organisation, there are several risks to your business. Most commonly the attacker will try to acquire data on your business or customers, install malicious software to capture passwords and other user details, or attempt to extort money, usually in the form of bitcoin, by installing ransomware on your network.
Vulnerability Assessment
Vulnerability assessments are carried out to look at the systems and services that are running on your network. They are used to identify items that may be out of date and have critical vulnerabilities that can be exploited by an attacker, or via an automated system.
A frequent problem is systems that should not be on your network at all, for instance a laptop that an employee has brought from home, or a piece of software that was installed without permission. This “Shadow IT” poses a real risk to your business: it is likely not kept up to date, it is managed by individuals who do not understand the risks, and it is likely not licensed correctly.
Because it is not known about, it will not be present on any asset or risk register, and it will not be included in any network documentation or business continuity plan.
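One defensive follow-up to the Shadow IT point above is to reconcile what a discovery scan actually finds against the asset register, so unregistered hosts are flagged for investigation. This is an added illustration, not the company's tooling; the register, the scan results and the host fields are constructed for the example.

```python
# Added example (not part of the original page): reconcile hosts seen by a
# discovery scan against the asset register so unmanaged "Shadow IT" devices
# can be flagged for follow-up. All data below is constructed.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class ScannedHost:
    ip: str
    open_ports: list[int]
    hostname: str | None = None

# Constructed asset register: what the business believes is on the network.
ASSET_REGISTER = {
    "10.10.1.10": {"name": "fileserver01", "owner": "IT"},
    "10.10.1.20": {"name": "dc01", "owner": "IT"},
    "10.10.1.50": {"name": "printer-3f", "owner": "Facilities"},
}

# Constructed discovery results, as they might be parsed from a port scanner.
SCAN_RESULTS = [
    ScannedHost("10.10.1.10", [445, 139], "fileserver01"),
    ScannedHost("10.10.1.20", [88, 389, 445], "dc01"),
    ScannedHost("10.10.1.77", [22, 8080], "DESKTOP-H0ME"),  # employee's own laptop
    ScannedHost("10.10.1.91", [3306], None),                # unapproved database
]

def reconcile(register: dict, scan: list[ScannedHost]) -> dict:
    """Return hosts on the wire that the register does not know about
    ("shadow") and registered assets the scan did not see ("stale")."""
    seen = {h.ip for h in scan}
    shadow = [h for h in scan if h.ip not in register]
    stale = sorted(ip for ip in register if ip not in seen)
    return {"shadow": shadow, "stale": stale}

def risk_note(host: ScannedHost) -> str:
    """One-line triage hint built from the exposed ports of an unmanaged host."""
    exposed = ", ".join(str(p) for p in sorted(host.open_ports))
    label = host.hostname or "(no hostname)"
    return f"{host.ip} {label}: unmanaged, listening on {exposed}"

if __name__ == "__main__":
    result = reconcile(ASSET_REGISTER, SCAN_RESULTS)
    for host in result["shadow"]:
        print("SHADOW IT ", risk_note(host))
    for ip in result["stale"]:
        print("NOT SEEN  ", ip, ASSET_REGISTER[ip]["name"])
```

Stale entries are worth reporting too: an asset that the register lists but the scan never sees is either offline, decommissioned without paperwork, or scanned from the wrong network segment.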
Web Application Testing
Web application penetration tests are designed to examine your web sites and web applications for vulnerabilities. Some of the more serious issues they look for are flaws that could be used to gain additional permissions, view other users’ information or extract data from your database directly.
A good web application test will examine your applications and sites in detail, identifying minor as well as major vulnerabilities, and provide guidance on how to remediate them.