- November 14, 2021
- By Cyberarch Admin
By definition, penetration testing is a method for testing a web application, network, or computer system to identify security vulnerabilities that could be exploited. The primary objective of security as a whole is to prevent unauthorized parties from accessing, changing, or exploiting a network or system; a penetration test serves that objective by doing, under controlled conditions, what a bad actor would do.
To put it in simple terms, in the 21st century security is an essential aspect of every activity. It concerns even the simplest things: when we leave home and nobody is in the flat or house, a locked door is a must. The same applies to a car. And people do not tell every stranger the PIN code of their credit cards.
Thinking more broadly, huge corporations do the same thing; they simply 'close their door' so that their data is not stolen. In the IT field, special attention is paid to system security and network security. Organizations like Cyberarch perform a set of specialized tests, including compliance audits, access control testing, security assessments, vulnerability scanning, physical security testing and so on, in order to determine how secure a network or infrastructure actually is.
Penetration Testing Approaches
Clients often ask Cyberarch for guidance on whether they need a manual penetration test for a specific application or whether automated testing suffices. Here we briefly describe some of the advantages and disadvantages of each method and explain our preferred approach.
Generally, there are two approaches to application penetration testing:
- Automated Testing
- Manual Testing
Security testing engagements may involve either of the above, or commonly a combination of both, depending on the project scope, goals, and available time and budget.
Automated Penetration Testing
- Speed: Automated tools work faster by an order of magnitude. It is far harder to test each component, service, and protocol by hand at the speed a machine or script can.
- Coverage: Automated tools cover larger attack surfaces with more ease by crawling web applications to identify potential attack inputs, especially "low hanging fruit" and technology-specific vulnerabilities. Manual testing would require a large amount of time and skill to guarantee the same coverage and the same comparison against known vulnerabilities. On the other hand, automated tools find it difficult to accurately test bespoke in-house web applications and services, which can result in missed logical vulnerabilities.
- Efficiency: The processing capability of a machine is excellent. Automated tools can initialize and execute a large number of payloads for each test, but they may not select the right payloads for each scenario. Usually they fuzz the application with multiple payloads and then wait for a reaction.
- Qualifications: Automated tools, especially professional versions, have gone through intensive product testing for reliability and validity. Manual testing skills rest solely on the individual pen tester's expert skill set and experience.
- Reporting: Reports can be created easily and quickly, and usually include graphical features such as charts for effective visual data comprehension. The output can, however, be generic and may not describe how a finding was validated.
- Investment: Open source tools and vulnerability scanners are usually free, but lack support or warranty. Professional licensing for vulnerability scanners and other automated tools can range dramatically in cost.
Manual Penetration Testing
- Effectiveness: Automation alone cannot ensure that an application is thoroughly tested from a security perspective. Automated tools are poor at testing for logical vulnerabilities, which require an understanding of the scope and flow of the application to identify. Certain findings, for example CSRF (Cross-Site Request Forgery) and business logic vulnerabilities, need an experienced, certified security professional to exploit and validate all potential security scenarios.
- Validity: Automated tool results usually contain a large number of false positives and false negatives (30% to 90% depending on methodology and product) that can create a false sense of security, or of insecurity. These inaccuracies stem from the limits of the tools' capabilities. It is the responsibility, and the expertise, of the manual tester running the automated tool to validate the results and identify the true security findings.
- Accuracy: Automated tools are only as reliable as their updates. If a new vulnerability or exploit has been introduced into the environment without a known category (i.e. a zero-day), it is impossible for automated tools to discover and identify the security threat. In manual testing, the tester can create their own exploit depending on the situation and vulnerability. This allows a comprehensive testing methodology that covers what automated tools will overlook and fail to detect.
- Custom Reporting: Once the penetration test is complete, the tester can create a comprehensive report that is as individual as the test results. At its most basic level, it will describe the vulnerabilities found, exploits used, data collected, risk rating, supporting evidence, affected assets, and mitigation recommendations. These reports are fine-tuned to the needs of the client so they gain the greatest security understanding of their infrastructure, application, or device.
- Investment: The cost of manual testing depends on the scope and size of the engagement. In most penetration testing engagements, the cost and licensing of additional automated tools are covered under the negotiated penetration test contract unless special requirements call for installation of additional devices. In comparison, the cost of a data breach is growing exponentially, as current studies show.
In final words, Cyberarch recommends leveraging a combination of automated and manual techniques. Assessments can start with automated testing to cover a broad scope at low depth, narrow down the project scope, and pick the low hanging fruit. Testers can then follow up with a manual testing phase to dig deeper into the areas of most interest or risk.
Types of Penetration Testing
The list below outlines the most popular penetration testing types as well as the information commonly requested by pen test providers to help scope an assessment. Pen tests vary in focus, duration, depth, and secrecy, so it’s important to ensure that any details supplied are correct in order to receive an accurate quotation.
Network Penetration Testing
This type of test includes both internal and external network exploitation testing through the emulation of hacker techniques that penetrate a system’s network defenses. Once the network has been compromised, the tester can potentially gain access to the internal security credentials of an organization and its operation.
Testing of a network includes identifying:
- Threat Modeling
- Vulnerability Scanning & Analysis
- Firewall bypassing
- Router and proxy server testing
- IDS and IPS evasion
- Open port scanning
- SSH security attacks
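Open port scanning from the list above has a defensive counterpart: auditing what a host itself exposes. The following is an added example (not code from the original post or from Cyberarch) that parses constructed `ss -tlnp`-style output and reports listeners bound to all interfaces on ports outside an allowlist. The sample output and the allowlist are assumptions made for the example.

```python
"""Audit listening TCP sockets from `ss -tlnp`-style output.

Added example. SAMPLE_SS_OUTPUT is constructed to look like `ss -tlnp`
output; it was not captured from any real host.
"""
import re
from dataclasses import dataclass

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1201,fd=5))
LISTEN  0       511     0.0.0.0:8080         0.0.0.0:*          users:(("python3",pid=2210,fd=4))
LISTEN  0       128     [::]:3389            [::]:*             users:(("xrdp",pid=990,fd=7))
LISTEN  0       4096    *:9200               *:*                users:(("java",pid=1500,fd=9))
"""

# Bind addresses that accept connections from every interface, not just loopback.
WILDCARD_BINDS = {"0.0.0.0", "[::]", "::", "*"}

# One LISTEN row: state, queues, local addr:port, peer addr:port, optional process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tlnp` text into Listener records, skipping the header."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3) or "?"
        listeners.append(Listener(addr, port, proc))
    return listeners


def find_exposed(listeners: list[Listener], allowed_ports: set[int]) -> list[Listener]:
    """Listeners reachable from the network whose port is not explicitly allowed.

    Loopback-only services (127.0.0.1, ::1) are never reported: they are not
    part of the network attack surface.
    """
    return [
        l for l in listeners
        if l.address in WILDCARD_BINDS and l.port not in allowed_ports
    ]


if __name__ == "__main__":
    # Assumed policy for the example: only SSH is meant to be reachable.
    for l in find_exposed(parse_ss(SAMPLE_SS_OUTPUT), allowed_ports={22}):
        print(f"unexpected listener: {l.process} on {l.address}:{l.port}")
```

Run against real output (`ss -tlnp | python3 audit.py`-style piping is a trivial change) the script gives a reviewer the same "what is actually reachable" view that an external port scan would, but from the inside and without touching the network.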
Network testing is more in-depth than standard penetration testing and locates vulnerabilities that basic scans may not find, all to create a safer overall network.
Web Application Penetration Testing
Application tests search for server-side application vulnerabilities. The penetration test is designed to evaluate the potential risks associated with these vulnerabilities through web applications, web services, mobile applications, and secure code review.
The most commonly reviewed applications are web apps, languages, APIs, connections, frameworks, systems, and mobile apps.
Client Side & Wireless Network Penetration Testing
Wireless and client-side tests inspect relevant devices and infrastructures for vulnerabilities that may lead to compromises and exploits to the wireless network.
Wireless exploitation has the potential to reveal all encrypted information, including credit card numbers, passwords, chat messages, emails, and images. Injection and manipulation of data is also a possibility, leading to potential ransomware or malware attacks that could threaten the entire system.
To prevent wireless network hacking, check for the following during pen testing:
- unauthorized hotspots and access points
- wireless network traffic
- encryption protocols
- MAC address spoofing
- media player or content creation software vulnerabilities
Social Engineering Penetration Testing
Social engineering tests search for vulnerabilities an organization could be exposed to based on its employees directly. In this case, creative testing must be designed to mimic real-world situations that employees could run into without realizing they’re being exploited.
These tests not only help with internal security strategy amongst co-workers but allow security teams to determine necessary next steps in cybersecurity.
Specific topics such as eavesdropping, tailgating, or phishing attacks; posing as employees; posing as vendors/contractors; name-dropping or pretexting; gifts or dumpster diving; bluesnarfing; quid pro quo; or baiting, are common testing practices.
Bad actors typically possess social engineering skills and can influence employees into creating access to systems or sensitive data. When used in conjunction with other physical tests, social engineering testing can help to develop a culture of security throughout an organization.
Physical Penetration Testing
Physical penetration testing prevents hackers from gaining tangible access to systems and servers by ensuring that facilities are impenetrable by unauthorized personnel. IT and cybersecurity professionals focus primarily on system vulnerabilities and may overlook aspects of physical security that can result in exploitation. Physical penetration tests focus on attempts to gain access to facilities and hardware through RFID systems, door entry systems and keypads, employee or vendor impersonation, and evasion of motion and light sensors.
Physical tests are used in combination with social engineering such as manipulation and deceit of facility employees to gain system access.
Cloud Penetration Testing
Public cloud services have become increasingly popular for compute, networking and storage. Companies and employees may be able to store backups and all types of data in the cloud. This makes it a prime target for hackers.
But, with the ease of cloud deployments comes complexities in handling cloud security as well as legal obstacles. Not to mention, many public cloud providers have a hands-off or shared responsibility approach to security, forcing the organization to take responsibility for cloud security.
If your organization wants to perform a cloud penetration test, you may need to notify the cloud provider of your intent to carry out the test. Be sure to ask the cloud provider which areas are off limits. For instance, AWS only permits testing on EC2, RDS, Aurora, CloudFront, API Gateway, Lambda, Lightsail and DNS zone walking; small and micro RDS instances, as well as small, micro, and nano EC2 instance types, are not permitted.
Once you have approval from the cloud provider, you may proceed with pen testing.
Some of the common testing areas for cloud services include:
- Compute security
- Applications and API access
- Database and storage access
- VMs and unpatched Operating Systems
- SSH and RDP remote administration
- Poorly used firewalls and passwords
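"SSH and RDP remote administration" and "poorly used firewalls" from the list above are usually found together in cloud environments as security-group rules that expose an administrative port to the whole internet. The following is an added example (not code from the original post or from Cyberarch) that audits a constructed set of security groups for that condition. The rules are written in the shape of the `IpPermissions` structures the AWS EC2 API returns, but they are invented for the example; the group ids and CIDRs are assumptions, and no API is called.

```python
"""Flag security-group rules that expose SSH/RDP, or all traffic, to the internet.

Added example. SAMPLE_SECURITY_GROUPS is constructed in the shape of the
`IpPermissions` structures the AWS EC2 API returns; it is not from a real
account.
"""
from ipaddress import ip_network

# Remote-administration ports that should never be open to arbitrary sources.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0example2", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0example3", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]


def world_reachable(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the internet."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_sources(rule: dict):
    """Yield every IPv4 and IPv6 CIDR a rule accepts traffic from."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_security_groups(groups: list[dict]) -> list[dict]:
    """Return one finding per rule that is open to the internet.

    Severity is "high" for all-traffic rules and for rules whose port range
    covers SSH or RDP; other internet-facing ports are reported as "info"
    so the reviewer can confirm they are meant to be public (e.g. 443).
    """
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            open_sources = [c for c in rule_sources(rule) if world_reachable(c)]
            if not open_sources:
                continue  # restricted to specific networks: not reported here
            base = {"group": sg["GroupId"], "name": sg["GroupName"],
                    "sources": open_sources}
            if rule.get("IpProtocol") == "-1":  # AWS: all protocols and ports
                findings.append({**base, "severity": "high",
                                 "issue": "all traffic open to the internet"})
                continue
            lo, hi = rule["FromPort"], rule["ToPort"]
            admin = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
            if admin:
                findings.append({**base, "severity": "high",
                                 "issue": f"{'/'.join(admin)} ({lo}-{hi}) open to the internet"})
            else:
                findings.append({**base, "severity": "info",
                                 "issue": f"ports {lo}-{hi} open to the internet"})
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"[{f['severity']}] {f['group']} ({f['name']}): {f['issue']} from {f['sources']}")
```

The same logic applies to real data by feeding in the `SecurityGroups` list from `describe_security_groups`; the bastion group shows the intended pattern, SSH restricted to a specific source network rather than removed altogether.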
Public cloud penetration testing can be a bit difficult. In this situation, you will likely want to employ white box testing, having more knowledge about the environment before testing. Public cloud service providers often restrict or limit a customer’s ability to perform penetration tests because of the multi-tenant or shared nature of Infrastructure as a Service (IaaS).
Be aware that if you’re a Microsoft Azure customer, you must comply with the Microsoft Cloud Unified Penetration Testing Rules of Engagement documentation to start pentesting. If you’re an Amazon Web Services (AWS) customer, you will need to fill out the AWS Vulnerability / Penetration Testing Request Form.
Why Penetration Testing Is Important
In today’s climate of business insecurity, it is becoming increasingly important for businesses to take every conceivable precaution to protect themselves and their assets from risk and breach. You only have to look in a newspaper or go online to read about the latest hack attack or security breach to realize that business is facing these dangers every day. Millions of pounds/dollars are being lost, and countless crucial data sets are being compromised. These security breaches can cause loss or significant damage to people, brands, reputation, and profits.
What might at first appear to be nothing more than an innocuous theft or minor breach of security can quickly escalate into something far more sinister and damaging. That's why it is crucial that all businesses put in place resilient and reliable security systems. These systems should guard against attacks on personal, physical and information security. But how can businesses be sure that their security systems are effective and robust? That's where physical penetration testing comes into the equation. Regular penetration testing will ensure that the security systems offer adequate protection against real and potential threats. In short, penetration tests tell a business whether its security systems are working as intended.
Independent physical penetration testing is a method of testing the security of a business using social engineering techniques which are realistic but designed in a way that makes it non-disruptive to the client. Independence from the company providing the on-site security services, or suppliers of security equipment, is vital to ensure there are no conflicts of interest. Businesses are often at their most vulnerable out-of-office hours. Lack of a clear-desk policy can lead to serious security breaches. It’s surprising how often sensitive papers are left out and open for viewing by non-secure employees out of hours.
Why Cyberarch Cybersecurity and Penetration Testing Services
Our Cyberarch penetration testing services are designed to specifically target your company's infrastructure, identify your key assets and assess the protection they are given. We begin by profiling your systems and looking for weaknesses or oversights that can be exploited; we then use this information to penetrate further into your network. Once the initial identification stage has been completed we can test your most critical systems as either trusted or untrusted users. We use all known vulnerabilities to baseline your security posture.
Typical targets we investigate include but are not limited to:
- IOT Devices and Servers
- E-Mail servers
- Research and Development systems
- Database servers and storage
- Websites and E-commerce systems
- Remote entry points
- Trusted systems (including your security systems)
At Cyberarch, we have internationally recognized ethical hackers to safeguard your network and infrastructure. Once the test has been performed we will provide a report on the findings and brief you on-site on how these weaknesses can be eradicated.