WHY PENETRATION TEST ?
Penetration Testing (sometimes referred to as Ethical Hacking) can identify vulnerabilities in applications, networks and system before they can be maliciously exploited by attackers in production, saving organisations money, time and reputational damage.
Through conducting thorough vulnerability assessments and / or penetration tests that assess the security of your applications, networks and system, the penetration tester can provide a detailed assessment of the security of your systems and list of any vulnerabilities found. The penetration tester will be able to demonstrate how to exploit any discovered vulnerabilities without causing any harm to the target systems, be able to assess the impact of the vulnerabilities and show how they can be remediated.
VARYING APPROACHES FOR PENETRATION TESTING
There are a number of approaches for penetration testing, depending on the position of the attacker (internal position vs. external position) and whether the attacker is afforded knowledge of the system or has to gain knowledge of the system through discovery, exploration and reconnaissance techniques.
• BLACK BOX - Tester has little to no information about the application / systems under test, simulating an external attacker with limited knowledge of the target.
• WHITE BOX - Tester has full (administrator) access, documentation, configuration, source code and knowledge of the application / system / environment under test. More time can be spent on exploiting issues rather than information discovery.
• GREY BOX - A trade-off between black and white box. Tester has partial knowledge of / access to the application / system under test without access to source code and less dependency on developer assistance during the test.
PENETRATION TEST PROCESS
We follow a broad methodology for penetration testing, which is determined by the approaches described above and the amount of information gathering / reconnaissance we have to do, and / or what we are already given.
i). PLANNING / PREPARATION - This is the initial step where the penetration test is meticulously planned, defining the team, timeframes, required tools, and the systems in scope for testing.
ii). RECONNAISSANCE / INFORMATION GATHERING - The penetration tester attempts to gather information about the target which can be used to plan and construct attacks which can assess the security of the system. It may include an element of threat modelling to identify where potential and likely threats may come from and concentrate on.
iii). VULNERABILITY SCANNING - The penetration tester uses manual techniques and automated scanning tools to explore application, infrastructure and network weaknesses which could possibly be exploited.
iv). VULNERABILITY ASSESSMENT - The penetration tester uses all of the data from the previous two phases to identify potential vulnerabilities and determine whether they can be exploited.
v). EXPLOITATION - The penetration tester then attempts to infiltrate the system by passively exploiting the vulnerabilities identified in the previous phase, to gauge what extent is the penetration tester able to exploit these weaknesses and to what extent is the security of the system at risk to attack.
vi). REPORTING / CLEAN UP - The penetration tester prepares and presents a summary of the test with detailed reporting into the test activity, the findings of the test, the exploits achievable and their consequence, the recommendations for remediating issues and improving processes by providing guidelines to incorporate security testing into existing software development lifecycles.
THE TYPES OF TOOLS AVAILABLE FOR PENETRATION TESTING
The scope and technologies involved in the penetration test may require more that multiple penetration test tools are used in the exercise, therefore penetration tests require specialists with knowledge of multiple penetration test tools in multiple areas and how to uncover vulnerabilities using them.
• STATIC APPLICATION SECURITY TESTING (SAST) TOOLS - Fortify Static Code Analyzer, Veracode, SonarQube - Can we identify potential security issues just by scanning the application source code ?
• DYNAMIC APPLICATION SECURITY TESTING (DAST) TOOLS - Fortify WebInspect, OWASP Zed Attack Proxy, Burp Suite Professional - Can we exploit security issues in the running application ?
• NETWORK SCANNERS - Zenmap / Nmap - Can we check the network / infrastructure for vulnerabilities such as insufficiently protected open ports ?
• PACKET SNIFFERS / NETWORK MONITORING - Wireshark, Telerek Fiddler - Are we able to read and write data transmitted over unsecure or compromised networks ?
• SQL INJECTION / DATABASE TAKEOVER - sqlmap - Can we perform SQL Injection attacks to bypass login, return sensitive data from the database or even drop database tables ?
• SOFTWARE COMPOSITION ANALYSIS (SCA) TOOLS – Fortify Software Composition Analysis, OWASP Dependency-Check - Are we using outdated and vulnerable 3rd party components and frameworks in our applications ?
WHY DO WE NEED TO PENETRATION TEST REGULARLY ?
With constant changes in software, environments, third-party components, and evolving cyber threats, it's essential to conduct regular penetration testing to stay ahead of potential vulnerabilities. Regular testing helps you proactively identify and mitigate risks.
HOW CAN FIMATIX HELP ?
If you need guidance on your current penetration testing procedures, require an independent penetration test for compliance, or want to establish regular vulnerability assessments and penetration testing in your organization, Fimatix is here to help. Their expertise can provide the shield your digital fortress needs to withstand modern cyber threats and ensure your organization's security. Don't hesitate to reach out to Fimatix for assistance in fortifying your digital defenses.