Penetration Testing Tips and Techniques


For most businesses, it is not a matter of if you will have a cyber-attack, but when.

When a breach does occur, the results can be costly.  The average cost of a single cyber security breach can be enormous.  A study from the Ponemon Institute tracked the hard dollars spent to recover from breaches over the past two years.  The results showed the global average cost of a data breach is $3.86 million. That’s an increase of 6.4% from 2017.  U.S. companies are most at risk.

Breaches for the largest companies were studied separately.  Costs to recover from so-called “mega breaches” are projected to cost companies between $40 million and $350 million.

Some breaches result in significantly more costs, including lawsuits, penalties, and fines.  That doesn’t include the hidden costs, such as loss of trust and damage to your brand or the loss of customers.  In many cases, proprietary data and sensitive customer data is exposed and potentially lost forever.

What Is Pen Testing?

A penetration test is sometimes called a pen test or white hat hacking.  It consists of a series of simulated cyber attacks on your computer systems and networks to discover vulnerabilities.  While the main objective of pen testing is to identify weaknesses in your organization’s security, it can also be used to test your security policies, employee compliance with policies, detection and response to security incidents, and compliance with laws, rules, and regulations.

Why Is It Important To Pen Test?

Hackers are looking to exploit flaws in your system.  Penetration testing puts your system through the same stress as cyber criminals would in order to discover weaknesses before the bad guys can.  A cyber security professional working under controlled conditions can identify risks and help with remediation to prevent future attacks.

These simulated attacks reveal where you need to invest in security.  By exposing the greatest weaknesses, you can maximize where you spend your security dollars.

Pen tests provide an outside perspective on your security.  When cyber security is done in-house, even with a team of great IT professionals, you can be left with blind spots. An outside perspective is like getting a second opinion from pros that know the latest techniques.

While businesses of all sizes are at risk, small to medium-sized businesses are most at risk.  Nearly 50 percent of small businesses have already experienced an attack, according to the National Cyber Security Alliance.  66% of small businesses that have breaches are forced to shut down for some period of time.  60% go out of business within six months of an attack.

Here’s another reason to conduct pen testing.  When a breach does occur, it often goes unnoticed for a significant period of time.  The average breach can take as many as 197 days to be discovered.  Once discovered, it can take more than two months on average to contain.  Obviously, the sooner a breach is discovered, the less damage is done.  Companies that uncovered a breach and started recovery practices within 30 days saved on average more than a million dollars.

No matter how well you implement your security procedures, you may still be at risk.  Outdated operating systems, uninstalled patches, vulnerabilities from third-party apps, new IoT (Internet of Things) devices, and BYOD (Bring Your Own Devices) policies all create additional risks.  Studies show that only 47% of companies patch vulnerabilities when they become known.  Such an exploit allowed hackers to compromise more than a billion Yahoo accounts.

Can Pen Testing Help With Compliance?

Depending on your industry, you may have strict compliance regulations.  Even if your industry does not have regulations, you may do business with other companies that do.  In each case, you are responsible for meeting strict security protocols.

Just about anyone that does business with the government is subject to National Institute of Standards and Technology (NIST), ISO 27011, Federal Information Security Management Act (FISMA), or Defense Federal Acquisition Regulation Supplement (DFARS) rules.  You may be required to follow Sarbanes-Oxley (SOX) and Health Insurance Portability and Accountability Act (HIPAA) rules.  If you store or transmit data from cardholders, such as credit cards, Payment Card Industry Data Security Standard (PCI-DSS) rules apply.

Penetration testing can reveal vulnerabilities that violate the provisions of these rules and regulations.  It can also provide documentation of the security procedures and protocols that are required.  Several of these frameworks require not just passive and active monitoring of security threats but documentation of efforts to maintain high-level security.  Pen testing may itself be a requirement.

Laws, rules, and regulations are evolving as well.  If you do business anywhere in the European Union, there are new data and privacy regulations that are now in effect under the General Data Protection Regulation (GDPR).  Failing to follow these regulations can bring fines of 2% of gross revenue.  California’s newly passed California Consumer Privacy Act (CCPA) goes into effect in 2020.  Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) dictates how private businesses must handle personal data.

Even if you do not do business in the EU, California, or Canada, you may still be subject to some provisions depending on your online footprint.

How Often Should You Pen Test?

At a minimum, full-scale penetration testing should be conducted once a year to ensure consistent network security. Regular testing can make sure you maintain security while automated and ongoing testing can keep systems safe and help alert when breach attempts occur.

In addition, you should conduct pen tests whenever you add new network infrastructure or applications, make significant modifications, connect or establish new remote locations, apply security policies, or modify user policies.

How comprehensive your penetration testing is and how often you test will be unique to each organization.  Some businesses are required by law to perform security audits and provide proof at regular intervals.  Large businesses may have more data at risk.  Online companies may have more entry points and attack vectors.  Cloud infrastructure and open architecture may call for more frequent testing.

Pen Testing Tools

Penetration tools used for testing will simulate real attacks and zero in on vulnerabilities.  Pen testers will scan for malicious code in applications that can pose threats.  They will probe encryption techniques and look for hard-coded values that allow for access or can be exposed.  Automated tools will provide thorough testing and detailed reporting.

Many of the pen testing tools that are used are modified open source software.  This allows pen testers to work with the same tools that cyber criminals use.

There are several hundred open source penetration testing tools available.  Here is just a brief list of some more commonly used tools:

  • Metasploit can be used on web apps, servers, and networks.  It also has built-in plugins for some other vulnerability scanners, including Nessus, Nexpose, OpenVAS, and WMAP.
  • ZAP (Zed Attack Proxy) is an open source multi-platform tool developed by the Open Web Application Security Project (OWASP).
  • Wfuzz is used for brute-forcing web apps.  Developed in Python, it can expose LDAP, SQL, and XSS injection vulnerabilities.
  • Wapiti performs black box testing using little or no information and provides support for both GET and POST HTTP attack methods.
  • Nmap is an open source network mapper.  It identifies open ports on target hosts and can map network inventory and assets while exposing network vulnerabilities.
  • W3af is a web application security testing framework developed in Python.  This tool can detect more than 200 types of security issues in web apps.
  • SQLMap is an automated solution for detecting SQL injection vulnerabilities, including Boolean-based, error-based, out-of-band, stacked queries, time-based blind, and UNION query.
  • BurpSuite is a graphical testing tool for Web apps.  Its proxy function allows manual testing by intercepting all requests and responses between apps and browsers.
  • SonarQube is open source software used to measure source code quality.  Written in Java, it can also highlight vulnerabilities for cross-site scripting, DoS (Denial of Service) attacks, and memory corruption.
  • Kali Linux supports only Linux machines and can perform more than 600 penetration tests, computer forensics, and reverse engineering.
  • Nogotofail is a network traffic security testing tool developed by Google.  It detects TLS/SSL vulnerabilities and configuration issues, including MiTM attacks, SSL certificate verification issues, SSL injection, and TLS injection.
  • Cain & Abel is a password recovery tool for Microsoft Windows, which can crack many encrypted passwords and network keys.  It can surface security concerns about dictionary attacks, brute force, and cryptanalysis attacks.
  • John the Ripper (JTR) identifies weak password vulnerabilities on networks.  It cracks even complex passwords and surfaces brute force and rainbow table attack vulnerabilities.  It works on UNIX, Windows, and DOS.
  • Iron Wasp can detect false positives and negatives.  This open source tool can detect more than 25 web application vulnerabilities including broken authentication, cross-site scripting, CSRF, hidden parameters, and privilege escalation.
  • Grabber is used to scan small web applications such as small-scale websites or forums.  Written in Python, it targets vulnerabilities such as backup files, file inclusion, AJAX verification, and SQL injection.
  • Arachni is another open source tool for detecting vulnerabilities such as unvalidated redirects, local and remote file inclusion, SQL and XSS injections.

The above list represents a sampling of some of the most popular pen testing tools.  There are literally hundreds of variants.

A Step-By-Step Process

Penetration testing is typically broken down into stages.  These phases are critical for both organizations and pen test professionals to understand and manage the process.

Pre-Engagement Interactions:  Planning & Defining Scope

The first phase defines the scope and goals of the pen test, including the systems to be addressed and the testing methodologies to be used.  This will also include creating a road map of networks, systems, and potential targets for testing.

It’s important for both parties to outline the logistics of the tests and have a clear understanding of expectations.  This will include goals and objectives and the legal implications of the testing process.  For organizations, you will be given options. You want to make sure these options align with your goals.

It is important you consider any legal requirements, compliance regulations, software agreements, and third-party agreements in outlining your penetration testing.

Reconnaissance or Open Source Intelligence (OSINT) Gathering

This includes an examination of publicly available information and extracting relevant information that hackers might use to target an organization.  This includes the identification of items such as:

  • IP addresses, subdomains, ports, and third-party connections
  • Technologies, App platforms, and infrastructure
  • Sensitive information such as API keys, AWS S3 buckets, and leaked credentials
  • Log files, backup files, client-side code, config files, database files, and JavaScript libraries

This will likely mean identifying all critical information across networks, systems, routers, and access points.  Pen Testing companies may also need to identify additional information on their own to explore vulnerabilities and entry points.

Penetration testing can get very detailed.  Reconnaissance and open source intelligence gathering efforts need to look at targets through the eyes of cyber criminals, which means using some of the same techniques such as public records, financial records, and social engineering, including:

  • Tax Records
  • Quarterly and Annual Reports
  • Publicly known email addresses, usernames, and social networks
  • Port scanning, Reverse DNS, packet sniffing, and ping sweeps
  • Social engineering, blogs, forums, and websites
  • Documentation

There’s a lot of public data (and some not so public data) that’s accessible about your organization.  Most of the information is spread out across different parts of the internet and will take time to find and correlate.  Penetration testing experts should use intel and data collection practices as detailed in the OSINT (Open Source Intelligence) framework.

Threat Modeling & Vulnerability Identification

This phase of pen testing identifies specific targets within your networks and systems and maps attack vectors.  Testing will target and categorize high-value business assets such as technical data, customer data, and employee data.

It will also identify and categorize internal threats such as employees, management, vendors, and third-parties.  Similarly, external threats such as ports, web applications, network traffic, and network protocols will be examined.

Static analysis will examine the code that drives applications, while dynamic analysis stress-tests applications while they are running to see how they react to various penetration tests.  Dynamic analysis provides a real-time view of performance and potential vulnerabilities.

This vulnerability scanning will help validate if vulnerabilities are exploitable.

Exploitation

Armed with a road map of potential breach points and vulnerabilities, pen testers will start to home in on and test the exploits that have been found.

Targeted testing will attempt to exploit access vulnerabilities.  Web application attacks try to uncover potential risks.  Once identified, expert testers will try to exploit these risks.  Attacks might include stealing credentials and data and escalating privileges to see what kind of damage can be done once cyber criminals can get into your network.

Depending upon the scope of your pen test agreement, testers may focus on the tactics cyber criminals are most likely to deploy, including:

  • Network Attacks
  • Memory-based Attacks
  • Router and Wi-Fi Attacks
  • Web Application Attacks
  • Zero-Day Attacks
  • Physical Attacks
  • Social Engineering Attacks

Other testing will probe for the ability of hackers to maintain system access. Once a breach is discovered, mitigation efforts need to make sure cyber criminals do not have the ability to create a persistent presence within your systems.  You do not want to patch a vulnerability but allow hackers to maintain a backdoor into your system or have prolonged access to launch advanced persistent threats.

Post-Exploitation, Risk Analysis & Recommendations

After the exploitation phase has been completed, the goal is to document vulnerabilities.  The results of the pen tests are compiled into detailed reports showing uncovered vulnerabilities, data exposure, and what other damage can be done.  Reports will be prioritized to show the greatest vulnerabilities and recommend additional security procedures to implement in order to minimize the risks.

Reporting

The reporting phase may be the most critical part of your penetration test.  You will receive a written report detailing your threat risks and showing you what you need to do to improve your security.  It will show you exactly which entry points were discovered, tactics hackers might use to gain access, and the damage that can be done.  It will also list tactics you can deploy to patch these vulnerabilities and fix security holes.

Your report will prioritize and rank vulnerabilities.  A typical report might categorize Extreme, High, Elevated, Moderate, and Low-Level threats.  You will also be presented with a road map of recommendations and a potential implementation schedule.

After the penetration test process is complete, your pen tester will clean up your environment.  This means removing software, scripts, files, and executables.  They will reconfigure settings back to their original parameters (prior to the penetration tests), eliminate rootkits installed during the testing, and remove user accounts and elevation levels created during testing.

Different Types Of Pen Testing For Different Environments

Your specific environment will dictate which types of pen tests are needed.

Network testing

Accessing your network is like handing over the keys to the kingdom.  Once hackers get inside your systems, the potential for damage is great.

Networks:  External Pen Testing

In an external pen test, testers will assess external facing assets.  Tests will focus on various attempts to gain entry to company networks by leveraging vulnerabilities.  Email, website, and file/document sharing may be tested for exploits.

Reconnaissance and intelligence gathering scans for open ports and other external pathways into organization networks.  Successful breaching of these external entry points will provide the basis for internal testing.

Networks:  Internal Pen Testing

The assessment continues with internal systems.  Internal penetration testing focuses on places an intruder can access once they penetrate a network.  In a weak security environment, cyber criminals may have access to everything.  Internal security controls typically partition systems to avoid a total takeover.  When these roadblocks are encountered, internal testing will attempt to find detours to get around them.  Testers will prod and probe various systems within the network, attempting to access admin tools and escalate credentials and authorizations to gain more and more control.

Applications Testing

Applications are nearly omnipresent in today’s business environment.  With cloud-based apps and constant internet connections, there are increased security threats that didn’t exist even a few years ago.

Applications:  Web Apps & Services

Web apps make up one of the most significant vulnerabilities that organizations have today.  Third-party apps are causing chaos in the business world.  As more workers are using mobile devices and mixing company and personal devices, the threat increases.

One recent study found malware, crypto mining software, and malicious code in more than half of the apps they tested that made it into the Android and iOS app stores.  Spoofed apps and gaming apps have been found loaded with malware.  Half a million Android users installed an app that appeared to crash when executed.  Instead, it launched malware and deleted its icon, tricking users into thinking it was no longer on their smartphone.

The number of mobile devices has now surpassed the number of desktop devices.  Nearly every single one is running some form of apps.  More than half of 15,000 tested mobile apps violated the Open Web Application Security Project (OWASP) list of Top 10 standards for data storage security.

Applications:  Thick and Thin Clients

When it comes to client/server architecture, you need to test both the client and the server, since either may be handling the workload.  Thin client applications are typically small apps that provide a connection to network computing power.  The thin client provides the connection, but the heavy lifting is done on the server.  Thick clients do not need continuous server access.  They do the processing locally and connect mainly for archival, storage, or updates.

Thick clients are also known as heavy clients, rich clients, or fat clients.  Dynamic penetration testing can follow the data flow from the client to the server.  It will typically include input validation to test for items such as SQL or command injections, malicious file uploads, secure traffic and encryption, and session management.  Static testing may include reverse engineering, interception proxies, traffic analysis, and executable checking tools.

Thin client penetration testing focuses more on attempts to bypass authentication between the thin client and the server.  While there is little to no data on the client side, it provides an entry point for servers and may provide access to network resources.

Applications: Secure Code Review

This involves a manual review of the source code of a software system.  The source code will be audited to make sure the proper security controls are validated.  It will test logic, functionality, organization, and look for exploits.  It will also examine applications of ciphers for sensitive data and what happens during transmission and storage.

Other Environments

Your devices are only as secure as the network through which the data passes.

Wi-Fi Networks

An often-overlooked security threat is when company devices or data are used on public Wi-Fi networks.  Poor end-to-end encryption can put your data at risk of man-in-the-middle attacks.

IoT (Internet of Things)

With more devices using IoT technology, these additional connections open up other potential entry points.  IoT devices are predicted to grow from their current number of 11m worldwide in 2018 to 20m by 2020.  That would mean more IoT devices in service than there are people in the world.  You can’t afford to put your security in the hands of IoT manufacturers.

ICS/SCADA

ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) networks are also common subjects of attention for cyber criminals.  They may be targeted to steal proprietary information about industrial processes as well as to provide another access path to company networks.

Routers

Older equipment that may not have been updated is vulnerable to security threats.  Russian state-sponsored hackers showed exactly how easy it can be to backdoor into networks when they targeted millions of unpatched and legacy routers.  They managed to disrupt business, government, critical infrastructure producers, and ISPs.

Security audits, combined with penetration testing, can make sure you are up-to-date on software and firmware upgrades and detail potential threats.

Various Ways To Conduct Penetration Tests

Which type of testing you do and what you test will be defined as part of your planning and pre-engagement interactions.  Different approaches can be used to provide different types of information.

The most popular types include:

Blind Pen Test / Black Box Testing

A blind penetration test strategy simulates a cyber attack under specific conditions.  Testers may be provided with limited data about the target, such as only a company name or website address, prior to testing.

Double Blind Pen Test / Covert Testing

Like the blind pen test, limited information is given to the team doing the security assessment and risk analysis.  At the same time, the tests are done in secret with only a few key company personnel let in on what’s happening.  This can be useful for testing a company’s internal monitoring and alerting systems.  It can also be used to judge identification, response, and remediation efforts after breach detection.
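A double blind test is only useful if the monitoring it exercises can actually see the reconnaissance described earlier (port scanning and ping sweeps).  The following is an added example, not RedLegg's code or anything from the original article: a small detector that reads firewall log lines in an assumed, constructed format and flags one source probing many ports on one host, or pinging many hosts, inside a sliding time window.  The log format, IP addresses, and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines; the format is assumed, not any vendor's:
#   <ISO timestamp> <ALLOW|DENY> <proto> <src-ip> <dst-ip> <dst-port or '-'>
SAMPLE_LOGS = """\
2024-03-01T10:00:00 DENY  TCP  203.0.113.5 198.51.100.10 21
2024-03-01T10:00:00 DENY  TCP  203.0.113.5 198.51.100.10 22
2024-03-01T10:00:01 DENY  TCP  203.0.113.5 198.51.100.10 23
2024-03-01T10:00:01 DENY  TCP  203.0.113.5 198.51.100.10 25
2024-03-01T10:00:02 DENY  TCP  203.0.113.5 198.51.100.10 80
2024-03-01T10:00:02 DENY  TCP  203.0.113.5 198.51.100.10 110
2024-03-01T10:00:03 DENY  TCP  203.0.113.5 198.51.100.10 135
2024-03-01T10:00:03 DENY  TCP  203.0.113.5 198.51.100.10 139
2024-03-01T10:00:04 ALLOW TCP  203.0.113.5 198.51.100.10 443
2024-03-01T10:00:04 DENY  TCP  203.0.113.5 198.51.100.10 445
2024-03-01T10:01:10 ALLOW ICMP 203.0.113.9 198.51.100.1 -
2024-03-01T10:01:10 ALLOW ICMP 203.0.113.9 198.51.100.2 -
2024-03-01T10:01:11 ALLOW ICMP 203.0.113.9 198.51.100.3 -
2024-03-01T10:01:11 ALLOW ICMP 203.0.113.9 198.51.100.4 -
2024-03-01T10:01:12 ALLOW ICMP 203.0.113.9 198.51.100.5 -
2024-03-01T10:05:00 ALLOW TCP  192.0.2.7   198.51.100.10 443
2024-03-01T10:09:00 ALLOW TCP  192.0.2.7   198.51.100.10 80
"""

def parse_logs(text):
    """Parse log text into (timestamp, proto, src, dst, dport); dport is None for ICMP."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or malformed lines instead of aborting the whole run
        ts, _action, proto, src, dst, dport = parts
        events.append((datetime.fromisoformat(ts), proto, src, dst,
                       None if dport == "-" else int(dport)))
    return events

def _max_distinct_in_window(items, window):
    """Largest count of distinct values among (timestamp, value) pairs that fall
    inside any sliding window of length `window` starting at one of the events."""
    items = sorted(items)
    best = 0
    for i, (start, _) in enumerate(items):
        seen = set()
        for ts, value in items[i:]:
            if ts - start > window:
                break
            seen.add(value)
        best = max(best, len(seen))
    return best

def detect_port_scans(events, window=timedelta(seconds=60), threshold=10):
    """One source touching many distinct TCP/UDP ports on one host within the window.
    ALLOW and DENY both count: the scanner learns which ports are open from the allowed hits."""
    by_pair = defaultdict(list)
    for ts, proto, src, dst, dport in events:
        if proto in ("TCP", "UDP") and dport is not None:
            by_pair[(src, dst)].append((ts, dport))
    return [{"type": "port_scan", "src": src, "dst": dst, "distinct_ports": n}
            for (src, dst), items in by_pair.items()
            if (n := _max_distinct_in_window(items, window)) >= threshold]

def detect_ping_sweeps(events, window=timedelta(seconds=60), threshold=5):
    """One source sending ICMP to many distinct hosts within the window."""
    by_src = defaultdict(list)
    for ts, proto, src, dst, _ in events:
        if proto == "ICMP":
            by_src[src].append((ts, dst))
    return [{"type": "ping_sweep", "src": src, "distinct_hosts": n}
            for src, items in by_src.items()
            if (n := _max_distinct_in_window(items, window)) >= threshold]

if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    for alert in detect_port_scans(evts) + detect_ping_sweeps(evts):
        print(alert)
```

Tune the thresholds and window to your own baseline traffic; the two legitimate connections from 192.0.2.7 in the sample stay below the bar and produce no alert.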

White Box Testing

In White Box testing, the team doing the testing has been provided with more information.  It may include details about IP addresses, network schematics, infrastructure, protocols, and source code.  This information is used to do a regimented, item-by-item threat assessment.

Targeted Pen Testing

Targeted penetration testing is focused on specific applications or critical business systems.  While it does not provide a review of an organization’s entire security threats, it does examine key operations of concern.  Because it is narrower in scope, there is reduced cost, minimal disruptions to operations, and can be completed more quickly.  Some businesses do targeted penetration testing of mission-critical operations prior to doing a more comprehensive test.

No System Is Bullet Proof

Even if you have invested in cyber defenses, recent experiences indicate that no systems are 100% bullet-proof.  Sophisticated hackers are constantly learning new tricks and techniques to breach your systems.

Hackers are no longer loners sitting in dark basements.  With the amount of money at stake and the damage that can be done, it is now the domain of organized crime and state-sponsored hackers.

If you have not been hit by a data breach or hacking attempt, congratulations!  You’re one of the lucky ones.  One in four companies will experience a data breach in the next two years.

Trust RedLegg to help protect your organization with penetration testing.

  • Gain insight into the risks you face by identifying vulnerabilities and detecting potential breach points.
  • Prioritize the biggest threats and strategically plan your road map to safeguard your organization
  • Reduce the impact and likelihood of a successful breach and data exfiltration
  • Senior level assessors enhance your defense strategy with experience in your sector and vertical
  • Show stakeholders and customers your commitment to secure and protect their most valuable assets.

RedLegg’s innovative cyber security solutions deliver real results.  More importantly, they provide peace of mind.  From consulting to advising, proactive monitoring and battle testing, we can guide you through the process.  The cost of pen testing can vary greatly depending on your unique situation and how you need to approach security.  Estimating the cost of pen testing begins by filling out this short questionnaire to request a Penetration Test or an Application Security Assessment.

Get in touch with the security experts at RedLegg today and start protecting your organization.