Penetration Testing Guide - TBG Security


PENETRATION TESTING GUIDE
www.tbgsecurity.com

Table of Contents

What is a penetration test?
What is the difference between “Ethical Hacking” and other types of hackers and testing I’ve heard about?
How does a penetration test differ from an automated vulnerability scan?
What are the goals of a penetration test?
Why should we have a penetration test performed?
What should we expect from the penetration testing process?
Is testing disruptive to our environment? Will our systems go down?
How often should we do a penetration test?
How is the scope defined for a penetration test?
What qualifications should the penetration testing team possess?
What documentation should I expect to receive when the testing is complete?
How do we prepare for a penetration test?
We have our website hosted with a third party. Should we test it?
Should we fix all of the vulnerabilities that are reported?
What are typical costs for a penetration test?
How much time is needed to perform a typical penetration test?
Can we do our own penetration testing?
My customer wants to see the results of our penetration test. Should I share the results with outside parties?
What are the different kinds of penetration tests?

What is a penetration test?

A penetration test is a study of the effect of vulnerability against a target or targets. The targets can consist of systems, networks, applications or people, or any combination of these. During a penetration test, we assume the identity of an attacker and attempt to gain unauthorized access, and through a series of attacks, expand our influence over our target of evaluation. A penetration test measures the effectiveness of security controls while being flexible enough to adapt as obstacles present themselves.

What is the difference between “Ethical Hacking” and other types of hackers and testing I’ve heard about?

The terms Ethical Hacking and Penetration Testing are synonymous. Each refers to a sanctioned assessment of security controls through an active attempt to subvert said controls. Ethical Hackers are skilled in the same disciplines that actual cyber hackers (criminals) are skilled in. By leveraging this unique skill set it is possible to get a “hacker’s eye view” of your environment.

How does a penetration test differ from an automated vulnerability scan?

[...] vulnerability scans and penetration tests is that penetration tests h[...] where vulnerability scans are far less aware and non-adaptive. But where vulnerability scans lack in the way of context, they make up for it in the form of comprehensiveness. If vulnerability scan data were available to a penetration test, this information could surely provide valuable intelligence that then could be used in more sophisticated attacks that would not be possible if a vulnerability scan were used alone. Both solutions are necessary for a truly mature approach.

What are the goals of a penetration test?

The goals of a penetration test are not set in stone, but are instead determined on a case-by-case basis. The penetration tester will meet with the client before the onset of an engagement to gauge the client’s goals. At the most rudimentary level the goal is to gain access to some network, system or application, in a manner that is covert and ultimately proves a genuine risk to a loss of confidentiality or integrity of sensitive data. If no specific goals are set we will typically attempt to get in and escalate our influence to that of a Domain Admin (assuming the environment is a Microsoft Active Directory environment).

Why should we have a penetration test performed?

The information security threat landscape is ever evolving, and simple passive methods of protection cannot possibly keep up with new and existing threats. A vulnerability scan is very good at finding known flaws, and anti-virus/anti-malware detection is likewise good at finding known threats, but modern day threat actors are very good at exploiting what is not known. Despite an organization's best efforts to implement security controls, those controls are only as good as the sum of all of their parts, and it's just as easy to mis-configure any one of these parts as it is to properly configure it. The penetration test, in a sense, is looking for that proverbial needle in the haystack. We seek to find the 1 or 2 issues within the larger interconnected web of controls, and see where each successful execution will lead. A successful security program is a combination of controls.

Those mis-configurations are out there, and what the professional penetration test will tell you is how well the entire security program, with all of its controls, is situated to detect and detain these threats when they appear.

What should we expect from the penetration testing process?

A penetration test is an uncontrolled process in that the penetration testers typically do not plan to interact very much with the target in a controlled way. Most tasks are subversive and covert in nature, and therefore must remain as uncontrolled as possible. If the penetration test target is an internal network, then a staged system (a dropbox) is typically deployed. This too can be done in a covert manner as part of a physical penetration test, or could be placed on the network ahead of the initiation of the test by the customer. Testing will commence, and once all testing activities are completed, reports will be generated and delivered to the customer. There will typically be a debriefing and a chance for customer comments. Any changes to the draft reports will be made and delivered. Sometimes penetration testers will be asked to validate corrective action measures, and sometimes a customer might commission a full retest after a full mitigation plan has been executed.

Is testing disruptive to our environment? Will our systems go down?

Because penetration testing is largely a manual process, the penetration tester has full control of what is done within the target of evaluation. It is generally not very useful to a penetration tester to introduce a denial of service condition, since one of the primary goals of a penetration test is to be covert. The penetration test alone is extremely unlikely to cause any service disruptions unless that is something the client decides to include as part of the testing parameters (which is extremely rare).

How often should we do a penetration test?

Network and application penetration tests are often performed at a minimum once every year. Certain information security standards call for it to be done more often: when major changes occur within the network, when application upgrades occur, or when infrastructure or architecture changes significantly (see PCI requirement 11.3). Additionally, many of our customers require any newly acquired software be tested before being put into production. This includes cloud based SaaS and PaaS model applications. This is a very important point since much of our sensitive data is moving into “the cloud”. This move might remove some responsibility, but it does not automatically remove the threats to the asset, and might even introduce new threats.

How is the scope defined for a penetration test?

Scope is mutually agreed upon between the client and the penetration tester and can vary significantly in size, anywhere from 1 system to 1 network or a number of networks. The scope will be contingent on the goals the client has set for the penetration test.

What qualifications should the penetration testing team possess?

Penetration testing teams should contain multiple disciplines, but most commonly a strong networking and programming focus is necessary to achieve the desired results. Much of what separates a good penetration test from a mediocre one is mindset. A penetration tester has a unique perspective when presented with a set of facts. Most people see what is meant to be seen, while the penetration tester is capable of seeing what is there, but hidden. Since these soft skills are hard to quantify, it is necessary to interview the penetration tester to gain a feel for the breadth of his/her experience. Check their resume and their references before you buy.

What documentation should I expect to receive when the testing is complete?

At a minimum the penetration tester should deliver an executive summary of findings which includes an overview of what was accomplished and what, if any, major issues were uncovered. This should be followed by a detailed summary report that outlines each issue uncovered, an assessment of risk for each issue with some context explaining how the risk rating was chosen, and with recommended corrective actions clearly outlined. A full walkthrough of the penetration exercise should be included where relevant. Oftentimes additional reports might also be delivered to support the findings in the summary reports. For instance, it is common to run vulnerability scans during a penetration test, and those scan reports might be delivered under separate cover.

How do we prepare for a penetration test?

How much or how little you prepare for a penetration test will again depend on the goals and scope defined for a specific test. We typically recommend that you use the penetration test to validate your incident preparedness, and therefore the less you prepare the better. That said, there are certainly some tests that call for a greater amount of preparation. For instance, if the target is a web application, there will be a need to provision accounts, and it probably makes sense to provide a demonstration of the functionality of the application.

We have our website hosted with a third party. Should we test it?

Unequivocally yes! The fact that the web site is hosted at a third party means that there are potential threats outside of your control. What if an attacker could access the web server management interface? Without question you should test your [...]

Should we fix all of the vulnerabilities that are reported?

[...]dressed”. For any identified issue there will be a degree of risk associated with the finding. We attempt to apply as much relevant context to each finding as possible, and certainly high-risk issues should be addressed in an expedient manner. Sometimes there are a large number of findings, particularly when automated vulnerability scans are run as part of the penetration test. Once you receive all of your reports, a mitigation plan should be put in place, and each of the reported vulnerabilities should be addressed as part of the plan. For any vulnerability there are only 5 possible ways to address the issue: (1) apply a vendor patch, (2) reconfigure a piece of software, (3) turn the affected service or server off, (4) apply a mitigating control (such as a firewall) to reduce risk, or (5) simply choose to accept the risk (which in some cases might be a perfectly reasonable option).

What are typical costs for a penetration test?

The cost for penetration testing varies greatly. A number of factors are used to determine pricing including, but not limited to, the scope of the project, the size of the environment, the quantity of systems, and the frequency of testing. It is critical to have a detailed scoping meeting to produce a very clear understanding of the needs, and to develop a statement of work prior to engaging any penetration test. Ideally a penetration test should be performed on a fixed-fee basis to eliminate any unexpected costs or unplanned expenditures. The quoted fee should include all labor and required testing tools. Statements of work that only provide estimates of the work effort should not be entertained.

How much time is needed to perform a typical penetration test?

Adequate time should be reserved in advance of testing for planning activities. Additional time should be allocated after testing for report development and subsequent review meetings, including remediation discussions. The entire effort varies greatly based on the size and complexity of the penetration test. The larger or more complex the environment is, the more effort is required. The duration of the test, however, is very controllable. The duration of the test should be compressed to ensure a good, representative view of the environment at a given point in time. Generally speaking, two to four weeks is a good estimate for the duration of the entire engagement from planning through delivery.

Can we do our own penetration testing?

Typically, no, but it’s not inconceivable. Many large organizations like major banks and government agencies do their own internal penetration testing (often called Red Team testing or Red Team / Blue Team testing), but these organizations typically have information security budgets in excess of 1,000,000, and even these organizations will often augment their staff with 3rd party tests to gain a fresh perspective from time to time. The decision to insource or outsource the penetration test function typically comes down to whether you have qualified individuals on staff to perform the test. Most professional penetration testers have a burden on them to remain current with modern attack techniques, and this typically will require penetration testing to be a full time job, so to successfully conduct insourced penetration tests it is usually best to have dedicated staff whose only job is offensive security.

My customer wants to see the results of our penetration test. Should I share the results with outside parties?

The penetration test can be a very powerful marketing tool. It shows your sense of due diligence, and can often help ease concerns your customers might have about cyber security. In this day and age there is a heightened awareness of cyber threats in the public. Hardly a day goes by that you don’t read about some high-profile news story that involved some sort of cyber crime. It ultimately is a business decision as to whether you disclose the results of a penetration test, but if you do decide to provide a copy of the penetration test findings, the penetration testing firm should provide an executive summary that’s high-level enough to be presented to interested 3rd parties without disclosing any sensitive information.

What are the different kinds of penetration tests?

There are several different flavors of penetration tests, and each addresses different threats.

External Network Penetration Test

External network penetration tests are focused on the exposed network perimeter. This is typically the best defended as it is exposed to everyone on the Internet. A weakness here could expose the internal network to attack. Perimeter networks must be fully protected at all times as they are under constant pressure from adversaries. The goal of the external network penetration test is typically to gain a foothold inside the DMZ or corporate network, or to find some method of exfiltrating data via the exposed services available from the Internet.

Internal Network Penetration Test

The internal penetration test is focused on simulating what risk a rogue system would pose to the enterprise. This simulation would typically employ a dropbox (an unsanctioned computer with lots of tools on it) but would also be able to simulate the potential exposure to a sophisticated piece of malware or an advanced persistent threat. The goal of the internal penetration test is to find weaknesses at the network or host level that will allow the penetration tester to establish command and control and to ultimately gain full administrative rights over the networks and systems on the network.

Application Penetration Test

Application penetration tests look at the controls of an application (typically a web application) that houses sensitive information. When testing an application the penetration tester will want to assess the way authentication and authorization are handled. The penetration tester will also be focused on how the application maintains session management and tenant segregation. Logic flaws will be identified and tested along with common web based attack vectors such as injection flaws and buffer overruns. Finally, a review of the web server itself will typically be included, with specific emphasis on attacks against any content management software that might be exposed. Testing web applications will typically require 2 or more sets of credentials and careful coordination with application custodians before and sometimes during the test.

Physical Penetration Test

During a physical penetration test the penetration tester will attempt to gain unauthorized access to an office space with the goal of testing physical controls such as doors, windows, security personnel and physical network connections. The ultimate goal of the physical test is to install some device that can then be accessed externally and be used to initiate network and system attacks against the internal network; basically, the goal is to place the dropbox that can then be used to conduct the internal network penetration test.

Social Engineering Test

A social engineering test is an attempt to attack the weakest link in the information security program: the user. During a social engineering test several methods could be deployed to either gain the trust of a user, or to simply trick them into doing something they should never do. The social engineering test is really a test of the corporate security awareness initiative. Some vectors of attack include: phishing emails, spear phishing emails, email spoofing, phone calls, and USB drops. The goal of a social engineering campaign is typically to trick one or more users into relinquishing their credentials, or to get them to click and install malware. NOTE: malware is typically not installed; instead, click-through rates are monitored.

OUR TEAM OF ETHICAL HACKERS WILL SHOW YOU WHERE YOUR VULNERABILITIES ARE, WHETHER IT’S AT THE NETWORK OR APPLICATION LAYER. OUR TEAM HAS YEARS OF EXPERIENCE SUCCESSFULLY HACKING THE MOST COMPLEX SYSTEMS AND NETWORKS.
