PEN TESTING:

PRETTY MUCH EVERYTHING YOU NEED TO KNOW

The ultimate pen testing breakdown, and its role in your security posture.

For most businesses, it is not a matter of if you will have a cyber attack, but when. 

When a breach does occur, the results can be costly.  The average cost of a single cyber security breach can be enormous.  A study from the Ponemon Institute in 2018 tracked the hard dollars spent to recover from breaches over the previous two years.  The results showed the global average cost of a data breach at $3.86 million. That’s an increase of 6.4% from 2017.  And US companies are most at risk.

Breaches for the largest companies were studied separately.  Costs to recover from so-called “mega breaches” were projected to cost companies between $40 million and $350 million.

Some breaches result in significantly more costs, including lawsuits, penalties, and fines.  That doesn’t include the hidden costs, such as loss of trust and damage to your brand or the loss of customers.  In many cases, proprietary data and sensitive customer data is exposed and potentially lost forever.

Managed SIEM services and activities such as tabletop exercises can greatly bolster your security posture in the event that an incident occurs, but pen testing can help you better discover your security gaps before they're taken advantage of. 

What is pen testing?

A penetration test is sometimes called a ‘pen test’ or ‘white hat hacking.’  It is comprised of a series of simulated cyber attacks on your computer systems and networks to discover and intentionally exploit vulnerabilities.  While the main objective of pen testing is to identify weaknesses in your organization’s security, pen testing can also be used to test your security policies, employee compliance with policies, detection and response to security incidents, and compliance with laws, rules, and regulations.

Why is it important to pen test?

Attackers are looking to exploit flaws in your systems.  Penetration testing puts your system through the same stress as cyber criminals would in order to discover weaknesses before the bad guys can.  A cyber security professional running a controlled test can identify risks and help with remediation to prevent future attacks:

  • These simulated attacks reveal where you need to invest in security.  By exposing the greatest weaknesses, you can maximize where you spend your security dollars.
  • Pen tests provide an outside perspective on your security.  When cyber security is done in-house, even with a team of experienced IT professionals, you can be left with blind spots. An outside perspective is like getting a second opinion from pros who know the latest techniques.

While businesses of all sizes are targets, small to medium-sized businesses (SMBs) are most at risk.  Nearly 50 percent of small businesses have already experienced an attack, according to the National Cyber Security Alliance:

Here’s another reason to conduct pen testing: when breaches do occur, they often go unnoticed for significant periods of time.  The average breach can take as many as 197 days to be discovered.  Once discovered, it can take more than two months, on average, to contain.  Obviously, the sooner a breach can be discovered, the less damage that is done. Companies that uncovered a breach and started recovery practices within 30 days saved on average more than a million dollars.

No matter how well you implement your security procedures, you may still be at risk.  Outdated operating systems, missing security patches, vulnerabilities from third-party apps, new IoT (Internet of Things) devices, and BYOD (Bring Your Own Devices) policies all create additional risks.  Studies show that only 47% of companies patch vulnerabilities when they become known.  Such an exploit allowed attackers to compromise more than a billion Yahoo accounts.

Read about the 8 reasons CIOs value pen testing.

pen-test-hole-in-chain-fence

Can pen testing help with compliance?

Depending on your industry, you may have strict compliance regulations.  Even if your industry does not have regulations, you may do business with other companies that do.  In each case, you are responsible for meeting strict security protocols. 

Just about anyone that does business with the government is subject to National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), Federal Information Security Management Act (FISMA), or Defense Federal Acquisition Regulation Supplement (DFARS) rules.  You may be required to follow Sarbanes-Oxley (SOX) and Health Insurance Portability and Accountability Act (HIPAA) rules. If you store or transmit data from cardholders, such as credit cards, Payment Card Industry Data Security Standards (PCI-DSS) rules apply.

Penetration testing can reveal vulnerabilities that violate the provisions of these rules and regulations.  It can also provide documentation of security procedures and protocols that are required.  Several of these requirements involve not just passive and active monitoring of security threats but documentation of steps to increase organizational security posture.  Pen testing may itself be a requirement.

Laws, rules, and regulations are evolving as well.  If you do business anywhere in the European Union (EU), there are new data and privacy regulations that are now in effect under the EU’s General Data Protection Regulation (GDPR).  Failing to follow these regulations can bring fines:

  • Up to the greater of €10 million ($11.2 million) or 2% of global annual revenue for the infringement of data controller or processor obligations
  • Up to the greater of €20 million ($22.5 million) or 4% of global annual revenue for the infringement of the key provisions of the GDPR, including but not limited to data processing or transfer non-compliance, and infringement of rights

California’s newly passed California Consumer Privacy Act (CCPA) goes into effect in 2020.  Canada’s Personal Information Protection and Electronics Document Act (PIPEDA) dictates how private businesses must handle personal data.

Even if you do not do business in the EU, California, or Canada, you may still be subject to some provisions depending on your online footprint.

HOW OFTEN SHOULD YOU PEN TEST?

At a minimum, full-scale penetration testing should be conducted once a year to ensure consistent network security. Regular testing can make sure you maintain security while automated and ongoing testing can keep systems safe and provide alerts when breach attempts occur.

In addition, you should conduct pen tests whenever you do the following:

 

Add new network infrastructure or applications
Make significant modifications
Connect or establish new remote locations
Apply security policies
Modify user policies

 

How comprehensive your penetration testing is and how often you test will be unique to your organization.  Some businesses are required by law to perform security audits and provide proof at regular intervals.  Large businesses may have more data at risk.  Online companies may have more entry points and attack vectors.  Cloud infrastructure and open architecture may indicate more frequent testing.

Pen Testing Tools 

Tools used for penetration testing will simulate real attacks and help to identify vulnerabilities and then exploit them.  Pen testers will scan for vulnerable code in applications that may provide opportunity for malicious action.  (Read about the difference between pen testing and vulnerability assessments.) The tests will prove encryption techniques and look for hard-coded values that allow for access or that can be exposed.  Automated tools will provide thorough testing of basic security controls. 

Many of the pen testing tools that are used are modified, open-source software, enabling pen testers to work with the same tools that cyber criminals use.

There are several hundred open-source penetration testing tools available.  The list below represents a sampling of some of the most popular pen testing tools.  There are literally hundreds of variants. Specific environments may call for their own pen testing tools, such as mobile apps.

Here is a brief list of some more commonly used tools:

Metasploit can be used on web apps, servers, and networks.  It also has built-in plugins for some other vulnerability scanners, including Nessus, Nexpose, OpenVAS, and WMAP.

ZAP (Zed Attack Proxy) is an open-source, multi-platform tool developed by the Open Web Application Security Project (OWASP).

Wfuzz is used for brute-force web apps.  Developed in Python, Wfuzz can expose LDAP, SQL, and XSS injection vulnerabilities.

Wapiti performs black box testing using little or no information and provides support for both GET and POST HTTP attack methods.

Nmap is an open-source network mapper. Nmap identifies open ports on target hosts and can map network inventory and assets while exposing network vulnerabilities.

w3af allows for security testing frameworks developed using Python.  This tool can detect more than 200 types of security issues in web apps.

sqlmap is an automated solution for detecting SQL injection vulnerabilities, including Boolean-based, error-based, out-of-band, stacked queries, Time-based blind, and UNION query.

Burp Suite is a graphical testing tool for Web apps.  Its proxy function allows manual testing by intercepting all requests and responses between apps and browsers.

SonarQube is open-source software used to measure source code quality. Written in Java, it can also highlight vulnerabilities for cross-site scripting, DoS (Denial of Service) attacks, and memory corruption.

Kali Linux supports only Linux machines and can perform more than 600 penetration tests, computer forensics, and reverse engineering.

nogotofail is a network traffic security testing tool developed by Google.  This tool detects TLS/SSL vulnerabilities and configuration issues, including MITM attacks, SSL certificate verification issues, SSL injection, and TLS injection.

Cain & Abel is a password recovery tool for Microsoft Windows that can crack many encrypted passwords and network keys. This tool can surface security concerns about dictionary attacks, brute force, and cryptanalysis attacks.

John the Ripper (JtR) identifies weak password vulnerabilities on networks.  This tool cracks even complex passwords and surfaces brute-force and RainbowCrack attack vulnerabilities.  It works on UNIX, Windows, and DOS.

Iron Wasp can detect false positives and negatives.  This open-source tool can detect more than 25 web application vulnerabilities, including broken authentication, cross-site scripting, CSRF, hidden parameters, and privilege escalation.

Grabber is used to scan small web applications such as small-scale websites or forums.  Written in Python, this tool targets vulnerabilities such as back files, file inclusion, AJAX verification, and SQL injection.

Arachni is another open-source tool for detecting vulnerabilities such as invalidated redirects, local and remote file inclusion, SQL and XSS injections.

Resources

NEW-Pen-Test-Vendor-Guide VulnNotifications OD-Pen-Test-Webinar-8-28-19
How to Select the Right Pen Test Vendor for Your Business Penetration Testing Sample Reports Penetration Testing Webinar

 

A Step-by-Step Pen Test PROCESS

Penetration testing is typically broken down into stages.  These phases are critical for both organizations and pen test professionals in order to understand and manage the process.

Read more about the seven steps of pen testing

Pre-Engagement Interactions:  Planning & Defining Scope

Defining the scope and goals of the pen test, including systems to be addressed and which testing methodologies, will be implemented in the first phase.  This will also include creating a roadmap of networks, systems, and potential targets for testing.

It’s important for both parties to outline the logistics of the tests and have a clear understanding of expectations.  This will include goals and objectives, as well as the legal implications of the testing process.  Assessment options will be presented for selection: it’s important to make sure these options align with organizational goals.

Additional issues to consider may be any legal requirements, compliance regulations, software agreements, and third-party agreements when outlining your penetration testing.

Reconnaissance or Open Source Intelligence (OSINT) Gathering

This step includes an examination of publicly available information and extracting relevant information that attackers might use to target an organization, including the identification of items such as the following:

  • IP addresses, subdomains, ports, and third-party connections
  • Technologies, app platforms, and infrastructure
  • Sensitive information such as API keys, AWS S3 buckets, and leaked credentials
  • Log files, backup files, client-side code, config files, database files, and JavaScript libraries

All critical information across networks, systems, routers, and access points should be identified.  Pen testers may also need to identify additional information on their own to explore vulnerabilities and entry points.

Penetration testing can get very detailed.  Reconnaissance and open-source intelligence gathering efforts need to look at targets through the eyes of cyber criminals, which means using some of the same techniques such as public records, financial records, and social engineering, including:

  • Tax Records
  • Quarterly and annual reports
  • Publicly known email addresses, usernames, and social networks
  • Port scanning, reverse DNS, packet sniffing, and ping sweeps
  • Social engineering, blogs, forums, and websites
  • Documentation

A lot of public data (and some not-so-public data) is accessible concerning your organization.  Most of the information is spread out across different parts of the internet and will take time to find and correlate.  Penetration testing experts should use intel and data collection practices as detailed in the OSINT Framework. Read more about Open Source Intelligence.

Threat Modeling & Vulnerability Identification

This phase of pen testing identifies specific targets within your networks and systems, and maps attack vectors.  Testing will target and categorize high-value business assets such as intellectual property, customer data, and employee data.

Testing will also identify and categorize threat actors such as employees, management, vendors, and third parties.  Similarly, attack surfaces such as ports, web applications, network traffic, and network protocols will be examined.

Static scanning analysis will examine the code that drives an application and stress-test it to see how it reacts to various penetration tests while running.  Dynamic analysis provides a real-time view of performance and potential vulnerabilities. 

This vulnerability scanning will help validate whether vulnerabilities are exploitable. Read more about vulnerability scanning best practices.

Exploitation of Vulnerabilities

Armed with a roadmap of potential breach point and vulnerabilities, pen testers will start to hone in on and attempt to exploit vulnerabilities that have been found.

Targeted testing will attempt to exploit remote code execution and information disclosure vulnerabilities.  Web application tests try to identify injection attacks that generate provocative responses.  Once identified, expert testers will interrogate these issues further to determine the depth of risk associated with them.  Attacks might include stealing credentials and data, and escalating privileges to see what kind of damage can be done once cyber criminals gain access to your network.

Depending upon the scope of your pen test agreement, testers may focus on the most likely tactics that cyber criminals deploy:

  • Network attacks
  • Memory-based attacks
  • Router and Wi-Fi attacks
  • Web application attacks
  • Zero-Day attacks
  • Physical attacks
  • Social Engineering attacks

Other testing will probe for the ability of attackers to maintain system access. Once a breach is discovered, mitigation efforts must ensure that cyber criminals do not have the ability to create a persistent presence within your systems.  You do not want to patch a vulnerability but then allow attackers to maintain a backdoor into your system or have prolonged access to launch advanced persistent threats (APTs).

Post-Exploitation, Risk Analysis & Recommendations

After the exploitation phase has been completed, the goal is to document vulnerabilities.  The results of the pen tests are compiled into detailed reports showing uncovered vulnerabilities, data exposure, and what other damage can be done.  Reports will be prioritized to show the greatest vulnerabilities and recommend additional security procedures to implement in order to minimize the risks.

Reporting

The reporting phase may be the most critical part of your penetration test.  You will receive a written report detailing your threat risks and showing you what you need to do to improve your security.  The pen test report will show you exactly which attack surfaces were discovered, tactics attackers might use to gain access, and the damage that can be done.  It will also list tactics that you can deploy to resolve these vulnerabilities and fix security holes.

Your report will prioritize and rank vulnerabilities.  A typical report might categorize Critical, High, Medium, and Low-Level threats, and you will also be presented with a roadmap of mitigation recommendations.

After the penetration testing process is complete, your pen tester will clean up your environment, including removing software, scripts, files, and executables that were left behind during testing.  They will reconfigure settings back to their original parameters (prior to the penetration tests), eliminate rootkits installed during the testing, and remove user accounts and elevation levels created during testing.

Learn how to read a vulnerability assessment report

Ways to Conduct a Pen Test

Which type of testing you do and what you do test will be defined as part of your planning and pre-engagement interactions.  Different approaches can be used to provide different types of information.

 The most popular types of testing include the following:

Black Box
Testing

Double Blind Pen Testing

White Box
Testing

Targeted Pen
Testing

No System Is
Bullet Proof

A blind, or black box, penetration test strategy simulates a cyber attack under specific conditions.  Testers may be provided with limited data about the target, such as only a company name or website address, prior to testing.

Also known as covert testing. Like the blind pen test, limited information is given to the team doing the security assessment and risk analysis.  At the same time, the tests are done in secret with only a few key company personnel apprised of what’s happening.  This can be useful for testing a company’s internal monitoring and alerting systems.  It can also be used to judge identification, response, and remediation efforts after breach detection.

In White Box testing, the team doing the testing has been provided with more information, including details about IP addresses, network schematics, infrastructure, protocols, and source code.  This information is used to do a regimented, item-by-item threat assessment.

Targeted penetration testing is focused on specific applications or critical business systems.  While it does not provide a review of an organization’s entire security posture, this testing does examine key operations of concern.  Because it is narrower in scope, there is reduced cost and minimal disruptions to operations, and it can be completed more quickly.  Some businesses do targeted penetration testing of mission-critical operations prior to doing a more comprehensive test.

Even if you have invested in cyber defenses, recent experiences indicate that no system is 100% bullet-proof.  Sophisticated attackers are constantly learning new tricks and techniques to breach your systems. You'll want dedicated pen test vendors, not a crowdsourced solution.

Attackers are no longer loners sitting in dark basements.  With the amount of money at stake and the damage that can be done, cyber attacks are now the domain of organized crime and hostile nation-states.

If you have not been hit by a data breach or hacking attempt, congratulations!  You’re one of the lucky ones: one in four companies will experience a data breach in the next two years. 

Pen Testing for Different Environments

Your specific environment will dictate which types of pen tests are needed. 

NETWORK TESTING

Accessing your network is like getting the keys to the kingdom. Once attackers get inside your systems, the potential for damage is great.

External Pen Testing

In an external pen test, testers will assess internet-facing assets.  Tests will focus on various attempts to gain entry to company networks by leveraging vulnerabilities; VPN, email, website, and file/document sharing may be tested for exploits.

Reconnaissance and intelligence gathering scans for open ports and other external pathways into organization networks.  Successful breaching of these external entry points will provide the basis for internal testing.

Internal Pen Testing

This assessment addresses internal systems, and often follows the external testing.  Internal penetration testing focuses on places an intruder can enter once they access a network.  In a weak security environment, cyber criminals may have access to everything.  Internal security controls typically partition systems to avoid a total takeover.  When these roadblocks are encountered, internal testing will attempt to find detours to get around them.  Testers will prod and probe various systems within the network, attempting to continually elevate privileges and access.

Read more about why both internal and external pen testing are important.

APPLICATIONS TESTING

Applications are nearly omnipresent in today’s business environment. With cloud-based apps and constant internet connections, there are increased security threats that didn’t exist even a few years ago.

Web Apps & Services

Web apps make up one of the most significant vulnerabilities that organizations have today.  As more workers are using mobile devices and mixing company and personal devices, the threat increases. 

One recent study found malware, crypto mining software, and malicious code in more than half of the apps they tested that made it into the Android and iOS app store.  Spoofed apps and gaming apps have been found to be loaded with malware.  Half a million Android users installed an app that appeared to crash when executed.  Instead, it launched malware and deleted its icon tricking users into thinking it was no longer on their smartphone.

The number of mobile devices has now surpassed the number of desktop devices.  Nearly every single one is running some combination of apps.  More than half of 15,000 tested mobile apps violated the OWASP list of Top 10 standards for data storage security. 

Read more about the necessary application assessment components. or mobile app foundational facts.

Thick & Thin Clients

When it comes to client/server architecture, you need to test both the client and the server that is handling the workload.  Thin-client applications are typically small apps that provide a connection to network computing power.  The thin client provides the connection, but the heavy lifting is done on the server.  Thick clients do not need continuous server access: the application does the processing locally and connects mainly for archival, storage, or updates.

Thick clients are also known as heavy, rich, or fat clients.  Dynamic penetration testing can follow the data flow from the client to the server.  It will typically include input validation to test for items such as SQL or command injections, malicious file uploads, secure traffic and encryption, and session management.  Static testing may include reverse engineering, interception proxies, traffic analysis, and executable checking tools.

Thin client penetration testing focuses more on attempts to bypass authentication between the thin client and the server.  While there is little to no data on the client side, the thin client provides an entry point for servers and may provide access to network resources.

Secure Code Review

This analysis involves a manual review of software source code.  The source code will be audited to make sure the proper security controls are in place.  It will test logic, functionality, and organization, and look for potential vulnerabilities.  It will also examine applications of ciphers for sensitive data and what happens during transmission and storage.

OTHER ENVIRONMENTS

Your devices are only as secure as the network through which the data passes.

Wi-Fi Networks

An often-overlooked security threat is when company devices or data is used on public Wi-Fi networks.  Poor end-to-end encryption can put your data at risk for man-in-the-middle attacks.

IoT (Internet of Things)

With more devices using IoT technology, these additional connections present other potential entry points.  IoT devices are predicted to grow from their current number of 11 billion worldwide in 2018 to 20 billion by 2020.  That would mean more IoT devices in service than there are people in the world.  And you can’t afford to leave your security in the hands of IoT manufacturers.

ICS/SCADA

ICS (Industrials Control Systems) and SCADA (Supervisory Control and Data Acquisition) networks are also common subjects of attention for cyber criminals.  They may be targeted to steal proprietary information about industrial processes or to provide another access path to company networks.

Routers

Older equipment that may not have been updated is vulnerable to security threats.  Russian state-sponsored attackers showed exactly how easy it can be to backdoor into networks when they targeted millions of unpatched and legacy routers.  They managed to disrupt business, government, critical infrastructure producers, and ISPs.

Security audits, combined with penetration testing, can make sure you are up-to-date on software and firmware upgrades, and detail potential threats.

The RedLegg Pen Test Methodology

The RedLegg methodology for conducting penetration testing provides high-quality results and detailed corrective actions that can help lower the overall risk of the tested environment. Each assessment is a specialized event unique to each client and application.

During formal scoping, clients can request internal and external testing options, network, web, and password testing tactics, visibility (blind) options, as well as denial of service (DoS) testing. The testing phases are summarized below:

Phase 1 – Reconnaissance

During this phase, RedLegg generates threat intelligence, researches OSINT available about the organization, and enumerates the network to discover ports, services, and potential attack vectors for use during testing. 

Phase 2 – Validation

RedLegg validates the reconnaissance findings to determine whether a vulnerability exists and is actionable.  Any vulnerability that can be validated as 100% false (false positive) is removed from the test during this phase.

Phase 3 – Threat Model

RedLegg creates a Threat Model of the organization based on the client vertical and any discovered threat intelligence affecting the organization.

Phase 4 – Attack Plan

RedLegg creates an Attack Plan based on the generated threat model for the organization, and the information discovered during Phase 1 and validated during Phase 2.  This plan focuses, as a priority, on in-scope attack techniques that are likely to be leveraged against the organization.

Phase 5 – Exploitation

RedLegg attempts to gain a foothold on an exploitable system based on the Attack Plan.  RedLegg will leverage any footholds to achieve the mutually understood client testing objective. 

Phase 6 – Deliverable Creation

Based on client request, RedLegg supplies up to three deliverables detailing the results of the assessment: an executive Penetration Testing Report, a spreadsheet containing the discovered vulnerabilities, and a package containing the raw data from the penetration test. 

Phase 7 – Debriefing

Once the deliverables have been received, RedLegg schedules a debriefing meeting to discuss the results of the assessment.  During this phase, RedLegg works with the client to determine any necessary changes to the report.

Phase 8 – Retesting (Optional)

Within 90 days of the findings meeting, RedLegg can perform two types of retesting, by client request.  The first type tests any discovered and reported vulnerabilities that the client says are now remediated; any tested items found to be remediated are updated with that information in the report.  The second type is a full retest of the network scope to determine whether any fixes have created new vulnerabilities.

 

Review RedLegg's Sample Reports

 

Additional Services

RedLegg also offers vulnerability scanning (discovery only), vulnerability assessment (reconnaissance and validation only), full application assessment, secure code review, and social engineering testing services. Learn more about RedLegg's pen testing methodology and pen testing services.

redlegg-is-here-to-helpRedLegg Can Help

Trust RedLegg to help protect your organization with penetration testing. 

  • Gain insight into the risks you face by identifying vulnerabilities and detecting potential breach points.
  • Prioritize the biggest threats and strategically plan your road map to safeguard your organization.
  • Reduce the impact and likelihood of a successful breach and data exfiltration.
  • Senior level assessors enhance your defense strategy with experience in your sector and vertical.
  • Show stakeholders and customers your commitment to secure and protect their most valuable assets.

RedLegg’s innovative cyber security solutions deliver real results.  More importantly, they provide peace of mind.  From consulting to advising, proactive monitoring and battle testing, we can guide you through the process.  The cost of pen testing can vary greatly depending on your unique situation and how you need to approach security.  

PROTECT YOUR NETWORK WITH PENETRATION TESTING

Learn what testing will better protect your company from a data breach or security incident.

REACH OUT TO AN EXPERT