PENETRATION TESTING
Topics:
• Various types of penetration testing
• Security audit
• Vulnerability assessment
• Penetration testing roadmap
• Mapping
• Discovery
• Exploitation
Penetration Testing
• A penetration test (pen test) is an authorized simulated attack performed on a computer system
to evaluate its security. Penetration testers use the same tools, techniques, and processes as
attackers to find and demonstrate the business impacts of weaknesses in a system. Penetration
tests usually simulate a variety of attacks that could threaten a business. They can examine
whether a system is robust enough to withstand attacks from authenticated and
unauthenticated positions, as well as a range of system roles. With the right scope, a pen test
can dive into any aspect of a system.
Benefits of Penetration Testing:
Ideally, software and systems are designed from the start with the aim of eliminating dangerous
security flaws. A pen test provides insight into how well that aim was achieved.
Pen testing can help an organization:
• Find weaknesses in systems
• Determine the robustness of controls
• Support compliance with data privacy and security regulations (e.g., PCI DSS, HIPAA, GDPR)
• Provide qualitative and quantitative examples of current security posture and budget priorities
for management
Types of Penetration Testing:
1. Internal/External Infrastructure Penetration Testing:
An assessment of on-premises and cloud network infrastructure, including firewalls, system hosts
and devices such as routers and switches. It can be framed as either an internal penetration test,
focusing on assets inside the corporate network, or an external penetration test, targeting
internet-facing infrastructure. To scope a test, you will need to know the number of internal and
external IPs to be tested, the network subnet size and the number of sites.
2. Wireless Penetration Testing
A test that specifically targets an organization's WLAN (wireless local area network), as well as
wireless protocols including Bluetooth, ZigBee and Z-Wave. It helps to identify rogue access points,
weaknesses in encryption and WPA vulnerabilities. To scope an engagement, testers will need to
know the number of wireless and guest networks, locations and unique SSIDs to be assessed.
3. Web Application Testing
An assessment of websites and custom applications delivered over the web, looking to uncover
coding, design and development flaws that could be maliciously exploited. Before approaching a
testing provider, it’s important to ascertain the number of apps that need testing, as well as the
number of static pages, dynamic pages and input fields to be assessed.
4. Mobile Application Testing
The testing of mobile applications on operating systems including Android and iOS to identify
authentication, authorization, data leakage and session handling issues. To scope a test, providers
will need to know the operating system types and versions they’d like an app to be tested on,
number of API calls and requirements for jailbreaking and root detection.
5. Build and Configuration Review
Review of network builds and configurations to identify misconfigurations across web and app
servers, routers and firewalls. The number of builds, operating systems and application servers to be
reviewed during testing is crucial information to help scope this type of engagement.
6. Social Engineering
An assessment of the ability of your systems and personnel to detect and respond to email
phishing attacks. Gain precise insight into the potential risks through customized phishing, spear
phishing and Business Email Compromise (BEC) attacks.
7. Cloud Penetration Testing
Custom cloud security assessments to help your organization overcome shared responsibility
challenges by uncovering and addressing vulnerabilities across cloud and hybrid environments that
could leave critical assets exposed.
8. Agile Penetration Testing
Continuous, developer-centric security assessments designed to identify and remediate security
vulnerabilities throughout the entire development cycle. This agile approach helps to ensure that
every product release, whether it is a minor bug fix or a major feature, has been vetted from a
security perspective.
Different Approaches of Penetration Testing
The amount of information shared prior to an engagement can have a huge influence on its
outcomes.
The different approaches to penetration testing include:
• White Box
• Black Box
• Gray Box
1. White box penetration testing:
White box penetration testing, sometimes referred to as crystal or oblique box pen testing,
involves sharing full network and system information with the tester, including network maps and
credentials. This helps to save time and reduce the overall cost of an engagement. A white box
penetration test is useful for simulating a targeted attack on a specific system utilizing as many
attack vectors as possible.
2. Black box penetration testing
In a black box penetration test, no information is provided to the tester at all. The pen tester in this instance
follows the approach of an unprivileged attacker, from initial access and execution through to exploitation. This
scenario can be seen as the most authentic, demonstrating how an adversary with no inside knowledge would
target and compromise an organization. However, this typically makes it the costliest option too.
3. Grey box penetration testing:
In a grey box penetration test, also known as a translucent box test, only limited information is shared with the
tester. Usually this takes the form of login credentials. Grey box testing is useful to help understand the level of
access a privileged user could gain and the potential damage they could cause. Grey box tests strike a balance
between depth and efficiency and can be used to simulate either an insider threat or an attack that has
breached the network perimeter.
• In most real-world attacks, a persistent adversary will conduct reconnaissance on the target environment,
giving them similar knowledge to an insider. Grey box testing is often favored by customers as the best balance
between efficiency and authenticity, stripping out the potentially time-consuming reconnaissance phase.
Penetration Testing Process
The Five Phases of Penetration Testing
1. Reconnaissance
2. Scanning and Discovery
3. Vulnerability assessment
4. Exploitation
5. Reporting
1. Reconnaissance:
• In this phase, the tester gathers as much information about the target system as they can,
including information about the network topology, operating systems and applications, user
accounts, and other relevant information.
• The goal is to gather as much data as possible so that the tester can plan an effective attack
strategy.
• Reconnaissance can be categorized as either active or passive, depending on the methods used
to gather information.
• Passive reconnaissance pulls information from resources that are already publicly available,
whereas active reconnaissance involves directly interacting with the target system to gain
information.
• Typically, both methods are necessary to form a full picture of the target’s vulnerabilities.
2. Scanning and discovery:
• Once all the relevant data has been gathered in the reconnaissance phase, it’s time to move on
to scanning.
• In this penetration testing phase, the tester uses various tools to identify open ports and check
network traffic on the target system.
• Because open ports are potential entry points for attackers, penetration testers need to identify
as many open ports as possible for the next penetration testing phase.
• This step can also be performed outside of penetration testing; in those cases, it’s referred to
simply as vulnerability scanning and is usually an automated process.
• However, there are drawbacks to only performing a scan without a full penetration test—
namely, scanning can identify a potential threat but cannot determine the level at which hackers
can gain access.
• So, while scanning is essential for cybersecurity, it also needs human intervention in the form of
penetration testers to reach its full potential.
3. Vulnerability Assessment
• The third penetration testing phase is vulnerability assessment, in which the tester uses all the
data gathered in the reconnaissance and scanning phases to identify potential vulnerabilities and
determine whether they can be exploited.
• Much like scanning, vulnerability assessment is a useful tool on its own but is more powerful
when combined with the other penetration testing phases.
• When determining the risk of discovered vulnerabilities during this stage, penetration testers
have many resources to turn to.
• One is the National Vulnerability Database (NVD), a repository of vulnerability management data
created and maintained by the U.S. government that analyzes the software vulnerabilities
published in the Common Vulnerabilities and Exposures (CVE) database.
• The NVD rates the severity of known vulnerabilities using the Common Vulnerability Scoring
System (CVSS).
4. Exploitation:
• Once vulnerabilities have been identified, it’s time for exploitation.
• In this penetration testing phase, the penetration tester attempts to access the target system and exploit
the identified vulnerabilities, typically by using a tool like Metasploit to simulate real-world attacks.
• This is perhaps the most delicate penetration testing phase because accessing the target system requires
bypassing security restrictions.
• Though system crashes during penetration testing are rare, testers must still be cautious to ensure that the
system isn’t compromised or damaged.
5. Reporting:
• Once the exploitation phase is complete, the tester prepares a report documenting the penetration test’s
findings.
• The report generated in this final penetration testing phase can be used to fix any vulnerabilities found in
the system and improve the organization’s security posture.
• Building a penetration testing report requires clearly documenting vulnerabilities and putting them into
context so that the organization can remediate its security risks.
Security Audit
A security audit, also known as a cybersecurity audit, is a comprehensive assessment of your organization’s
information systems; typically, this assessment measures your information system’s security against
an audit checklist of industry best practices, externally established standards, and/or federal regulations.
A comprehensive security audit will assess an organization’s security controls relating to the following:
• Physical components of your information system and the environment in which the information system is
housed.
• Applications and software, including security patches your systems administrators have already
implemented.
• Network vulnerabilities, including public and private access and firewall configurations.
• The human dimension, including how employees collect, share, and store highly sensitive information.
• The organization’s overall security strategy, including security policies, organization charts, and risk
assessments.
Security Audit Work
• A security audit works by testing whether your organization’s information systems are adhering
to a set of internal or external criteria regulating data security, network security, and
infrastructure security.
• Internal criteria include your company’s IT policies, procedures, and security controls.
• External criteria include federal regulations like the Health Insurance Portability and
Accountability Act (HIPAA) and Sarbanes-Oxley Act (SOX), and standards set by the International
Organization for Standardization (ISO) or the National Institute of Standards and Technology
(NIST).
• Using a blend of internal and external criteria typically yields the best benefits for organizations
performing these types of audits.
• A security audit compares your organization’s actual IT practices with the standards relevant to
your enterprise and will identify areas for remediation and growth.
• Specifically, auditors will review security controls for adequacy, validate compliance with security
policies, identify breaches, and ultimately make recommendations to address their findings.
• The audit will result in a report with observations, recommended changes, and other details
about your security program. The audit report may describe specific security vulnerabilities or
reveal previously undiscovered security breaches.
• These findings can then be used to inform your cybersecurity risk management approach. Most
of the time, auditors will rank their findings in order of priority — it’s up to your organization’s
stakeholders to determine if those priorities align with the business’s strategies and objectives.
Importance and Purpose of Security Audit
• A security audit will provide a roadmap of your organization’s main information security
weaknesses and identify where it is meeting the criteria the organization has set out to follow
and where it isn’t.
• Security audits are crucial to developing risk assessment plans and mitigation strategies for
organizations dealing with sensitive and confidential data.
• Successful security audits should give your team a snapshot of your organization’s security
posture at that point in time and provide enough detail to give your team a place to start with
remediation or improvement activities.
• Some security-centric audits may also serve as formal compliance audits, completed by a third-party
audit team for the purpose of certifying against ISO 27001 or receiving a SOC 2 attestation, for example.
• Security audits also provide your organization with a different view of IT security practices and
strategy, whether they are conducted by an internal audit function or through an external audit.
• Having your organization’s security policies scrutinized can provide valuable insights into how to
implement better controls or streamline existing processes.
• With cyber-attacks coming from every angle and some threats originating internally, having a
faceted view of cybersecurity amplifies an organization’s capability to respond to security
threats.
• Security audits are an important tool and method for operating an up-to-date and effective
information security program.
Vulnerability Assessment:
• A vulnerability assessment is a systematic review of security weaknesses in an
information system. It evaluates whether the system is susceptible to any known vulnerabilities,
assigns severity levels to those vulnerabilities, and recommends remediation or
mitigation whenever needed.
Examples of threats that can be prevented by vulnerability assessment include:
• SQL injection, XSS and other code injection attacks.
• Escalation of privileges due to faulty authentication mechanisms.
• Insecure defaults – software that ships with insecure settings, such as guessable admin
passwords.
There are several types of vulnerability assessments.
These include:
• Host assessment – The assessment of critical servers, which may be vulnerable to attacks if not
adequately tested or not generated from a tested machine image.
• Network and wireless assessment – The assessment of policies and practices to prevent
unauthorized access to private or public networks and network-accessible resources.
• Database assessment – The assessment of databases or big data systems for vulnerabilities and
misconfigurations, identifying rogue databases or insecure dev/test environments, and
classifying sensitive data across an organization’s infrastructure.
• Application scans – The identification of security vulnerabilities in web applications and their
source code by automated scans of the front end or static/dynamic analysis of the source code.
Security scanning process in Vulnerability assessment
The security scanning process consists of four steps: testing, analysis, assessment and remediation.
1. Vulnerability identification (testing)
• The objective of this step is to draft a comprehensive list of an application’s vulnerabilities.
Security analysts test the security health of applications, servers or other systems by scanning
them with automated tools, or testing and evaluating them manually. Analysts also rely on
vulnerability databases, vendor vulnerability announcements, asset management systems
and threat intelligence feeds to identify security weaknesses.
2. Vulnerability analysis
• The objective of this step is to identify the source and root cause of the vulnerabilities identified
in step one.
• It involves the identification of system components responsible for each vulnerability, and the
root cause of the vulnerability. For example, the root cause of a vulnerability could be an old
version of an open source library. This provides a clear path for remediation – upgrading the
library.
3. Risk assessment
• The objective of this step is to prioritize vulnerabilities. It involves security analysts assigning a rank or severity
score to each vulnerability, based on such factors as:
• Which systems are affected.
• What data is at risk.
• Which business functions are at risk.
• Ease of attack or compromise.
• Severity of an attack.
• Potential damage as a result of the vulnerability.
4. Remediation
• The objective of this step is to close security gaps. It’s typically a joint effort by security staff, development and
operations teams, who determine the most effective path for remediation or mitigation of each vulnerability.
• Specific remediation steps might include:
• Introduction of new security procedures, measures or tools.
• Operational or configuration changes.
• Development and implementation of a vulnerability patch.
Vulnerability Assessment Vs. Penetration Testing Comparison
Performed by
• Vulnerability Scan: Usually done by in-house staff using authenticated credentials, as it does not require a high skill level.
• Penetration Test: Usually outsourced to independent penetration testing service providers, as it requires a great deal of skill.
Frequency
• Vulnerability Scan: Done at least quarterly, especially if new equipment is loaded or there are significant changes in the network.
• Penetration Test: Done once or twice a year, or any time there are significant changes to the internet-facing equipment.
Focus
• Vulnerability Scan: Lists the known software weaknesses that hackers can exploit.
• Penetration Test: Detects unknown and exploitable weaknesses in a normal business process.
Reports
• Vulnerability Scan: Provides a comprehensive baseline of the weaknesses present in a system and what has changed since the last report.
• Penetration Test: Concisely identifies the data that was compromised.
Value
• Vulnerability Scan: Used to detect when equipment can be exploited.
• Penetration Test: Used to identify and reduce weaknesses in a system.
Discovery
• Once the scope has been established, pen testing teams can get to work.
• In this discovery phase, teams perform different types of reconnaissance on their target. On the
technical side, details such as IP addresses can reveal information about firewalls and
other connections.
• On the personal side, data as simple as names, job titles, and email addresses can hold great
value.
• Attackers can use this data to send phishing emails or figure out who may have privileged
credentials, with which they can get full access to the environment.
• Additionally, before exploiting a system, pen testing teams must look for weaknesses within the
environment.
• Often referred to as footprinting, this phase of discovery involves gathering as much information
about the target systems, networks, and their owners as possible without attempting to
penetrate them.
• An automated scan is one technique that can be used to search for vulnerabilities that can be
used as a doorway.
• The discovery phase consists of scanning and asset analysis.
• Typically, the tester will use a network scanning tool such as nmap to identify which assets are
available and to gather some basic information about them such as operating system, open ports
and running services.
• The penetration tester may or may not already have a list of targets by IP. In a white box test,
targets and some asset/network information are provided and available to the tester.
• A black box test, on the other hand, starts with little to no information about the targets or
network, with the tester usually only having a domain or organization name.
• In a black box test, however, it’s still good practice to provide the tester with an asset inventory
and scope guidelines for the purpose of confirming ownership before they take any actions.
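An added example of the discovery step described above (not code from these slides or their sources): it parses a constructed nmap grepable-format (-oG) report into an asset inventory of hosts, OS guesses and open services, then checks every discovered host against the scope guidelines and the client's asset inventory so that ownership is confirmed before anything is tested. The sample scan output, the CIDR range and the inventory are constructed assumptions.

```python
"""Constructed example: nmap grepable output -> asset inventory -> scope and ownership check."""
import ipaddress
import re

# Constructed sample of `nmap -sV -O -oG -` output. Hosts, names and versions are made up.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -O -oG - 10.10.0.0/28 10.10.1.20
Host: 10.10.0.5 (web01.example.test)\tStatus: Up
Host: 10.10.0.5 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (997)\tOS: Linux 5.15
Host: 10.10.0.9 ()\tStatus: Up
Host: 10.10.0.9 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (999)\tOS: Windows Server 2019
Host: 10.10.1.20 (printer.example.test)\tStatus: Up
Host: 10.10.1.20 (printer.example.test)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
# Nmap done -- 17 IP addresses (3 hosts up)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

def parse_gnmap(text):
    """Return {ip: {"hostname": str, "os": str|None, "ports": [(port, proto, service, version), ...]}}."""
    assets = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines
        ip, hostname, rest = m.groups()
        asset = assets.setdefault(ip, {"hostname": hostname, "os": None, "ports": []})
        for field in rest.split("\t"):  # e.g. "Ports: ...", "Ignored State: ...", "OS: ..."
            key, _, value = field.partition(": ")
            if key == "OS":
                asset["os"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    # port/state/protocol/owner/service/rpc info/version/ (7 fields, trailing slash)
                    f = entry.split("/")
                    if f[1] == "open":
                        asset["ports"].append((int(f[0]), f[2], f[4], "/".join(f[6:-1])))
    return assets

def check_scope(assets, scope_cidrs, inventory):
    """Classify each discovered host before any active testing touches it."""
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]
    verdicts = {}
    for ip in assets:
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            verdicts[ip] = "OUT OF SCOPE: do not test"
        elif ip in inventory:
            verdicts[ip] = "in scope, in client inventory: ownership confirmed"
        else:
            verdicts[ip] = "in scope range but not in inventory: confirm ownership with client first"
    return verdicts

# Constructed scope guidelines and client asset inventory for the sample scan.
SCOPE = ["10.10.0.0/24"]
INVENTORY = {"10.10.0.5": "web01 (DMZ web server)"}

if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for ip, verdict in check_scope(found, SCOPE, INVENTORY).items():
        ports = ", ".join(f"{p}/{proto} {svc} {ver}".strip() for p, proto, svc, ver in found[ip]["ports"])
        print(f"{ip:12} {found[ip]['hostname'] or '-':22} {found[ip]['os'] or '-':22} {verdict}\n    {ports}")
```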
Exploitation
• Exploitation refers to the process of using a vulnerability to gain unauthorized access to a system
or extract sensitive information.
• The goal of exploitation in penetration testing is not to cause harm to the target system but to
demonstrate the potential consequences of a successful attack and to provide recommendations
to mitigate the risk.
• This can be done by exploiting weak passwords or unpatched operating systems, or by taking
advantage of misconfigurations and injection vulnerabilities.
• This may use various techniques, such as brute force attacks, SQL injection, session hijacking,
cross-site scripting, buffer overflows and code injection.
Types of Exploitation Techniques:
• Remote Exploitation
In this technique, the tester attempts to exploit vulnerabilities in the target system from a remote location,
such as over the internet. Remote exploitation can be particularly challenging, as it requires the tester to
bypass any firewalls, intrusion detection systems, and other security controls in place.
• Local Exploitation
Local exploitation involves exploiting vulnerabilities in a system that the tester has physical access to. This can
involve using USB drives or other physical devices to gain access to the target system.
• Client-side Exploitation
Client-side exploitation involves exploiting vulnerabilities in client applications, such as web browsers or email
clients. These vulnerabilities can be used to execute malicious code on the target system.
• Social Engineering
Social engineering involves using psychological manipulation to trick individuals into divulging sensitive
information or performing actions that could compromise the security of the target system. Social
engineering techniques can include phishing, pretexting, and baiting.