Penetration testing (ethical hacking) is the deliberate launching of simulated cyber-attacks in order to spot vulnerabilities, which can be exploited, in systems, websites, networks, and applications. The main objective of penetration testing is to identify security inadequacies/flaws and weaknesses. It also tests the security policy’s robustness, the (degree of) regulatory compliance, the security awareness of the employees, and the general preparedness and capacity of the organization to identify and respond to security threats or incidents.
Penetration tests must expose all kinds of vulnerabilities that would let attackers access the system, and this can enable the company to tighten its security policies. In these tests, details about possible targets are collected, potential entry points are spotted, and attempts are made to break in.
Where web application security is concerned, penetration testing is used to improve a web application firewall (WAF).
In pen testing, there can be the attempted breaching of application systems, for example, application protocol interfaces (APIs), frontend servers, backend servers to uncover vulnerabilities that are vulnerable to code injection attacks. Penetration test can help fine-tune your WAF security policies and patch detected vulnerabilities.
Pen tests can be performed either manually or it can be automated using security tools.
Automated pen testing is usually meant for:
- Cost-conscious CISOs with limited security staff
- DevOps teams that need application security to bring down false positives
- Application security teams who have to provide layered security without hampering development timelines.
- Red teams that would benefit from a detailed list of vulnerabilities in the applications
Penetration testing stages are five:
- Planning and reconnaissance
In this first stage, the scope and goals of the test are defined, including the systems that are to be addressed and the methods of testing that are to be used. Intelligence gathering happens, such as network names, domain names, mail servers, etc., to understand how a target works and what its vulnerabilities are.
In this step, one gets to understand how the target application would respond to various intrusion attempts. This is done using Static analysis and Dynamic Analysis.
In static analysis, an application’s code is inspected to estimate the way it behaves while running. The tool can scan the entire code in a single pass. Dynamic analysis inspects the application’s code in a running state. As it provides a real time view into an application’s performance, it is deemed to be more practical.
- Gaining Access
In this stage, the target’s vulnerabilities are uncovered using web application attacks, such as SQL injection, cross-site scripting, and backdoors. Then, the testers exploit these vulnerabilities by stealing data, escalating privileges, intercepting traffic, etc., to further understand the damage they can cause.
- Maintaining access
Advanced persistent threats are those threats that often remain in a system for months together to steal the company’s sensitive data. This stage aims to see if any of the vulnerabilities can potentially achieve a persistent presence in the exploited system.
Finally, in the analysis stage, the pen test results are compiled into a report with details about vulnerabilities that were exploited, sensitive data that was accessed, and the duration the pen tester was able to remain in the system undetected
Security personnel analyze this information and configure the company’s WAF settings and application security solutions to patch the vulnerabilities and protect against future attacks.
Types of penetration testing
Understanding the types of pen test will enable one to choose the most suitable one for their organization as engagements differ in depth, focus and duration. Common ethical hacking engagements include:
In this, an assessment of on-premise and cloud network infrastructure, including system hosts, firewalls, and routers and switches is undertaken. This can be framed either as an internal penetration test or as an external penetration test. An internal pen test focusses on assets inside the corporate network, typically by a tester who can access an application behind its firewall and simulate an attack by a malicious insider. The external penetration test focusses on internet-facing assets and infrastructure, e.g., the company website, the web application itself, and email and domain name servers (DNS). The aim is to gain access to and extract valuable data. To scope a test, it is necessary to know the size of the network subnet, the number of internal and external IPs that are to be tested, and the number of sites.
This is a test that specifically targets an enterprise’s WLAN (wireless local area network) as well as wireless protocols like ZigBee, Bluetooth, and Z-Wave. It helps spot rogue access points, WPA vulnerabilities and weaknesses in encryption. For this, testers should be made aware of the number of wireless and guest networks, locations and unique SSIDs to be assessed.
In this type of testing, websites and custom applications delivered over the web are assessed to uncover design, development and coding flaws that could be exploited.
This is all about testing the mobile applications on operating systems (OS) such as Android and iOS to identify authorisation, data leakage and authentication, authorisation issues. The test providers, to scope a test, will need to know the OS types/versions the app needs to be tested on, the number of API call and requirements for root detection and jail breaking.
In this a review of network builds and configurations is undertaken to spot misconfigurations across web and app servers, firewalls and routers.
In a blind test, the targeted organization’s name alone is given to the tester. This enables the security personnel to get a real-time look into the manner in which an actual application assault takes place.
In a double blind test, the security personnel will have absolutely no prior knowledge of the simulated attack. Just as in the real-world scenario, they will not have the time to put up their defences before an attempted breach.
In this setup, the tester and security personnel work together and keep each other updated on their movements. This proves to be a valuable training exercise, providing the security team with real-time feedback from a hacker’s perspective.
White Box/Black Box/Grey Box penetration testing
It is evident that the amount of information shared before an engagement can have a huge influence on the outcome. Testing style is usually classified as either white box, black box or grey box penetration testing.
White box penetration testing
In white box penetration testing, also termed crystal or oblique box pen testing, full network and system information, network maps and credentials are all shared with the tester. This saves time and reduces costs. A white box penetration test is very useful while a specific system is targeted using maximum attack vectors possible.
Black box penetration testing
In this testing, no information is provided to the tester. The pen tester thus simulates the attack of an unprivileged attacker, from initial access and execution through to exploitation. Such a scenario is deemed to be the most authentic, showing the manner in which an adversary without any inside knowledge would target and compromise an organisation. However, this is for the same reason, the most expensive option as well.
Grey box penetration testing
In this test, also known as a translucent box test, limited information is shared with the tester: for e.g. the login credentials alone.
Through this testing, we can gauge the level of access a privileged user could gain and the potential damage they could being about. A Grey box test is an optimal balance between depth and efficiency and it can help simulate either an insider threat or an external network attack.
In the real world, a persistent adversary will conduct reconnaissance on the target environment, giving them similar knowledge to an insider. With grey box testing, there is an optimal balance between efficiency and authenticity, eliminating the time-consuming reconnaissance phase.
Penetration testing and Web Application Firewalls
Penetration testing and WAFs are exclusive albeit mutually beneficial security measures.
The tester would most likely use WAF data, like logs, to locate and exploit the weak spots of an application. This is true for many kinds of pen testing except blind and double blind tests.
The WAF administrators in turn benefit from pen testing data. Upon completion of a test, they would update the WAF configurations to tighten the security against the weak spots just discovered in the test.
Pen testing, importantly, satisfies some of the compliance requirements for security auditing procedures, PCI DSS and SOC 2 and others. While there are certain standards, such as PCI-DSS 6.6, which can be satisfied only through the use of a certified WAF, it does not make pen testing any less appealing and useful.
Owasp Top 10 Security Vulnerabilities Testing at HURIX
The Hurix testing team especially performs testing that includes taking care of the vulnerabilities that are deemed the most common web application security risks by the Open Web Application Security Project (OWASP). By taking care of these risks and writing codes appropriately and performing robust tests, developers can create secure web applications that can keep their confidential data safe from hackers.
- Broken authentication
- Sensitive Data Exposure or Information Disclosure
- SQL Injection
- Broken Access Control
- Cross Site Scripting
- Insufficient Time Outs
- Insecure Deserialization
- Insufficient Logging an Monitoring
- Link Manipulation
- Cross Site Request Forgery (CSRF)
In conclusion, a pen test is a form of ethical cyber security assessment undertaken to spot and exploit (safely) and eliminate vulnerabilities that are present on a company’s on-premises as well as remote IT environments.
It is recommended that all companies commission security testing annually, with additional assessments post any significant changes to infrastructure, as well as before product launches, mergers and acquisitions. Pen tests with a higher frequency are recommended for companies with very large IT estates, processing large volumes of personal and financial data or with strict compliance requirements to adhere to.
At Hurix, our penetration testing engineers, scan vulnerabilities within your systems and provide information on potential vulnerabilities. Our experts carry out test to find weaknesses in the design of your IT infrastructure and assess the extent to which an attacker is able to gain access to your data.
To know more about Penetration Testing solutions from HurixDigital, please write to us at firstname.lastname@example.org.