Security issues uncovered through the penetration test are presented to the system's owner. Effective penetration tests will couple this information with an accurate assessment of the potential impacts to the organization and outline a range of technical and procedural countermeasures to reduce risks.
Penetration tests are valuable for several reasons:
1. Determining the feasibility of a particular set of attack vectors
2. Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
3. Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
4. Assessing the magnitude of potential business and operational impacts of successful attacks
5. Testing the ability of network defenders to successfully detect and respond to the attacks
6. Providing evidence to support increased investments in security personnel and technology
Penetration Testing Defined
There is a considerable amount of confusion in the industry regarding the differences between vulnerability scanning and penetration testing, as the two phrases are commonly interchanged. However, their meaning and implications are very different. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing typically includes network penetration testing and application security testing as well as the controls and processes around the networks and applications, and should occur both from outside the network trying to come in (external testing) and from inside the network (internal testing).
What is a Penetration Testing Tool?
Penetration Testing tools are used as part of a penetration test to automate certain tasks, improve testing efficiency, and discover issues that might be difficult to find using manual analysis techniques alone. Two common penetration testing tools are static analysis tools and dynamic analysis tools. Veracode performs both dynamic and static code analysis and finds security vulnerabilities that include malicious code as well as the absence of functionality that may lead to security breaches. For example, Veracode can determine whether sufficient encryption is employed and whether a piece of software contains any application backdoors through hard-coded user names or passwords. Veracode's binary scanning approach produces more accurate testing results, using methodologies developed and continually refined by a team of world-class experts. And because Veracode returns fewer false positives, penetration testers and developers can spend more time remediating problems and less time sifting through non-threats.
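The paragraph above mentions two findings a static analysis tool can surface without running the program: hard-coded user names or passwords (an application backdoor) and insufficient encryption. The following is an added illustration of how such a check works and is not Veracode's tooling or code from the original page. It walks the abstract syntax tree of Python source and flags credential-looking identifiers assigned or compared against string literals, secret literals passed as keyword arguments, and weak hash constructors; the identifier patterns, the placeholder list and the sample module are assumptions constructed for the example.

```python
"""Static check for hard-coded credentials and weak hashing in Python source.

Added example: a simplified analogue of the class of check described above,
not a real product's implementation. Patterns below are assumptions to tune.
"""
import ast
import re
from dataclasses import dataclass

# Identifier fragments that usually name a credential (assumption: illustrative list).
CREDENTIAL_NAME = re.compile(r"passw(or)?d|passwd|secret|api_?key|token|private_?key", re.I)
# Literal values that are placeholders rather than real secrets.
PLACEHOLDER = re.compile(r"^(|changeme|todo|<[^>]*>|\$\{[^}]*\}|%s)$", re.I)
# Hash constructors too weak for password storage.
WEAK_HASHES = {"md5", "sha1"}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    detail: str


def _looks_like_credential(name: str) -> bool:
    return bool(CREDENTIAL_NAME.search(name))


def _is_secret_literal(node: ast.AST) -> bool:
    """True for a non-empty string constant that is not an obvious placeholder."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and not PLACEHOLDER.match(node.value))


class CredentialVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _report(self, node: ast.AST, kind: str, detail: str) -> None:
        self.findings.append(Finding(node.lineno, kind, detail))

    def visit_Assign(self, node: ast.Assign) -> None:
        # password = "..." or self.api_key = "..." with a literal on the right-hand side
        for target in node.targets:
            name = target.id if isinstance(target, ast.Name) else getattr(target, "attr", None)
            if name and _looks_like_credential(name) and _is_secret_literal(node.value):
                self._report(node, "hardcoded-credential", f"{name} assigned a string literal")
        self.generic_visit(node)

    def visit_Compare(self, node: ast.Compare) -> None:
        # if password == "...": a credential compared against a literal is the backdoor shape
        operands = [node.left, *node.comparators]
        names = [n.id for n in operands if isinstance(n, ast.Name) and _looks_like_credential(n.id)]
        if names and any(_is_secret_literal(n) for n in operands):
            self._report(node, "backdoor-comparison", f"{names[0]} compared against a string literal")
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        # hashlib.md5(...) / hashlib.new("md5") are insufficient for protecting passwords
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name) and func.value.id == "hashlib":
            algo = func.attr
            if algo == "new" and node.args and isinstance(node.args[0], ast.Constant):
                algo = str(node.args[0].value)
            if algo.lower() in WEAK_HASHES:
                self._report(node, "weak-hash", f"hashlib.{algo} used")
        # connect(password="...") passes a secret literal as a keyword argument
        for kw in node.keywords:
            if kw.arg and _looks_like_credential(kw.arg) and _is_secret_literal(kw.value):
                self._report(node, "hardcoded-credential", f"keyword {kw.arg}= string literal")
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse the source text and return findings ordered by line number."""
    visitor = CredentialVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample module: four defects of the kinds described, two benign lines.
SAMPLE = '''\
import hashlib, os
DB_PASSWORD = "Tr0ub4dor&3"                      # line 2: hard-coded credential
API_KEY = os.environ.get("API_KEY")              # line 3: fine, read from the environment
PLACEHOLDER_SECRET = "<set-in-deployment>"       # line 4: placeholder, not a secret

def login(username, password):
    if username == "support" and password == "letmein":   # line 7: backdoor
        return True
    stored = hashlib.md5(password.encode()).hexdigest()   # line 9: weak hash
    return stored == lookup(username)

conn = connect(host="db", password="s3cret")     # line 12: literal via keyword
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(f"line {finding.line}: {finding.kind}: {finding.detail}")
```

Running the module reports lines 2, 7, 9 and 12 of the sample and stays silent on the environment lookup and the placeholder, which is the false-positive trade-off the paragraph refers to: the placeholder filter and the credential name list decide how much noise a reviewer has to sift through.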
Manual Penetration Test
Manual Penetration Testing layers human expertise on top of professional penetration testing software and tools such as automated static binary and automated dynamic analysis when assessing high assurance applications. A manual penetration test provides complete coverage for standard vulnerability classes, as well as other design, business logic, and compound flaw risks that can only be detected through manual testing.
Penetration Testing Methodology
Once the threats and vulnerabilities have been evaluated, design the penetration testing to address the risks identified throughout the environment. The penetration testing should be appropriate for the complexity and size of the organization. All locations of sensitive data, all key applications that store, process, or transmit such data, all key network connections, and all key access points should be included. The penetration testing should attempt to exploit security vulnerabilities and weaknesses throughout the environment, attempting to penetrate at both the network level and within key applications. The goal of penetration testing is to determine whether unauthorized access to key systems and files can be achieved. If access is achieved, the vulnerability should be corrected and the penetration testing re-performed until the test is clean and no longer allows unauthorized access or other malicious activity.
Internal Penetration Test
An Internal Penetration Test differs from a vulnerability assessment in that it actually exploits the vulnerabilities to determine what information is actually exposed. An Internal Penetration Test mimics the actions of an actual attacker exploiting weaknesses in network security without the usual dangers. This test examines internal IT systems for any weakness that could be used to disrupt the confidentiality, availability or integrity of the network, thereby allowing the organisation to address each weakness.
An Internal Penetration Test follows documented security testing methodologies, which can include:
• Internal Network Scanning
• Port Scanning
• System Fingerprinting
• Services Probing
• Exploit Research
• Manual Vulnerability Testing and Verification
• Manual Configuration Weakness Testing and Verification
• Limited Application Layer Testing
• Firewall and ACL Testing
• Administrator Privileges Escalation Testing
• Password Strength Testing
• Network Equipment Security Controls Testing
• Database Security Controls Testing
• Internal Network Scan for Known Trojans
• Third-Party/Vendor Security Configuration Testing
The report generated as the output of this work is designed for both executive/board level and technical staff.
Why should we perform an Internal Penetration Test?
Internal Penetration Testing allows organisations to test, if an attacker had the equivalent of internal access, how they might perform unauthorised data disclosure, misuse, alteration or destruction of confidential information, including Non-Public Personal Information (NPPI).
The internal network (file servers, workstations, etc.) of the organisation is exposed to threats such as external intruders who have breached perimeter defences, or malicious insiders attempting to access or damage sensitive information or IT resources. Therefore organisations are encouraged to test the internal network at least as frequently as they do the external perimeter.
Best Practice recommends that each organisation perform an Internal Penetration Test as part of its regular Security Program in order to ensure the security of its internal network defences.
External Penetration Test
An External Penetration Test differs from a vulnerability assessment in that it actually exploits the vulnerabilities to determine what information is actually exposed to the outside world. An External Penetration Test mimics the actions of an actual attacker exploiting weaknesses in the network security without the usual dangers. This test examines external IT systems for any weakness that could be used by an external attacker to disrupt the confidentiality, availability or integrity of the network, thereby allowing the organisation to address each weakness.
An External Penetration Test follows best-practice penetration testing methodologies, which include:
• Public Information & Information Leakage
• DNS Analysis & DNS Bruteforcing
• Port Scanning
• System Fingerprinting
• Services Probing
• Exploit Research
• Manual Vulnerability Testing and Verification of Identified Vulnerabilities
• Intrusion Detection/Prevention System Testing
• Password Service Strength Testing
• Remediation Retest (optional)
Why Should I Perform an External Penetration Test?
IT Security Compliance regulations and guidelines (GLBA, NCUA, FFIEC, HIPAA, etc.) require an organisation to conduct independent testing of the Information Security Program to identify vulnerabilities that could result in unauthorised disclosure, misuse, alteration or destruction of confidential information, including Non-Public Personal Information (NPPI).
The Internet-facing components (website, email servers, etc.) of the organisation’s network are constantly exposed to threats from hackers.
Best Practice requires that each organisation perform an External Penetration Test in addition to regular security assessments in order to ensure the security of its external network.