Penetration Test
What is penetration testing?
Penetration testing is where someone takes on the role of a hacker and attempts to compromise or gain unauthorised access to a network or an application. Also known as white hat or ethical hacking, it is carried out by a qualified professional who makes use of automated tools and manual processes to uncover any vulnerabilities and misconfigurations that present a cyber-security risk.
A penetration test gives companies an overview of their security posture, highlighting flaws so that they can be patched before they are targeted by malicious hackers. Penetration tests are a vital part of an effective security strategy and are a mandatory component of many compliance schemes.
What are the different types of penetration test?
There are several types of penetration test, each of which can be run as black, white or grey box testing. It’s also worth noting that there is a difference between an application test and an infrastructure test. An application test, as the name suggests, is where a tester looks for flaws within an application to see if there’s any way to get at data or manipulate functionality in a way that wasn’t intended. This can involve cookie theft, XSS, man-in-the-middle attacks, etc. Infrastructure tests, on the other hand, are where the tester attempts to gain entry to a corporate network.
Black box testing
Black box testing is the closest simulation of real-world hacking, in that the tester will know very little, if anything, about the target other than what is publicly available. These are often the least time-consuming tests, as they rely solely on the tester discovering vulnerabilities in outward-facing components. However, whilst these tests accurately represent real-life situations, they will not pick up any vulnerabilities or misconfigurations that may be present internally. Therefore, they cannot predict what damage an internal threat may cause.
White box testing
White box testing offers the most thorough security test: the tester has a full understanding of the application or infrastructure, how it works, and has access at various levels. It’s likely that they’ll even have access to the source code or a full, detailed map of the internal infrastructure. The tester will probe for vulnerabilities and misconfigurations to try and gain access from an external position, as well as look to see what damage can be done from an internal perspective.
Grey box testing
Grey box testing is a blend of black and white box testing and is often the most popular type of test. The tester will have limited knowledge of the target, potentially including some documentation. They will often have basic user-level access, allowing for partial testing of the target’s internals.
Network penetration test
A network penetration test is where a cyber professional attempts to breach an organisation’s infrastructure. The tester will check for misconfigurations, outdated software, logical flaws and even look for a means to escalate privileges if they manage to gain access. They will tend to focus on:
Incorrectly stored data
What’s the difference between penetration testing and vulnerability assessments?
The terms penetration test and vulnerability assessment are often wrongly used interchangeably. A vulnerability assessment, or VA scan, is the use of an automated tool to scan a network or application for known vulnerabilities, which can then be patched. A penetration test is a lot more involved and encompasses many aspects, providing you with a more comprehensive overview of your overall security.
A vulnerability scan may well be used in the initial stages of a penetration test to see if there are any easily exploited flaws to work with. The tester will then go a step further, making use of brute-forcing, code injection, social engineering and much more.
What are the stages of a penetration test?
All penetration test projects start with accurate scoping. Once the boundaries have been agreed and a goal decided upon, testers will begin reconnaissance. This is the starting point for any hacker and the beginning of the cyber kill chain. It may include looking for any related URLs or domains that could be considered in scope and increase the attack surface, or running vulnerability scans against the target. If social engineering is included in the test, recon activity may include searching publicly available sources for staff contact details, staff pass designs or email address formats.
The testers will then attempt to exploit any weakness found to gain unauthorised access. This is often a trial-and-error process. If successful, the tester will establish the extent of a hacker’s potential reach, compile evidence and then provide a detailed report along with remediation advice.
Tests will often follow these steps:
What is social engineering?
Social engineering is the process of leveraging the human aspect of a business in order to compromise security. The most common form of this is phishing. This involves tricking users via email into following a malicious link, downloading malware or submitting their credentials.
This is often the easiest way for a hacker to compromise a business. No matter how formidable your cyber-security is, a member of staff can easily undo it all. In 2019, phishing attacks attempting to get ransomware into businesses had risen 109% from 2017.
Social engineering is a fancy term for what can often be a simple approach. How many times have you received an email that looks like the following?
Your Outlook password is due to expire and requires resetting. Please follow this link to reset it.
That link will no doubt direct you to a malicious portal controlled by hackers intent on getting your password; if you click the link and “reset” your password there, they’ll have it. When booking a penetration test, many companies choose to include an element of social engineering in order to test their staff’s susceptibility to phishing.
Some important things to look out for are poor spelling and grammar, both in the body text and in the email address, and a sender address or link domain that doesn’t match the organisation the message claims to come from.
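The password-reset email above is a good test case for the checks a mail filter or a security-awareness tool can apply. The following is an added example, not code from this page or its author: a small heuristic that takes a message’s From header, subject and body, and reports the indicators described here, namely a sender domain that doesn’t belong to the brand the message names, links whose real destination doesn’t match the sender or the URL shown to the reader, and urgency/credential-reset language. The brand-to-domain table, the keyword list and both sample messages are constructed for the example; in a real deployment the table would come from your own mail-security policy.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: brands a message might name, and the domains that
# genuinely send mail for them. In practice this comes from your own policy.
KNOWN_BRAND_DOMAINS = {
    "outlook": {"microsoft.com", "outlook.com"},
    "microsoft": {"microsoft.com", "outlook.com"},
}

# Constructed list of phrases typical of credential-harvesting lures.
URGENCY_WORDS = ("expire", "immediately", "suspended", "verify your account", "reset")


def registered_domain(host):
    """Crude registrable-domain extraction (last two labels); adequate for
    the constructed samples, but a real tool should use the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(from_header):
    """Return the registrable domain of the address in a From header such as
    'Outlook Support <noreply@example.net>'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return registered_domain(addr.rsplit("@", 1)[-1])


def extract_links(body):
    """Return (href, visible_text) pairs for anchors and bare URLs in an HTML/text body."""
    anchor_re = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
    links = [(href, re.sub(r"<[^>]+>", "", text).strip())
             for href, text in anchor_re.findall(body)]
    rest = anchor_re.sub(" ", body)                      # bare URLs outside anchors
    links += [(u, u) for u in re.findall(r'https?://[^\s<>"]+', rest)]
    return links


def phishing_indicators(from_header, subject, body):
    """Return a list of human-readable indicators; an empty list means none fired."""
    findings = []
    sdom = sender_domain(from_header)
    text = (subject + " " + body).lower()

    # 1. The message names a brand, but was not sent from that brand's domains.
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in text and sdom not in domains:
            findings.append(f"mentions '{brand}' but sent from {sdom}")
            break

    # 2. Link destinations that disagree with the sender domain or with the
    #    URL the reader is shown (the "follow this link" trick).
    for href, visible in extract_links(body):
        ldom = registered_domain(urlparse(href).hostname or "")
        if ldom != sdom:
            findings.append(f"link to {ldom} does not match sender domain {sdom}")
        vis_host = urlparse(visible).hostname if visible.startswith("http") else None
        if vis_host and registered_domain(vis_host) != ldom:
            findings.append(f"visible URL {visible} hides a link to {ldom}")

    # 3. Pressure to act now on a credential.
    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgency/credential-reset language")
    return findings


# Constructed sample messages (not real mail).
PHISH = {
    "from_header": "Outlook Support <noreply@outlook-password-reset.com>",
    "subject": "Your Outlook password is due to expire",
    "body": ('Your Outlook password is due to expire and requires resetting. Please '
             '<a href="http://account-verify.example.net/reset">https://outlook.com/reset</a> '
             'to reset it.'),
}
LEGIT = {
    "from_header": "IT Helpdesk <helpdesk@example.com>",
    "subject": "Monthly maintenance window",
    "body": ("The mail servers will be patched on Saturday. Details: "
             "https://intranet.example.com/maintenance"),
}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(**msg))
```

Each indicator on its own is weak (plenty of genuine IT emails say “reset”), so treat the output as a score to feed into training or triage rather than a verdict. Note that the sender check trusts the From header, which is trivially forged; combine it with the SPF/DKIM/DMARC results your mail gateway records before acting on it.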