Penetration Testing
One way of categorising penetration test types is by the amount of information provided to the tester. In the main, there are three types of tests: black box, white box and grey box. In a black box assessment, the tester is usually provided with no information except for the scope of the test (e.g., IP addresses or specific domains). In a white box assessment, the tester is provided with full access to necessary information such as network diagrams, credentials or application source code. A grey box assessment, as its name suggests, lies somewhere between a black and a white box assessment, where the tester is provided with some information (e.g., low privilege credentials) but not full access to the assets to test (e.g., administrative credentials or source code).
URM is able to provide penetration testing services against all assets associated with your organisation, location or service (e.g., external and internal networks, cloud environments, web or mobile applications).
Ideally, the decision on which systems to test should be based on the relevant threat model and the objectives of the test. For example, if your organisation offers a business solution to your clients in the form of a web application hosted on AWS and you need to provide assurance to those clients that the solution is secure, you may consider testing the web application at the application layer, but also the underlying infrastructure exposed to the Internet. You may also consider performing a configuration review of your AWS environment to obtain assurance that the different attack vectors (exposed services, identity and access configuration, storage permissions) are covered and not just the application itself.
URM has produced a white paper where we provide practical advice on how to decide what to test.
Again, deciding which type of penetration test to conduct should depend on your organisation’s requirements and the objective that the test needs to satisfy. Using the above example, if the AWS web application is multi-tenanted, it would make sense to perform a white or grey box web application penetration test from the perspective of a malicious client trying to access other clients’ data. It would also be beneficial to test from the perspective of user roles with different privileges in order to identify any vertical (low privilege user to administrator) and horizontal (one user or tenant to another) privilege escalation vectors. However, it may be sufficient to perform a black box penetration test on the underlying hosting server.
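As an added illustration (example code written for this page, not URM’s own tooling), the Python below models the two escalation checks described above against a tiny in-memory multi-tenant API. The tenants, record IDs, session tokens and routes are all constructed for the example; in a real grey box test the `api` callable would be replaced by authenticated HTTP requests to the target, and the record IDs would be the ones each test tenant can legitimately see in its own account.

```python
"""Horizontal and vertical access-control checks of the kind run in a grey
box test of a multi-tenant web application.

Everything here is constructed for illustration: the records, the tenants,
the session tokens and the two API implementations (one deliberately
vulnerable, one hardened)."""

# Constructed tenant data: each record belongs to exactly one tenant.
RECORDS = {
    101: {"tenant": "acme", "invoice": "ACME-2024-001"},
    102: {"tenant": "acme", "invoice": "ACME-2024-002"},
    201: {"tenant": "globex", "invoice": "GLOBEX-2024-001"},
}

# Constructed sessions: the accounts a grey box tester would be issued.
SESSIONS = {
    "tok-acme-user": {"tenant": "acme", "role": "user"},
    "tok-globex-user": {"tenant": "globex", "role": "user"},
    "tok-acme-admin": {"tenant": "acme", "role": "admin"},
}


def _record_id(path):
    """Pull the numeric ID out of /records/<id>; None if it is not numeric."""
    tail = path.rsplit("/", 1)[-1]
    return int(tail) if tail.isdigit() else None


def vulnerable_api(token, path):
    """Deliberately weak: records are looked up by ID only (an IDOR), and the
    admin export route checks that the caller is logged in but not its role."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, None
    if path.startswith("/records/"):
        rec = RECORDS.get(_record_id(path))
        return (200, rec) if rec else (404, None)
    if path == "/admin/export":
        return 200, list(RECORDS.values())
    return 404, None


def hardened_api(token, path):
    """Same routes, but every record access is scoped to the caller's tenant
    and the admin route requires the admin role."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, None
    if path.startswith("/records/"):
        rec = RECORDS.get(_record_id(path))
        # 404 rather than 403 for another tenant's record, so that valid IDs
        # belonging to other tenants cannot be enumerated by status code.
        if rec is None or rec["tenant"] != session["tenant"]:
            return 404, None
        return 200, rec
    if path == "/admin/export":
        if session["role"] != "admin":
            return 403, None
        return 200, [r for r in RECORDS.values() if r["tenant"] == session["tenant"]]
    return 404, None


def horizontal_check(api, token, own_tenant, record_ids):
    """Request every known record ID with one tenant's session and report any
    that come back belonging to a different tenant (horizontal escalation)."""
    findings = []
    for rid in record_ids:
        status, body = api(token, f"/records/{rid}")
        if status == 200 and body["tenant"] != own_tenant:
            findings.append(("horizontal", token, rid, body["tenant"]))
    return findings


def vertical_check(api, token, admin_paths):
    """Call admin-only routes with a low privilege session; a 200 means the
    role check is missing (vertical escalation)."""
    return [("vertical", token, p) for p in admin_paths if api(token, p)[0] == 200]


def run_checks(api):
    """Run both checks from every low privilege session the tester holds.
    The ID list is the union of IDs each tenant saw in its own account."""
    record_ids = sorted(RECORDS)
    findings = []
    for token, sess in SESSIONS.items():
        if sess["role"] != "user":
            continue
        findings += horizontal_check(api, token, sess["tenant"], record_ids)
        findings += vertical_check(api, token, ["/admin/export"])
    return findings


if __name__ == "__main__":
    for name, api in (("vulnerable", vulnerable_api), ("hardened", hardened_api)):
        print(name, run_checks(api))
```

Against the vulnerable implementation the checks report three cross-tenant record reads and two unauthorised admin exports; against the hardened one they report nothing. Note the design choice in the hardened version of answering 404 rather than 403 for another tenant’s record ID: a 403 confirms the ID exists, which is exactly the information an attacker enumerating IDs wants.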
What is the difference between vulnerability scanning and penetration testing?
Vulnerability scanning is an automated process that identifies potential security vulnerabilities in a system, while penetration testing is a largely manual, tester-led process that attempts to exploit vulnerabilities in order to gain access to the system and demonstrate their impact. Vulnerability scans are an excellent way to identify missing patches, weak system configurations and any other vulnerabilities that can be found in an automated way. However, they lack human intelligence and context, are prone to false positives, and may have adverse effects on the target when run with high privileges. A penetration test complements a vulnerability scan by adding the human element: testers can identify vulnerabilities that require an understanding of the application’s business logic, chain together multiple lower-severity vulnerabilities to achieve a higher impact, and perform privilege escalation or lateral movement after exploiting a vulnerability in order to reach more data and systems. Penetration tests can therefore help assess the business impact your organisation would suffer if these vulnerabilities were exploited by a malicious attacker.
Realistically, yes, you need both. However, when and how often to perform them can vary. Vulnerability scans are faster and cheaper to carry out and provide an overview of a system’s security posture, while penetration tests are more expensive and provide a more detailed assessment. As a rule of thumb, to minimise exposure to risk while also minimising the cost of security assessments, it is recommended that vulnerability scans are performed regularly in order to identify new vulnerabilities as early as possible, and that penetration tests are performed whenever major changes have been applied to a system since the previous penetration test.
What is the difference between external and internal penetration tests?
External penetration tests assess the security of the system from outside the network perimeter (e.g., over the Internet), while internal penetration tests assess it from within the network. Additionally, external penetration tests typically take the perspective of an unauthenticated attacker, while internal penetration tests can take the perspective of an authorised low privilege user, or of an attacker who has already gained a foothold on the internal network.
Penetration testing tools vary depending on the type of test being conducted, but some of the most commonly used tools include port scanners, vulnerability scanners, network sniffers, intercepting web proxies and, for wireless testing, specific wireless adapters capable of monitor mode and packet injection.
Penetration testing requires a wide range of skills, including knowledge of networking protocols, operating systems, programming languages, and security tools. Additionally, the tester must have an understanding of security principles, an analytical mindset, and the ability to ‘think outside the box’.
In order to identify security vulnerabilities before a malicious threat actor does and to obtain a prioritised list of remediations that can help reduce risks for your organisation.
The benefits of conducting penetration tests include identifying potential security vulnerabilities, obtaining a prioritised list of remediation actions to fix those vulnerabilities, and gaining a better understanding of the system’s actual security posture. Additionally, penetration tests can help organisations comply with industry regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
In URM’s experiences, many organisations are not maximising their investment in penetration tests and not fully realising the benefits. Here we provide practical advice on what your organisation can do.
The cost of penetration testing can vary according to the scope and complexity of the test. Generally, the cost of a penetration test can range from a few thousand pounds to tens or hundreds of thousands of pounds.
The length of a penetration test can vary according to the scope and complexity of the test. Generally, a penetration test can take anything from a few days to several weeks to complete.
It is recommended that penetration tests are conducted on a regular basis, with the frequency varying in accordance with your organisation’s specific requirements. Organisations often perform penetration tests annually or twice a year. However, it is also recommended that your organisation conducts a penetration test following the introduction of any major changes to the system or network, such as new functionality or a new system.
Yes, there are risks involved in conducting penetration tests. These include the potential for data loss or corruption, disruption of services (e.g., a fragile system crashing under scanning or exploitation), and legal or regulatory violations (e.g., testing systems or data that you are not authorised to test).
What safeguards should be considered before performing a penetration test?
Before performing a penetration test, you should consider safeguards such as establishing a clear scope of work, agreeing clear rules of engagement, obtaining authorisation from any third party hosting your systems, identifying any assets that require extra precautions (e.g., business critical systems that require high availability), taking backups of systems, having procedures in place to restore the systems to their pre-test state, and ensuring that the test is conducted in a safe environment (e.g., a staging or pre-production environment).
In preparation, you should gather requirements from all relevant stakeholders, which may include IT, business owners, clients, legal, etc. If possible, your test environment should be set up to be as similar as possible to the production environment (e.g., in a state that represents normal use, with realistic users, data, etc.) so that testers can add, delete and modify data without impacting the business. Authorisation should be obtained from any relevant party and all relevant parties (business owners, tech team, etc.) should be informed that the test is taking place. All the necessary prerequisites (credentials, test accounts, network access, documentation) should be issued to the testing provider before the test commencement date. Ideally, a regular authenticated vulnerability scan should be conducted and any remediation actions carried out before performing a penetration test, so that the testers’ time is not spent re-discovering known issues. You should also ensure that the penetration tester’s source IP addresses are allow-listed (whitelisted) in active protection mechanisms such as IPS and WAFs; otherwise these controls slow the test down and reduce the number of checks that can be performed in the time available. The trade-off is that the test then measures the security of the application and infrastructure rather than of the WAF or IPS, so if the effectiveness of those controls is itself in scope, agree a separate phase to test with them enabled.
URM has produced a white paper where we provide practical advice on how to best prepare for your pen test.
You should do as much as possible to facilitate the test and be readily available in the event that testers need any blockers removed (e.g., a test user not having permission to log in to the target systems, or getting locked out). Naturally, you should avoid actively blocking or disrupting the testing activities: a penetration test is not a red team engagement. You should also avoid deploying development work or making major changes to the environment being tested while the test is in progress. It can be useful to monitor the logs and alerts generated during a test to evaluate the effectiveness of the monitoring capabilities in place, since a known, authorised attacker operating in a known window is a rare opportunity to check what your detection would and would not have caught.
Following a penetration test, you should analyse the results and make a plan to remediate the vulnerabilities identified. The pen test report should contain a prioritised list of findings. You should take into account the risk ratings and priorities suggested by the pen test provider, but also apply your knowledge of internal systems, business objectives and any compensating controls you have in place to arrive at the most effective risk mitigation strategy for your organisation. In the same way, you should analyse the recommended solutions offered by the pen test provider and implement the solutions that work best for you. Once you have fixed the identified vulnerabilities, you should have the provider retest to confirm that the solutions implemented effectively mitigate the risks.
When appointing a pen test provider, you should look for someone with experience and expertise in the field, as well as a good understanding of the target systems. You should ensure that the pen tester who will actually perform the work is involved in scoping calls, and select a provider that listens and responds to your requirements rather than one who ‘pushes’ a standard service offering. It is recommended that you request a sample report and examine whether findings are clearly explained, whether the report provides steps to replicate the issues and whether remediation actions are clear and logical. You should explore whether the provider’s methodology fully meets your requirements, in particular where there is a requirement to test more unusual systems and assets such as mainframes, bespoke hardware or uncommon network protocols. Your provider should also offer a debrief meeting and provide the opportunity for you to ask questions about the findings. You should also investigate whether the provider offers a retest policy and what it comprises, since you need assurance that any remediation has been successful.
URM has produced a white paper where we provide practical advice on selecting the most appropriate provider.