What is Penetration Testing?

-

What is Penetration Testing?


In a penetration test or pen test for short, authorized hackers simulate an attack on a specific application, site or set of apps and sites to assess their security. A pen test is designed with a specific goal in mind, such as to gain privileged access to a sensitive system or to steal data from a system that is believed to be secure1.

It's the process to identify security vulnerabilities in an application by evaluating the system or network with various malicious techniques. The weak points of a system are exploited in this process through an authorized simulated attack.
The purpose of this test is to secure important data from outsiders like hackers who can have unauthorized access to the system. Once the vulnerability is identified it is used to exploit the system to gain access to sensitive information.
A penetration test is also known as the pen test and a penetration tester is also referred to as an ethical hacker.
We can figure out the vulnerabilities of a computer system, a web application or a network through penetration testing.
A penetration test tells whether the existing defensive measures employed on the system are strong enough to prevent any security breaches. Penetration test reports also suggest the countermeasures that can be taken to reduce the risk of the system being hacked.
  1. Find a Vulnerability 
  2. Design an attack 
  3. Appoint team of ethical hackers 
  4. Determine what kind of data they could steal 
  5. Act on the findings

What Should Be Tested?

  • Software (Operating system, services, application)
  • Hardware
  • Network
  • Processes
  • End-user behavior

Causes Of Vulnerabilities

  • Design and development errors: There can be flaws in the design of hardware and software. These bugs can put your business-critical data at the risk of exposure.
  • Poor system configuration: This is another cause of vulnerability. If the system is poorly configured, then it can introduce loopholes through which attackers can enter into the system & steal the information.
  • Human errors: Human factors like improper disposal of documents, leaving the documents unattended, coding errors, insider threats, sharing passwords over phishing sites, etc. can lead to security breaches.
  • Connectivity: If the system is connected to an unsecured network (open connections) then it comes in the reach of hackers.
  • Complexity: The security vulnerability rises in proportion to the complexity of a system. The more features a system has, the more chances of the system being attacked.
  • Passwords: Passwords are used to prevent unauthorized access. They should be strong enough that no one can guess your password. Passwords should not be shared with anyone at any cost and passwords should be changed periodically. In spite of these instructions, at times people reveal their passwords to others, write them down somewhere and keep easy passwords that can be guessed.
  • User Input: You must have heard of SQL injection, buffer overflows, etc. The data received electronically through these methods can be used to attack the receiving system.
  • Management: Security is hard & expensive to manage. Sometimes organizations lack behind in proper risk management and hence vulnerability gets induced in the system.
  • Lack of training to staff: This leads to human errors and other vulnerabilities.
  • Communication: Channels like mobile network, internet, telephone opens up security theft scope.

Why Penetration Testing?

You must have heard of the WannaCry ransomware attack that started in May 2017. It locked more than 2 lakh computers around the world and demanded ransom payments in the Bitcoin cryptocurrency. This attack has affected many big organizations around the globe.
With such massive & dangerous cyber-attacks happening these days, it has become unavoidable to do penetration testing on regular intervals to protect the information systems against security breaches.
So, Penetration Testing is mainly required for:
  • Financial or critical data must be secured while transferring it between different systems or over the network.
  • Many clients are asking for pen testing as part of the software release cycle.
  • To secure user data.
  • To find security vulnerabilities in an application.
  • To discover loopholes in the system.
  • To assess the business impact of successful attacks.
  • To meet the information security compliance in the organization.
  • To implement an effective security strategy in the organization.
Any organization needs to identify security issues present in the internal network and computers. Using this information organization can plan a defense against any hacking attempt. User privacy and data security are the biggest concerns nowadays. Imagine if any hacker manages to get user details of social networking site like Facebook. The organization can face legal issues due to a small loophole left in a software system. Hence, big organizations are looking for PCI (Payment Card Industry) compliance certifications before doing any business with third-party clients.

Penetration Testing Tools And Companies

Automated tools can be used to identify some standard vulnerability present in an application. Pentest tools scan code to check if there is a malicious code present which can lead to the potential security breach. Pentest tools can verify security loopholes present in the system by examining data encryption techniques and figuring out hard-coded values like username and password.
Criteria to select the best penetration tool:
  • It should be easy to deploy, configure and use.
  • It should scan your system easily.
  • It should categorize vulnerabilities based on severity that needs an immediate fix.
  • It should be able to automate the verification of vulnerabilities.
  • It should re-verify exploits found previously.
  • It should generate detailed vulnerability reports and logs.
Once you know what tests you need to perform you can either train your internal test resources or hire expert consultants to do the penetration task for you.

Penetration Testing Sample Test Cases (Test Scenarios)

Remember this is not functional testing. In Pentest your goal is to find security holes in the system. Below are some generic test cases and not necessarily applicable to all applications.
  1. Check if the web application is able to identify spam attacks on contact forms used on the website.
  2. Proxy server – Check if network traffic is monitored by proxy appliances. The proxy server makes it difficult for hackers to get internal details of the network thus protecting the system from external attacks.
  3. Spam email filters – Verify if incoming and outgoing email traffic is filtered and unsolicited emails are blocked.
  4. Many email clients come with inbuilt spam filters which need to be configured as per your needs. These configuration rules can be applied to email headers, subject or body.
  5. Firewall – Make sure the entire network or computers are protected with Firewall. A Firewall can be software or hardware to block unauthorized access to a system. A Firewall can prevent sending data outside the network without your permission.
  6. Try to exploit all servers, desktop systems, printers, and network devices.
  7. Verify that all usernames and passwords are encrypted and transferred over secured connection like https.
  8. Verify information stored in website cookies. It should not be in a readable format.
  9. Verify previously found vulnerabilities to check if the fix is working.
  10. Verify if there is no open port in the network.
  11. Verify all telephone devices.
  12. Verify WIFI network security.
  13. Verify all HTTP methods. PUT and Delete methods should not be enabled on a web server.
  14. Verify if the password meets the required standards. The password should be at least 8 characters long containing at least one number and one special character.
  15. Username should not be like “admin” or “administrator”.
  16. The application login page should be locked upon a few unsuccessful login attempts.
  17. Error messages should be generic and should not mention specific error details like “Invalid username” or “Invalid password”.
  18. Verify if special characters, HTML tags, and scripts are handled properly as an input value.
  19. Internal system details should not be revealed in any of the error or alert messages.
  20. Custom error messages should be displayed to end user in case of web page crash.
  21. Verify use of registry entries. Sensitive information should not be kept in the registry.
  22. All files must be scanned before uploading to the server.
  23. Sensitive data should not be passed in URLs while communicating with different internal modules of the web application.
  24. There should not be any hard coded username or password in the system.
  25. Verify all input fields with long input string with and without spaces.
  26. Verify if reset password functionality is secure.
  27. Verify application for SQL Injection.
  28. Verify application for Cross Site Scripting.
  29. Important input validations should be done at server side instead of JavaScript checks at the client-side.
  30. Critical resources in the system should be available to authorized persons and services only.
  31. All access logs should be maintained with proper access permissions.
  32. Verify user session ends upon log off.
  33. Verify that directory browsing is disabled on the server.
  34. Verify that all applications and database versions are up to date.
  35. Verify URL manipulation to check if a web application is not showing any unwanted information.
  36. Verify memory leak and buffer overflow.
  37. Verify if incoming network traffic is scanned to find Trojan attacks.
  38. Verify if the system is safe from Brute Force Attacks – a trial and error method to find sensitive information like passwords.
  39. Verify if system or network is secured from DoS (denial-of-service) attacks. Hacker can target network or a single computer with continuous requests due to which resources on the target system gets overloaded resulting in the denial of service for legit requests.
  40. Verify application for HTML script injection attacks.
  41. Verify against COM & ActiveX attacks.
  42. Verify against spoofing attacks. Spoofing can be of multiple types – IP address spoofing, Email ID spoofing,
  43. ARP spoofing, Referrer spoofing, Caller ID spoofing, Poisoning of file-sharing networks, GPS spoofing.
  44. Check for uncontrolled format string attack – a security attack that can cause the application to crash or execute the harmful script on it.
  45. Verify XML injection attack – used to alter the intended logic of the application.
  46. Verify against canonicalization attacks.
  47. Verify if the error pages are displaying any information that can be helpful for a hacker to enter into the system.
  48. Verify if any critical data like the password is stored in secret files on the system.
  49. Verify if the application is returning more data than it is required.
These are just the basic test scenarios to get started with Pentest. There are hundreds of advanced penetration methods which can be done either manually or with the help of automation tools.
What are the types of pen tests?

·        Open-box pen test - In an open-box test, the hacker will be provided with some information ahead of time regarding the target company’s security info.

·        Closed-box pen test - Also known as a ‘single-blind’ test, this is one where the hacker is given no background information besides the name of the target company.

·        Covert pen test - Also known as a ‘double-blind’ pen test, this is a situation where almost no one in the company is aware that the pen test is happening, including the IT and security professionals who will be responding to the attack. For covert tests, it is especially important for the hacker to have the scope and other details of the test in writing beforehand to avoid any problems with law enforcement.

·        External pen test - In an external test, the ethical hacker goes up against the company’s external-facing technology, such as their website and external network servers. In some cases, the hacker may not even be allowed to enter the company’s building. This can mean conducting the attack from a remote location or carrying out the test from a truck or van parked nearby.

·        Internal pen test - In an internal test, the ethical hacker performs the test from the company’s internal network. This kind of test is useful in determining how much damage a disgruntled employee can cause from behind the company’s firewall.

Comments

Post a Comment

Popular posts from this blog

What is Microsoft SharePoint ?

-
Microsoft SharePoint is a web-based collaborative platform that integrates with Microsoft Office. It's primarily used for document management and storage but also offers a wide range of capabilities such as intranet, content management, workflow management, business intelligence, and enterprise search. SharePoint allows users to create sites where they can share documents, information, and ideas within their organization. These sites can be customized to fit specific needs, such as team collaboration, project management, or departmental portals. Some key features of SharePoint include: Document Management: Users can upload, store, organize, and share documents within SharePoint sites. Version control ensures that users are always working with the latest version of a document. Collaboration: SharePoint facilitates collaboration among team members through features like document co-authoring, discussion boards, calendars, and task lists. Intranet and Portals: SharePoint can be used...
Read more

General Cybersecurity

-
What is perimeter security?  Perimeter security, in the context of cybersecurity, refers to the measures and strategies implemented to protect an organization's internal network from external threats. It establishes a boundary, or perimeter, between the organization's internal network and the external environment, such as the internet. The goal of perimeter security is to prevent unauthorized access, attacks, and breaches from reaching the internal network and its resources. Here are some key components and concepts related to perimeter security: Firewalls: Firewalls are the cornerstone of perimeter security. They inspect incoming and outgoing network traffic based on predefined rules and policies. Firewalls can block or allow traffic based on factors such as IP addresses, port numbers, and protocols. Intrusion Detection and Prevention Systems (IDPS): IDPS solutions monitor network traffic for signs of malicious activity or known attack patterns. They can detect and prevent i...
Read more

Well-Architected Framework | Solution Architect

-
The Well-Architected Framework is a set of best practices and guidelines designed to help cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications. The framework is developed by AWS (Amazon Web Services), but similar principles can be applied to other cloud platforms. The Well-Architected Framework consists of five pillars, each addressing a key aspect of building well-designed and well-operated systems. These pillars are: Operational Excellence: Focuses on operational practices that ensure efficient and effective use of cloud resources. Key considerations include monitoring, incident response, automation, and overall operational health. Security: Emphasizes the importance of implementing robust security measures to protect data, systems, and assets. Covers data protection, identity and access management, and incident response, among other security aspects. Reliability: Aims to ensure a system's ability to recover from failures ...
Read more