Security Penetration Testing

Security Penetration Testing, also referred to as Pen Testing is an authorised simulated cyberattack on an IT system, performed to evaluate the security of the system. The output of the test would be a report to help the organisation understand their system’s potential vulnerabilities in order to take steps to rectify it. 

A Security Penetration Test incorporates an internal and external security test of a client’s complete IT system:  

• The external internet facing ‘footprint’ of a client  
• Internal, onsite testing of a client’s network including:  

• • Servers  
  • Network infrastructure  
  • Wireless networks  
  • VOIP phone infrastructure
  • A security review of specific applications, with a focus on authentication and authorisation methods, password policies and user management.  

A good 3rd party supplier should perform the following regime of testing:   

Part One – External Penetration Testing

Conduct an External Infrastructure Vulnerability Assessment and Penetration Test across external IP addresses from an unauthenticated perspective (without credentials) to identify vulnerabilities or areas that could lead to unauthorised access or the exposure or loss of sensitive data from an internet-based threat.  

In addition, conduct a focused External Web Application Penetration Test (including Outlook Web Access and Remote Access) from an unauthenticated perspective (without credentials).  

This can also include an unauthenticated penetration test of specific applications. These could be cloud–based applications and include integration testing with the client’s internal Management systems, with a focus on authentication and authorisation methods, password policies and user management. 

 Part Two – Internal Testing and Wi-Fi Penetration Testing  

Conduct Internal Network Infrastructure Vulnerability Assessment of Servers and Workstations / telephones. In addition, while onsite, conduct a Wireless Penetration Test across Wi-Fi networks.  

Approaches to External and Internal Penetration Testing 

The overall approach is designed to be comprehensive in scope, yet very targeted so that in a short period of time, identify critical issues and vulnerabilities, and provide the client with immediate and practical steps to reduce the priority risk areas in the context of their organisation’s environment.  

Approach to Part One – External Penetration Testing  

 The testing approach is based on a number of recognised industry standards including the “Open Web Application Security Project (OWASP), Top 10”, the SysAdmin, Audit, Networking, and Security (SANS) “Top 25”, The Web Application Security Consortium Threat Classification and NIST SP 800-115.  

The use of this methodology means that the client will receive the benefit of a proven, well-known ‘best practice’ approach to security testing, ensuring that well recognised ‘attack-vectors’ are comprehensively evaluated.  

Vulnerability scanning is the act of identifying potential vulnerabilities in network devices such as firewalls, routers, switches, servers and applications. The key word is ‘potential’. Vulnerability scanners merely identify potential vulnerabilities; they do not always assess the ability to exploit the vulnerability. Generally speaking, anyone with networking experience could run a vulnerability scanner, however it requires someone with significant networking and security experience to correctly configure scans of Production environments and interpret the multitude of results generated by a vulnerability scanner.  

Penetration testing takes the results of a vulnerability scan and with the use of a number of approaches, techniques and tools, attempts to use the vulnerabilities identified to compromise devices. Penetration testing tools are much more sophisticated than vulnerability scanners and require a significant amount of experience to use effectively and safely. There are varying levels of penetration tests ranging from ‘sanitised exploits’ that can validate the existence of vulnerability through to the actual compromise and control of a system, device or database.  

The analysis is carried out from the position of a potential attacker. Once potential threats and vulnerabilities have been identified the penetration test involves attempts to actively exploit security vulnerabilities with the goal of the test being to ascertain whether unauthorised access to key data and systems can be achieved and to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered. Any security issues that are found will be presented together with an assessment of their impact and a proposal for mitigation or a technical solution prior to attempts to perform any exploitation of vulnerabilities.  

Approach to Part Two – Internal Testing and Wi-Fi Penetration Testing   

The approach to the Internal Testing component is very similar to Part One. In addition to this, an onsite test of the wireless network physically located at the client’s office will be performed, with the view to seeing whether access is able to be gained to the network externally.  

Typically, the review will consist of an examination of the following aspects;  

• Wireless encryption protocols  
• Authentication mechanisms  
• Encryption key management  
• Wireless network zoning  
• Infrastructure technologies  
• Access Point configuration issues  
• Vulnerability issues  
• Account Management  
• User segregation / privilege escalation  
• Review of guest user access (e.g. external ports and protocols)  

 Once potential threats and vulnerabilities have been identified it will be ascertained whether unauthorised access to the network and systems can be achieved and then to determine the feasibility of an attack and the potential business impact of a successful exploit, if discovered. Any security issues that are found will be presented together with an assessment of their impact and a proposal for mitigation or a technical solution prior to attempts to perform any exploitation of vulnerabilities.  

This approach to testing is uniquely valuable because:  

1. Testing reflects the unique business and industry environment of each client. The inherent risk within different industries and client environments means that value-added test must be tailored to address the unique environment in which a system is operating. 
2. Adiverse toolset is used to thoroughly evaluate an environment. The belief is that “one tool does not fit all”, and as such a range of commercial and open source tools is leveraged to test an environment that is unique to each client’s situation. 
3. Automated and manual, iterative testing. An effective test requires an ongoing, exploratory process of gaining information and determining how best to progress. Few tools can effectively mimic the process of learning, exploration, evaluation and exploitation.
4. Clear, concise and effective communication to key constituents. A scan or test is only one part of a successful project. Communicating the results to a range of diverse constituents is what makes the results actionable.The essential “so what – now what” perspective needed for senior executives to make decisive decisions is provided, but also the technical detail for programmers or engineers who need specific advice on how best to resolve a particular issue.  

Deliverables and Timing 

At the conclusion of this testing, the client will receive a comprehensive but concise Management Report that identifies apparent threats and risk exposures as per the previously described scope. The “checklist report” will highlight key, prioritised issues to be considered for resolution. These will be factually based and aligned within the context and business of the client.   

This will include an executive summary level explanation of any issues identified, including detailed information on how the client can close technical vulnerabilities that have been identified.  

Specifically, the deliverable findings will be presented in a comprehensive document that includes:   

1 a. An executive summary which provides senior management with a summary and non-technical description of any vulnerabilities
1 b. Detailed findings of each item found
1 c. Pragmatic recommendations for remediation of risk identified, and in the context of the client’s business and security requirements
1 d. Details of the scope and timing of the assessment; and
1 e. Where appropriate, additional information collected during the review. 

The overall timing of the project would extend over a two (2) to three (3) week calendar period.  

If you’re interested in conducting robust Security Penetration Testing with the help of senior, experienced professionals, contact us.