Network Target Penetration Testing Planning
Testing Environment and Platform Selection
In this article, we will discuss the testing environment and how to choose the testing platform. Here we will cover the following:
- Introduction to advanced penetration testing.
- How to be successful in your testing.
- What needs to be prepared before testing.
- Setting boundaries - nothing lasts forever.
- Planning actions.
Introduction to Advanced Penetration Testing
Penetration testing is necessary to understand the actual attack footprint of our environment. It is often confused with vulnerability assessment, and therefore, it is crucial that the difference is fully explained to your clients.
Vulnerability Assessment
Vulnerability assessment is necessary to find potential vulnerabilities across the environment. There are many tools available that can automate this process so that even inexperienced security professionals or network administrators can effectively determine the security posture of their environment. Depending on the scope, additional manual testing may also be required. Full exploitation of systems and services is generally not within the scope of a normal vulnerability assessment.
In conducting a vulnerability assessment, systems are usually scanned and evaluated for vulnerabilities, and testing can often be performed with or without authentication. Most vulnerability management and scanning solutions provide actionable reports as a reference for testers detailing mitigation strategies such as applying missing patches or correcting insecure system configurations. Therefore, testers will conduct their analysis and make recommendations based on this.
Penetration Testing
Penetration testing extends the vulnerability assessment by actively exploiting the vulnerabilities found in the target environment.
Penetration testing allows a company to understand whether the mitigation strategies in place actually work as expected; it essentially tests the existing plan. Penetration testers are expected to mimic the actions an attacker would perform, and they will be challenged to prove that they can compromise the targeted critical systems. The most successful penetration tests result in the testers proving beyond a doubt that the vulnerabilities found could lead to significant business impact or revenue loss unless properly addressed. Imagine the financial and reputational damage you could demonstrate to a client if you can show that anyone in the world has easy access to their most confidential information!
Penetration testing requires deeper and broader knowledge than vulnerability analysis. This generally means that the cost of a penetration test will be much higher than that of a vulnerability analysis. If you cannot penetrate the network, you can reassure your client that, as far as your testing shows, their systems are secure. This should be demonstrated not only by your inability to breach their network but also by showing what you tried and why it did not work because of the mitigations in place. If you want to sleep well at night, it is advisable to go far above and beyond simply verifying your client's security.
Advanced Penetration Testing
Some environments will be more secure than others. You may be faced with environments that use:
- Effective patch management procedures.
- Managed system configuration testing policies.
- Multi-layered DMZs.
- Centralized security log management.
- Host-based security controls.
- Network or wireless intrusion detection or prevention systems.
- Web application intrusion detection or prevention systems.
- End-user security, executive security, and insider threats.
The use of effective controls will significantly increase the difficulty level of penetration testing. Clients should have full confidence that the security mechanisms and procedures employed can protect the integrity, confidentiality, and availability of their systems. They also need to understand that sometimes attackers can breach systems due to configuration errors, poor IT architecture design, and opportunities for social engineering.
There is no silver bullet in security. As penetration testers, it is our job to look at issues from all angles and make clients aware of all the possible avenues an attacker might take to impact their operations.
Advanced penetration testing goes beyond standard/regular penetration testing by utilizing the latest security research and exploitation methods available. The goal is to prove that sensitive data and systems are protected even from targeted attacks and, if not, to ensure that clients receive the right input on what needs to change and understand the importance of maintaining a solid incident response program, because there is always a possibility of breach.
Penetration testing is a snapshot of the current security posture. Penetration testing should be done continuously.
Many exploitation methods require trained penetration testers who are eager to keep learning and require hands-on experience to execute effectively and efficiently. Only through dedication, effort, training, and willingness to explore unknown areas can penetration testers mimic the types of targeted attacks that malicious hackers out there would conduct.
Often, you will be asked to conduct penetration testing as part of a team, and need to know how to use the tools available to make the process more sustainable and efficient. This is another challenge faced by pentesters today. Working in silos is not an option when your scope limits you to a very tight testing timeline.
In some situations, a company may use non-standard methods to ensure their data security, which makes your job harder. The complexity of their security systems working in conjunction with each other might be the weakest link in their security strategy.
The likelihood of finding exploitable vulnerabilities is directly proportional to the complexity of the environment being tested.
Before Conducting Testing
Before we start penetration testing, there are requirements that need to be considered. You need to determine the exact scope of the testing, the timeframe, the limitations, the type of testing (white box/black box), and how to handle third-party equipment and IP ranges.
Before you can accurately define the scope of testing, you need to gather as much information as possible. It is important that the following points are fully understood before starting the testing procedure:
- Who is authorized to give testing permission?
- What is the purpose of the testing?
- What is the proposed timeframe for the testing? Are there limitations on when testing can be conducted?
- Does your client understand the difference between vulnerability assessment and penetration testing?
- Will you be conducting the testing with or without the cooperation of the IT security operations team? Are you testing its effectiveness?
- Is social engineering allowed? How about denial-of-service attacks?
- Can you test the physical security measures used to secure servers, critical data storage, or anything else that requires physical access? For example, testing access doors, impersonating employees to enter buildings, or simply walking into areas open to the general public.
- Are you allowed to view network documentation or be informed about the network architecture before testing to speed everything up? (Not necessarily recommended, as this can cast doubt on the value of your findings. Most companies and institutions do not expect this information to be easily found by you.)
- What is the allowed IP range for testing? There are laws against scanning and testing systems without proper permission. Take care to verify that these devices and ranges actually belong to your client, or you may face legal consequences.
- Where is the physical location of the company? This is more valuable to you as a tester if social engineering is allowed, because it ensures you are in the approved building when conducting testing. If time allows, you should inform your client whether this information is publicly accessible, in case they have the impression that their location is secret or hard to find.
- What should be done if there is an issue, or if the initial goal of the testing has been achieved? Will you continue testing to find more entry points, or is the testing done? This part is very important and relates to the question of why the client wants a penetration test.
- Are there legal implications you need to be aware of, such as systems being in different countries, and so on? Not all countries have the same laws when it comes to penetration testing.
- Will additional permissions be required after vulnerabilities are exploited? This is important when testing segmented networks. Clients may not be aware that you can use compromised internal systems as a channel to dig deeper into their network.
- How are databases handled? Are you allowed to add records, users, etc.?
This list is not exhaustive, and you may need to add questions to the list depending on your client's requirements. Most of this data can be gathered directly from the client, but some will have to be handled by your own team.
If there are legal concerns, it is advisable to seek legal counsel to ensure you fully understand the implications of your testing. It is better to have too much information than not enough when it is time to start testing. However, you should always verify the accuracy of the information you are provided with yourself. You do not want to find that the systems you accessed are actually not under your client's authority!
It is crucial to obtain proper authorization in writing before accessing your client's systems. Failure to do so could result in legal action and possibly jail. Use proper judgment! You should also treat insurance as a necessity when conducting penetration testing.
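The scoping questions above about allowed IP ranges, exclusions and the agreed timeframe can be enforced mechanically before any scanner is pointed at a target. The following script is an added example and is not part of the original article; the Rules of Engagement values (`ROE`, the TEST-NET documentation ranges, the excluded hosts, the engagement window and the candidate target list) are constructed placeholders standing in for the signed engagement document. It rejects anything outside the authorized ranges, anything the client carved out, hostnames that have not been resolved to addresses, and any run outside the agreed dates, returning a reason for each decision so the check can be logged alongside the engagement records.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed Rules of Engagement for illustration only. In a real engagement
# these values come from the signed RoE document, never from the tester's memory.
ROE = {
    # RFC 5737 documentation ranges used as stand-ins for the client's address space
    "authorized_ranges": ["203.0.113.0/24", "198.51.100.0/25"],
    # Hosts the client explicitly excluded (e.g. fragile production systems)
    "excluded_hosts": ["203.0.113.10", "203.0.113.11"],
    # Agreed testing window (UTC); testing outside it is unauthorized
    "start": datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
    "end": datetime(2024, 3, 15, 17, 0, tzinfo=timezone.utc),
}

# Constructed timestamps used for the stand-alone run and the checks below
IN_WINDOW = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
OUT_OF_WINDOW = datetime(2024, 3, 20, 10, 0, tzinfo=timezone.utc)

# Constructed candidate list: one in scope, one excluded, one just past the /25
# boundary, one in an unrelated range, and one unresolved hostname.
CANDIDATES = ["203.0.113.5", "203.0.113.10", "198.51.100.200",
              "192.0.2.1", "intranet.example"]


def load_roe(roe):
    """Parse the RoE into network objects; strict=True rejects sloppy CIDRs
    such as 203.0.113.5/24 that hide an ambiguous scope."""
    nets = [ipaddress.ip_network(n, strict=True) for n in roe["authorized_ranges"]]
    excl = [ipaddress.ip_network(h) for h in roe["excluded_hosts"]]  # single hosts become /32
    return nets, excl, roe["start"], roe["end"]


def check_target(target, roe, now):
    """Return (allowed, reason). A target is allowed only if 'now' is inside the
    engagement window, the address is not excluded, and it falls within an
    authorized range. Every other case is rejected with an explanation."""
    nets, excl, start, end = load_roe(roe)
    if not (start <= now <= end):
        return False, f"{target}: outside engagement window {start:%Y-%m-%d} to {end:%Y-%m-%d}"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames are not checked blindly: resolve them first and check each address,
        # since a name may point at infrastructure the client does not own.
        return False, f"{target}: not an IP address; resolve it and check each address"
    if any(addr in x for x in excl):
        return False, f"{target}: explicitly excluded by RoE"
    for net in nets:
        if addr in net:
            return True, f"{target}: in authorized range {net}"
    return False, f"{target}: not in any authorized range"


def filter_targets(targets, roe, now):
    """Split a candidate list into (allowed, rejected); both carry their reasons
    so the decision can be recorded with the engagement evidence."""
    allowed, rejected = [], []
    for t in targets:
        ok, reason = check_target(t, roe, now)
        (allowed if ok else rejected).append((t, reason))
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = filter_targets(CANDIDATES, ROE, IN_WINDOW)
    print("In scope:")
    for _, reason in ok:
        print("  " + reason)
    print("Rejected:")
    for _, reason in bad:
        print("  " + reason)
```

Of the five constructed candidates only 203.0.113.5 passes; 198.51.100.200 is rejected because the authorized block is a /25 and therefore ends at .127, which is exactly the kind of boundary mistake that turns an authorized test into an unauthorized scan of a neighbour's hosts. Feed the scanner only the allowed list, and keep the rejected list with its reasons as part of the engagement record.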
Setting Boundaries - Nothing Lasts Forever.
Setting proper boundaries is crucial if you want to be successful in conducting penetration testing. Your client needs to understand the full consequences of expanding the work, and they should be informed of the additional costs incurred if services beyond those listed in the contract are required.
Be sure to clearly define the start and end dates for your services. Clearly define the Rules of Engagement including IP ranges, buildings, hours, and so forth that may need to be tested. If it is not in your Rules of Engagement documentation, do not test it. Meetings should be set before the start of testing, and the client should know exactly what deliverables you will provide.