
What is a pen test?
A penetration test (pen test) is an exercise, conducted by a careful, skilled assessor, that seeks to discover, exploit and report on vulnerabilities in the target asset(s).
Penetration testing almost always includes a vulnerability assessment, where the assessor will use scanning tools in an attempt to identify known vulnerabilities in the target asset(s). Pen testing builds on vulnerability assessment however, since the assessor will use automated and manual techniques to first confirm that the reported vulnerabilities are real (not false positives) before then seeking to exploit those vulnerabilities in order to engineer a successful attack, within any pre-agreed constraints or conditions.
How does a pen test benefit your business?
Pen testing includes both automated and manual tools and techniques that allow the assessor to simulate an attack where the attacker targets asset(s) that may (as defined within the scope of the assessment) include:
- Applications, including web applications and services.
- Infrastructure, including fixed and wireless networks, networking components, servers and operating systems, and telephony equipment.
- Client and mobile devices including laptops, browsers, mobile phones and desktop systems.
- Cloud services such as infrastructure running within Azure or AWS.
Penetration testing can benefit your business in a number of ways. Most obviously, pen testing will provide you with:
1. An understanding of shortcomings and risks
At its most basic, a pen test will provide you with a description of any vulnerabilities that are discovered in any of the assets that are included within the scope of the assessment. Where relevant, we will refer to established vulnerability descriptions, such as those in the OWASP Top Ten, and we will assign a severity rating to each vulnerability using the Common Vulnerability Scoring System (CVSS v3.1).
A list of problems is not very useful on its own, however, so the next component of a pen test is a risk assessment that presents the level of risk, reflecting both the likelihood and the consequence of a compromise arising from successful exploitation of the discovered vulnerabilities. A qualitative risk assessment will be completed, and the assessment will be consistent with the relevant AS/NZ and ISO/IEC risk assessment and management standards and security guidelines.
2. A prioritised, risk-based, practical plan for improvement
The most important part of a pen test is a prioritised list of recommendations, describing how each of the identified risks may be reduced to an acceptable level. Any existing risk-mitigation mechanisms or procedures will be taken into account at this time.
dotSec has been implementing and maintaining secure systems, including secure hosted services for federal government, cryptographic systems for APRA, and Identity and Access Management systems for utilities companies, for over 25 years. We know what it takes to build secure systems, so our pen test reports are not just a jumble of holes-in-glass-houses findings; they provide you with a prioritised and practical path to address the risks associated with the shortcomings we discover.
3. Assistance with compliance
A pen test is almost always included as part of a maturity assessment, and most information security frameworks and standards require some kind of testing program:
- The PCI DSS requires that testing be conducted on a regular basis and following any significant system changes.
- CPS 243 requires a systematic testing program.
- ISO 27001 notes that information systems should be regularly reviewed for compliance with the organisation’s information security policies and standards.
But whether or not compliance requirements apply, a penetration test may be undertaken as a stand-alone piece of work, so that you (or the target/resource owner) understand the level of risk and can therefore prioritise your risk management programs of work.
How does dotSec run a pen test?
The aim of a penetration test is to allow DotSec to detect, understand and exploit vulnerabilities in the target asset(s), and then to report on those vulnerabilities together with the associated level of risk and recommendations for improvement. There are a number of possible approaches which can be used:
Uninformed or black-box testing
DotSec’s assessor will conduct a “black-box” test, taking the role of an uninformed attacker who does not have an account or privileges on the target asset(s). This allows an assessor to understand if/how an uninformed and unprivileged attacker could discover and exploit vulnerabilities in the target asset(s).
Grey-box testing
DotSec’s assessor will conduct a “grey-box” test, where “grey” indicates that some, limited information has been provided to the assessor. For example:
- The assessor can take on the role of an attacker who can register (or has registered) for an on-line account and can access those parts of the target site which require authentication, but without detailed knowledge of the design of the target site(s). This allows the assessor to understand how an attacker could use and/or escalate their limited privileges and capabilities to damage or misuse the target asset(s).
- The assessor has been provided with non-trivial design information, but without authentication credentials and/or privileges. This allows the assessor to take on the role of an attacker who has some incomplete level of insider knowledge and who can therefore proceed to attack the target of assessment without first having to conduct a detailed reconnaissance.
Informed or white-box testing
During a “white-box” test, the customer will provide DotSec’s assessor with insider knowledge of the target(s), allowing the assessor to provide the best coverage of the target asset(s) within the allowed assessment time, and thereby most effectively identifying and exploiting vulnerabilities that might not otherwise be discovered in a black or grey-box assessment.
For example:
- The assessor may be provided with complete source code for a web-application front-end and/or API endpoint(s). This would give the assessor complete knowledge of parameter names and values that the target will accept. Note that in this scenario, DotSec and the client would need to agree as to whether or not a review of the actual source code should be completed as part of the assessment.
- The assessor may be granted admin privileges to a web application that would allow the assessor to create additional, arbitrary users of any privilege level. This will in turn allow the assessor to identify functionality which may be unavailable to users of lower privilege. The aim of this arrangement is to give the assessor complete knowledge of how the application appears to all roles, thereby allowing the assessor to uncover vulnerabilities which may otherwise remain hidden. Note that in this testing scenario, DotSec and the client would need to agree as to whether or not the assessment should include a review of the super-admin functionality itself.
Internal, external or both?
In the world of cloud and mesh VPNs there is sometimes less distinction between what is “inside” and what is “outside”, but in general most businesses still have head-office and branch networks, so the location of the assessor in relation to the target of assessment can be important.
For example, a pen test can be conducted as:
- An external test, where the assessor takes on the role of an attacker that is situated on an external, publicly accessible part of the Internet. In this scenario, the assessor sees only the Internet-accessible interfaces and components of the target asset(s), such as web-service APIs, open firewall ports and remote-access end points.
- An internal test, where the assessor takes on the role of an attacker who has breached the defences of the target-asset owner, or who has compromised (for example, through a social-engineering or “phishing” attack) an account on the asset-owner’s network or system. In this scenario, the assessor is better able to determine how an attacker could escalate and extend their capabilities, given a toe-hold into the target asset.
- Both external and internal tests. In this “best of both worlds” approach, the assessor can provide a holistic understanding of the vulnerabilities that are detectable and exploitable from both an internal and an Internet-facing (external) perspective.