The Ultimate Penetration Testing Checklist
Businesses today are painfully aware of the importance of cybersecurity. Penetration testing ("pentesting" for short) is a valuable tool for identifying the avenues an attacker could use to exploit vulnerabilities in your assets. Intelligence-led pentesting helps with prioritization, speed and effectiveness, which in turn prevents financial losses, protects brand reputation, and maintains customer confidence.
Six Colors of Penetration Testing
Each of the six types of penetration test is signified by a color (though not as colorful as the rainbow) and comes with its own advantages and disadvantages. Some organizations choose to have only one type performed, while others have several types performed for a more comprehensive assessment of their security posture. Black, gray, and white box testing differ in how much knowledge the testers start with, and are used to test the vulnerability of infrastructure such as applications, cloud environments, and connected devices. Teams of testers are also defined by colors, and each color team provides a unique function in testing the cyber readiness of the organization.
When conducting a black box assessment, penetration testers have little prior knowledge of the target. For example, they will know the hostname and IP address of a public server, but nothing about the network infrastructure, operating systems, or security protections behind it. In attempting to penetrate the target and discover as many vulnerabilities as they can, the testers imitate a "real world" attacker, using many of the same tools attackers would use.
In a white box assessment, the testers have far more access to and information about the environment, such as administrative rights and configuration files. This type of testing is less time consuming than black box testing, but it does not show how an attacker with no prior knowledge would gain unauthorized access from outside. It does, however, show what an attacker could reach once they have gained internal access and rights.
Gray box testing falls somewhere between black box and white box testing. The customer shares some limited information, such as a user login or an overview of the network. The scope, and what information and access are provided, all depend on the customer's testing requirements. Gray box testing keeps the outside-in perspective of black box testing but can also go deeper where needed, using the additional information provided.
Red team members apply offensive security techniques in pursuit of specific objectives, such as penetrating a database and extracting sensitive records. The red team simulates an attacker and looks for exploitable vulnerabilities.
The blue team is tasked with defending against the red team's attacks. They use logs, traffic captures, SIEM alerts, and threat intelligence data to detect and respond to red team activity. The blue team is usually the organization's internal security team, and exercising against a red team is meant to improve that team's defense and response to real attacks.
A purple team is the red team and blue team working together, sharing what each side sees during the exercise. This type of engagement allows the blue team to gauge and tune its detection and incident response capabilities against real-world-like threats.
An organization's choice of testing therefore depends on what it wants to learn. But in addition to choosing the type of penetration test, you will also need to decide on the scope of the test and which systems should be included.
So What Can Be Pentested?
Different areas of the network and systems can be pentested, such as web, mobile, and cloud applications, or network and wireless infrastructure.
- Web Applications – When testing a web application, the tester first maps the site to understand the application, then runs tests against it: scanning for open ports and checking for default or misconfigured settings. Testers look for verbose error messages and scrutinize login pages and online forms. Vulnerabilities testers look for include SQL injection, cross-site scripting, encryption flaws such as weak TLS configuration, and XML and template injection.
- Mobile Applications – Similar to web application testing, mobile testing includes an assessment of the mobile OS and mapping of the application. Penetration testers analyze the application's file system storage, its runtime behavior, and its network traffic at the TCP and HTTP level. Vulnerabilities that can be revealed include insecure APIs, sensitive file artifacts left on the device, plaintext traffic, and SQL injection.
- Infrastructure and Wireless – The objective of an infrastructure and wireless pentest is to identify exploitable vulnerabilities in network devices, systems, and hosts. Penetration testers identify the protocols in use, such as CDP, WEP, and SNMP, and discover network device models and the software versions running on them. Vulnerabilities most likely to be discovered include weak or default passwords, missing patches, unnecessary open ports, and SNMPv1 or SNMPv2c still in use (both authenticate with a plaintext community string and offer no encryption).
- Cloud Applications – Pentesting public cloud applications means you must check and follow the provider's penetration testing policy before beginning; some providers require prior notification or approval, and restrictions on the types of tests that may be performed (for example denial-of-service testing) are common. Pentesting in the cloud can cover applications, storage, virtualization, and compliance, so depending on the scope of the test, testers could be checking items such as data access controls, virtual machine isolation, and regulatory compliance. Findings could include non-compliant encryption, virtual machines that are not properly isolated, API vulnerabilities, and weak passwords.
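The SQL injection check named under Web Applications (and again under Mobile Applications) is the one a tester runs against every login form, so here is what it looks like in practice. This is an added example, not code from the original article or from any product it mentions: a login query in its vulnerable string-built form beside its parameterized form, run against an in-memory SQLite database so it works offline. The users, passwords and payloads are constructed, and sha256 stands in for a real password hash only to keep the example self-contained.

```python
"""Added example (not from the original article): the SQL injection checks a
web-application pentester runs against a login form, reproduced against an
in-memory SQLite database. Users, passwords and payloads are constructed."""
import hashlib
import sqlite3

# Constructed sample users. sha256 is a stand-in for a real password hash
# (bcrypt/argon2) so the example needs nothing outside the standard library.
SAMPLE_USERS = {"alice": "correct horse", "bob": "hunter2"}


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(u, _hash(p)) for u, p in SAMPLE_USERS.items()],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Vulnerable form: user input is concatenated into the SQL text, so a quote
    or a '--' comment marker in the username rewrites the statement itself.
    Returns the logged-in username, or None."""
    query = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password_hash = '"
        + _hash(password)
        + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Hardened form: the same query with bound parameters. The driver sends the
    values separately from the statement, so quotes and comment markers remain
    plain data and can never change the query structure."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(query, (username, _hash(password))).fetchone()
    return row[0] if row else None


# Two payloads a tester would try in the username field (password is anything):
#  1. a known username followed by a comment marker, which drops the password check
#  2. a tautology followed by a comment marker, which matches every row and needs
#     no knowledge of any username at all
PAYLOAD_COMMENT = "alice'--"
PAYLOAD_TAUTOLOGY = "' OR 1=1 --"


def run_checks() -> dict:
    conn = make_db()
    return {
        "vuln_valid_creds": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_comment_bypass": login_vulnerable(conn, PAYLOAD_COMMENT, "wrong"),
        "vuln_tautology_bypass": login_vulnerable(conn, PAYLOAD_TAUTOLOGY, "wrong"),
        "safe_valid_creds": login_safe(conn, "alice", "correct horse"),
        "safe_comment_bypass": login_safe(conn, PAYLOAD_COMMENT, "wrong"),
        "safe_tautology_bypass": login_safe(conn, PAYLOAD_TAUTOLOGY, "wrong"),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result!r}")
```

The vulnerable function logs the attacker in as alice with a wrong password, and the tautology payload logs them in as some user without knowing any username; the parameterized function returns None for both payloads while still accepting the genuine credentials. The same structural flaw appears in any language whenever untrusted input is spliced into a query string, which is why testers probe every form field and not just the obvious ones.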
Penetration Testing Your Enterprise – Final Thoughts
Two things go without saying:
- A strong security posture matters, and that requires security to be tested to ensure it is working as expected and that those entrusted with managing the security infrastructure are maintaining proper standards and procedures.
- Penetration testing conducted by a third party provides an impartial perspective on the organization's cybersecurity posture, but the testers must be certified and experienced. The value of a third-party tester lies in intelligence-led pentesting, which makes red team activity visible in a threat intelligence system and allows automated workflows to be created for blue team activities. Pentesting activities and results will have more success in a holistic pentest environment that integrates with other platforms, such as Argos™ digital risk protection, than with disjointed pentesting services.
Caroline Wong, co-author of the Pen Test Metrics Study, comments, “I see a lot of organizations do one application pen test a year because of PCI, or HIPAA, or a customer asking them for one. But more organizations are realizing to ‘do the right thing’ means more regular testing is needed in their secure development practices.”
Contact us for a consultation on what type of penetration testing is right for your enterprise.