While going through threats and vulnerabilities, it is worthwhile to write up a post on the process and methods by which a vulnerability is identified and remediated. This is the second of many posts about penetration testing; it focuses mainly on pen testing types and domains.
Penetration testing types
Depending on the goals, the organization gives the testers varying degrees of information about, or access to, the target system. In some cases the pen testing team settles on one approach at the start and sticks with it; other times the team adjusts its strategy as its understanding of the system grows during the test. Three types of testing are followed industry-wide:
- Black box testing.
The team knows nothing about the internal structure of the target system. They act as external attackers would, probing for any externally exploitable weaknesses.
- Grey box testing.
The team has some knowledge, such as one or more sets of credentials. They also know about the target's internal data structures, code, and algorithms. Pen testers might construct test cases based on detailed design documents, such as architectural diagrams of the target system.
- White box testing.
Pen testers have access to systems and system artifacts: source code, binaries, containers, and sometimes even the servers running the system. White box approaches provide the highest level of assurance in the least amount of time.
Penetration testing platforms
Web applications
Tests conducted on Web platforms search for vulnerabilities in the Web server configuration and in the application layer. Server-side issues include open and insecure services, outdated software, and configuration errors. On the application side, the tests cover the vulnerabilities listed by OWASP (including the Top 10), logical vulnerabilities in the workflow implementation, and issues arising from new discoveries about the technologies the developers use.
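As an added illustration (not code from the original post), here is a small Python audit of the server-configuration class of findings described above. It parses a raw HTTP response head and flags missing security headers, version disclosure in Server / X-Powered-By, and cookies set without the Secure or HttpOnly flag. The two sample responses are constructed; the header names are the standard ones, and the verdict wording is our own.

```python
"""Audit an HTTP response head for server-configuration weaknesses.

Added illustration, not code from the original post. The two sample
responses below are constructed; the headers checked are the standard
ones a hardened HTTPS site is expected to send.
"""
import re
from typing import Dict, List

# Header -> finding text when the header is absent.
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS missing: clients may be downgraded to plain HTTP",
    "content-security-policy": "CSP missing: injected scripts are not restricted",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: clickjacking not mitigated",
}

# Headers whose value commonly leaks product and version information.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_head(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.x response into a lower-cased header map.

    Values are lists because Set-Cookie may legitimately repeat.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:       # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_response(raw: str) -> List[str]:
    """Return human-readable findings for one response; empty list = clean."""
    headers = parse_head(raw)
    findings: List[str] = []
    for name, text in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(text)
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            if VERSION_RE.search(value):
                findings.append(f"{name} discloses a version: {value}")
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        # Attributes follow the first ';' and are case-insensitive.
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks the HttpOnly flag")
    return findings


# Constructed sample: a typical out-of-the-box LAMP response.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same server after hardening.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit_response(raw) or ["no findings"]:
            print("  -", finding)
```

In a real test the response text comes from an HTTP client pointed at the system under test; here both responses are embedded so the script runs offline. The weak sample yields seven findings, the hardened one none.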
Mobile applications
Tests performed on mobile applications (excluding mobile APIs and servers) include static and dynamic analysis of the applications. Static analysis consists of extracting elements (meta-information and source code) and reverse engineering them. Dynamic analysis consists of looking for vulnerabilities while the application is running on a device (at runtime), for example by bypassing controls or extracting data from RAM. Common vulnerabilities in mobile applications are listed by OWASP (including the Mobile Top 10).
Connected Devices – IoT
Tests on connected devices search for security flaws across the object's entire ecosystem: hardware, embedded software, communication protocols, servers, and Web and mobile applications. Tests on hardware, firmware and communication protocols are specific to the object itself, e.g. data dumps via electronic components, firmware analysis, and signal capture and analysis.
Infrastructure and Network
Tests performed on an external infrastructure consist of scanning the company's public IPs and the services exposed online to identify flaws in service configuration and operating system architecture. Tests on an internal corporate network involve mapping the network and looking for vulnerabilities on workstations, servers, routers, proxies, and other network devices. Typical tests include:
- Firewall configuration testing.
- Stateful analysis testing.
- Firewall bypass testing.
- IPS deception (evasion) testing.
- DNS-level attacks, including zone transfer testing.
- Switching- or routing-based testing.
- SSH client/server tests.
- Network databases such as MySQL and SQL Server.
- Exchange or SMTP mail servers.
- FTP client/server tests.
- Protocols used in wireless technology.
- Access points for wireless connectivity.
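The first item in the list above, firewall configuration testing, is often done on the exported ruleset before any packet is sent. As an added example (not code from the original post or from any vendor's tool), the following Python script performs three static checks over a first-match ruleset: a permit-everything rule, a management service (SSH, RDP, Telnet) allowed from any source, and a rule shadowed by an earlier one so that it can never match. The rule format and the sample ruleset are constructed; a real review would first export the vendor's policy into this shape.

```python
"""Static checks over a first-match firewall ruleset.

Added illustration, not code from the original post or any vendor's
tool. The Rule shape and the sample ruleset are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Management services that should never be reachable from any source.
MGMT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                        # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]]  # inclusive range; None means any port


def rule(action: str, src: str, dst: str, proto: str = "any",
         ports: Optional[Tuple[int, int]] = None) -> Rule:
    """Constructor so the sample ruleset reads like a policy."""
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                proto, ports)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if not inner.src.subnet_of(outer.src) or not inner.dst.subnet_of(outer.dst):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.ports is None:           # outer matches every port
        return True
    if inner.ports is None:           # inner is wider than outer
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def port_in(r: Rule, port: int) -> bool:
    return r.ports is None or r.ports[0] <= port <= r.ports[1]


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per problem, in ruleset order."""
    findings: List[str] = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == ANY_NET and r.dst == ANY_NET and r.ports is None:
            findings.append(f"rule {i}: allows any source to any destination on any port")
        elif r.action == "allow" and r.src == ANY_NET:
            for port, name in MGMT_PORTS.items():
                if port_in(r, port):
                    findings.append(f"rule {i}: {name} ({port}/{r.proto}) reachable from any source")
        # Shadowing: with first-match semantics an earlier rule that covers
        # this one means this rule is dead, whatever its action.
        for j in range(i):
            if covers(rules[j], r):
                findings.append(f"rule {i}: shadowed by rule {j} ({rules[j].action}), never matches")
                break
    return findings


# Constructed sample ruleset (first match wins).
SAMPLE_RULES = [
    rule("allow", "0.0.0.0/0", "203.0.113.10", "tcp", (443, 443)),  # 0: public web
    rule("allow", "0.0.0.0/0", "203.0.113.10", "tcp", (22, 22)),    # 1: ssh open to the world
    rule("allow", "10.0.0.0/8", "10.0.0.0/8"),                       # 2: all internal traffic
    rule("deny", "10.1.0.0/16", "10.2.0.0/16", "tcp", (445, 445)),   # 3: dead, shadowed by 2
    rule("allow", "0.0.0.0/0", "0.0.0.0/0"),                         # 4: permit everything
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Running it on the sample reports rule 1 (SSH from anywhere), rule 3 (shadowed by the broad internal allow, so the intended SMB block never applies) and rule 4 (permit-all). The shadowing check is the one reviewers most often miss by eye; it is also where a broad "temporary" allow silently disables later deny rules.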
Workstations and local software
The goal of these tests is to pinpoint security threats that emerge locally. For example, a flaw in a software application running on the user's workstation could be easily exploited by an attacker. Such programs include PuTTY, Git clients, sniffers, browsers (Chrome, Firefox, Safari, IE, Opera), and even presentation and content-creation packages such as MS PowerPoint, Adobe PageMaker, Photoshop, and media players. In addition to third-party software, threats can be home-grown: using uncertified OSS (open source software) to create or extend a home-grown application can introduce severe threats that are hard to anticipate. Therefore, locally developed tools should also pass through the penetration test cycle.
Social engineering – human factor
Testing the "human factor" of the company makes it possible to assess how staff react when facing phishing attempts, telephone attacks and physical intrusion. Techniques used include sending phishing and spear-phishing emails, using cloned interfaces and malware, collecting sensitive information through phone calls, and planting malicious USB devices.
- Remote Tests.
These aim to trick an employee into disclosing confidential data by electronic means; the tester might run such an attack as a phishing email campaign.
- Physical Tests.
This type of test requires direct contact with the subject to retrieve sensitive information. It may involve tactics such as dumpster diving, impersonation, intimidation, or persuading the subject over the phone.
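As an added illustration from the defender's side (not code from the original post), the following Python script shows one of the checks a mail gateway or blue team can apply to the remote tests described above: it parses a message's headers and flags a sender domain that imitates the organisation's own, a display name that claims the organisation while the address is external, and a Reply-To that points somewhere else. The trusted domain list, the organisation name and the two sample messages are constructed; the lookalike heuristic (a few homoglyph substitutions plus edit distance) is a simplification of what commercial products do.

```python
"""Flag sender-address tricks typical of phishing mail.

Added illustration, not code from the original post. The trusted
domains, the organisation name and the sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List

TRUSTED_DOMAINS = {"example.com", "example-corp.com"}   # constructed
ORG_NAME = "example"                                    # constructed

# Sequences that look like another letter in many fonts.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Map visually confusable sequences to their plain-letter form."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain: str) -> bool:
    """The domain itself or a genuine sub-domain of it."""
    return domain in TRUSTED_DOMAINS or any(
        domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(domain: str) -> bool:
    """True for domains that imitate a trusted one without being it."""
    if is_trusted(domain):
        return False
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(norm, trusted) <= 2:
            return True
        if trusted in domain:          # e.g. example.com.attacker.test
            return True
    return False


def analyse(raw: str) -> List[str]:
    """Return findings for one RFC 822 message; empty list = nothing suspicious."""
    msg = message_from_string(raw)
    findings: List[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if is_lookalike(from_domain):
        findings.append(f"From domain {from_domain} imitates a trusted domain")
    if not is_trusted(from_domain) and ORG_NAME in from_name.lower():
        findings.append(f"display name '{from_name}' claims the organisation, address is {from_addr}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to:
        reply_domain = reply_to.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    return findings


# Constructed sample: credential-harvesting mail with a digit-for-letter domain.
PHISH = (
    "From: Example IT Helpdesk <helpdesk@examp1e.com>\n"
    "Reply-To: support@mail-reset.invalid\n"
    "To: alice@example.com\n"
    "Subject: Password expires today\n"
    "\n"
    "Reset your password at the link below.\n"
)

# Constructed sample: ordinary internal mail from a sub-domain.
LEGIT = (
    "From: Alice Smith <alice@hr.example.com>\n"
    "To: bob@example.com\n"
    "Subject: Lunch\n"
    "\n"
    "Noon?\n"
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyse(raw) or ["no findings"])
```

The phishing sample trips all three checks; the internal mail trips none because a sub-domain of a trusted domain is treated as trusted. In production this logic would sit behind SPF/DKIM/DMARC verification rather than replace it, since it only looks at what the sender chose to put in the headers.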
We will discuss standards and various tools in future posts.