During penetration testing (known as pentesting), auditors act like external attackers would: they try to bypass protection measures and break into a company’s network. They detect hidden system flaws and evaluate the potential impact on operations if those flaws were exploited by real attackers. In addition to a thorough technical analysis of the customer’s security tools, the assessment may also evaluate the level of IT security awareness among company staff.
The experts at Positive Technologies have conducted hundreds of penetration tests on a wide range of systems for clients ranging from banks and telecom companies to utilities and government agencies. Typical penetration testing activities carried out by our team include:
- Attempting to hack the web interface of an e-banking system prior to full-scale deployment
- Employing social engineering to test staff awareness following a security training program
- Trying to gain unauthorized access to an internal corporate network by targeting vulnerabilities such as default system settings, misconfigurations, or weak passwords
External vs Internal Penetration Testing
Penetration testing can be conducted with or without the knowledge of key information security personnel, such as system and network administrators. Performing a simulated attack without warning these employees will give senior management a true picture of the effectiveness of their existing security measures. However, if server and network equipment has been poorly configured or security teams respond badly to the simulated attack, this kind of "unannounced" testing could cause disruption to normal network operations.
For this reason, penetration tests are often subdivided into external and internal stages. First, our experts try to hack the perimeter, for example, by installing malware on workstations. If this external stage is successful, then they will coordinate with system administrators before beginning an assessment of measures to counteract an internal attack.
Technical Penetration Testing
A technical penetration test identifies existing vulnerabilities in your IT infrastructure and provides practical evidence of whether they can be exploited. The following are typical steps performed by Positive Technologies experts during this testing:
- Gather information about your network using the same sources of information available to attackers (Internet, news, conferences)
- Map your network and determine the types of devices, operating systems, and applications from the way they respond to external probes
- Identify vulnerabilities in your network services and applications
- Analyze web-client applications, using automated tools and manual methods, to detect vulnerabilities such as SQL injection, cross-site scripting, content spoofing, OS commanding, and misconfigured authentication and authorization mechanisms
- Attempt to exploit found vulnerabilities using relevant methods and tools
- With permission, attempt to gain security control of wireless networks
- With permission, check the resilience of the external perimeter and publicly exposed resources against attacks such as denial of service
- Assess the degree of security of network elements and possible damage during the most intrusive attack scenarios
- Check the strength of the network against attacks on the link layer; perform simulated attacks on the STP, VTP, CDP, and ARP link-layer protocols
- Analyze network traffic to obtain sensitive information (passwords, confidential data, etc.)
- Check the stability of routing; model route manipulation and denial-of-service attacks against the routing protocols in use
- Verify ability to gain unauthorized access to confidential information
- Verify whether the privileges obtained at various stages of testing grant access to other information resources
Sociotechnical Penetration Testing
In many networks, ordinary users are the weakest link. Attackers who can manipulate your employees may be able to gain control of workstations from which they might access confidential documents, data, or customer accounts; post malicious content on your websites; conduct spam or phishing activities using your customer contacts; use your network resources to launch attacks on other companies’ systems or restrict your ability to do everyday business.
Positive Technologies can use social engineering techniques to identify your staff’s level of security awareness and gauge their reactions to hacking techniques such as phishing and pharming. As well as identifying areas of security that need immediate attention at your organization, this service can be especially useful for testing the effectiveness of recent awareness training. Our testing is typically targeted at selected user groups, with different test scenarios applied to different groups. These may include:
- Sending email or instant messages (IM), purporting to come from anonymous users or from employees of your company, that contain links to web resources or executable code, or that request users to change passwords or to send passwords or personal information
- Conducting random inspections of "clean desk" policies (such as workstations left unlocked and unattended, sticky notes with passwords, and confidential documents left in work areas accessible to unescorted visitors)
A Comprehensive Approach
To truly act like external attackers, our testers combine the information gathered in both technical and sociotechnical penetration tests to demonstrate how hackers can piece together weaknesses to circumvent your existing security mechanisms, escalate network privileges, gain access to confidential information, modify your DBMS, or persuade users to sidestep compliance with existing security policies.
The key deliverable from our penetration testing services is a report detailing:
- Test methodology
- Weaknesses identified within your information security systems
- Explanations for all identified vulnerabilities
- Conclusions regarding the level of security awareness among users and overall network protection
- Descriptions of the main areas of concern, including information regarding the activities of users in each target group
- Recommendations to mitigate identified vulnerabilities