Penetration Testing

Penetration testing is an effective way to measure how well the security controls designed into a target actually hold up. Targets range from infrastructure and applications to more bespoke technologies such as wireless networks and voice over IP communications.

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (those who have no authorised access to the company's infrastructure) or insiders (those who have some level of access). The process involves analysing systems for potential vulnerabilities arising from poor or incorrect system configuration, known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and often involves active exploitation of the vulnerabilities found.

Security issues uncovered through the penetration test are then collated and presented. The report couples this information with an assessment of the potential impact on the company and outlines a range of technical and procedural countermeasures that can reduce the risk.

Penetration tests are valuable for several reasons:

  1. Determining whether a perceived threat is applicable;
  2. Understanding whether a number of vulnerabilities and weaknesses across a network estate can be chained together to effect an actual compromise;
  3. Identifying whether any weaknesses originating from human errors in configuration could be used to compromise a target;
  4. Assessing the magnitude of potential business and operational impacts of successful attacks;
  5. Testing the ability of network defenders to successfully detect and respond to the attacks;
  6. Providing evidence to support increased investments in security personnel and technology.

Following a penetration test, a report is produced that outlines any areas of technical and procedural weakness that could be used to compromise the security controls in place, alongside their potential impact.

The expected return on investment from commissioning a penetration test is the controlled identification of vulnerabilities and weaknesses in a system or network environment prior to compromise by a real threat. The engagement can avoid future reputational impact to the organisation in addition to potential issues with regulatory compliance (for example, the Payment Card Industry or Financial Services requirements).

A penetration test subjects a system, or a range of systems, to realistic attacks. Its benefit over an automated vulnerability scan is depth: a scanner reports individual weaknesses it can recognise, whereas a tester confirms which of them are actually exploitable, chains them together, and finds classes of weakness (logic flaws, misuse of legitimate functionality, weak processes) that a scanner cannot.

Penetration Testing Process:

  • Intelligence Gathering - Digital Assurance performs Open Source Intelligence gathering to determine various entry points into an organisation. These entry points can be physical, electronic, and/or human. Many companies fail to take into account information pertaining to themselves that they place in public, and how this information can be used by a determined attacker. Moreover, many employees fail to take into account how posted information can be used to attack their employer.
  • Threat Modelling and Enumeration
  • Vulnerability Identification is the process of discovering flaws in systems and applications that an attacker could leverage. These flaws include host and service misconfiguration, outdated or vulnerable software versions, and insecure application design. Although the technique used to look for flaws varies and depends heavily on the particular component being tested, the same key principles apply throughout.
  • Exploitation focuses on establishing access to a system or resource by bypassing security restrictions. If the vulnerability identification phase was performed well, a high value target list will already have been compiled, and this phase should be planned around it to minimise risk to the systems under test and maximise the likelihood of success. The primary aim is to confirm the main entry points into the infrastructure and to reach the high value assets. Each candidate attack vector is weighed by its probability of success and by the impact a successful attack would have on the company.
  • Post-Exploitation determines the value of the compromised machine and the ability to maintain control of it for later use. The value of the machine is determined by the sensitivity of the data stored on it and the machine's usefulness in further compromising the network. This phase identifies and documents sensitive data, configuration settings, communication channels and relationships with other network devices that can be used to gain further access, and sets up one or more methods of accessing the machine again at a later time.
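The vulnerability identification and exploitation phases above are described in the abstract. What follows is an added Python example, not Digital Assurance's tooling or method, that shows the reasoning in miniature: it parses a constructed nmap grepable (-oG) listing, flags open services against a small assumed checklist, weights each finding by an assumed asset-value heuristic, and orders the results by likelihood times impact to produce the kind of high value target list the exploitation phase starts from. The host names, addresses, checklist, scoring weights and scan output are all constructed for illustration; only the nmap -oG field layout and the two named CVEs are real.

```python
"""Added example: turn a constructed nmap -oG listing into a prioritised
high-value target list, as the vulnerability identification and exploitation
phases describe. Scores, checks and hosts are illustrative, not real data.
"""
from dataclasses import dataclass

# Constructed sample of nmap grepable (-oG) output, not a real scan.
# Fields are tab separated; each port entry is
# port/state/proto/owner/service/rpc/version/ (the real -oG layout).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample, not a real scan)
Host: 10.10.1.5 (dc01.corp.example)\tStatus: Up
Host: 10.10.1.5 (dc01.corp.example)\tPorts: 88/open/tcp//kerberos-sec///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.10.1.20 (web01.corp.example)\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//Apache httpd 2.4.49/\tIgnored State: closed (997)
Host: 10.10.1.33 (printer.corp.example)\tPorts: 23/open/tcp//telnet///, 9100/open/tcp//jetdirect///\tIgnored State: filtered (998)
Host: 10.10.1.40 (kiosk.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    name: str
    version: str


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    issue: str
    likelihood: int  # 1..5: how reliably the weakness can be abused
    impact: int      # 1..5: what a foothold on this host is worth

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def parse_gnmap(text: str) -> dict[str, list[Service]]:
    """Map each host address to its open services from -oG output."""
    hosts: dict[str, list[Service]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and bare Status lines carry no ports
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        addr = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, name, _rpc, version = parts[:7]
            if state == "open":
                hosts.setdefault(addr, []).append(Service(int(port), proto, name, version))
    return hosts


def asset_value(services: list[Service]) -> int:
    """Assumed heuristic: infer a host's worth to an attacker from its role."""
    names = {s.name for s in services}
    if "kerberos-sec" in names or "ldap" in names:
        return 5  # domain controller: compromise gives the whole estate
    if names & {"http", "https", "microsoft-ds"}:
        return 3  # application or file server: data and a pivot point
    return 2  # peripheral or single-purpose host


# Assumed vulnerability-identification checklist: (predicate, issue, likelihood).
# A real checklist is far longer and is driven by the engagement's scope.
CHECKS = [
    (lambda s: s.name == "telnet",
     "telnet exposes cleartext credentials", 4),
    (lambda s: s.name == "ftp" and s.version.startswith("vsftpd 2.3.4"),
     "vsftpd 2.3.4: release that shipped with a backdoor (CVE-2011-2523)", 5),
    (lambda s: s.name == "http" and "Apache httpd 2.4.49" in s.version,
     "Apache httpd 2.4.49 path traversal (CVE-2021-41773)", 4),
    (lambda s: s.name == "jetdirect",
     "unauthenticated raw print port (PJL) reachable", 3),
    (lambda s: s.name == "ms-wbt-server",
     "RDP reachable: password spraying / credential reuse target", 2),
    (lambda s: s.name == "microsoft-ds",
     "SMB reachable: enumeration and relay target", 2),
]


def identify_findings(hosts: dict[str, list[Service]]) -> list[Finding]:
    """Run every check over every open service; impact comes from the host."""
    findings = []
    for addr, services in hosts.items():
        impact = asset_value(services)
        for svc in services:
            for matches, issue, likelihood in CHECKS:
                if matches(svc):
                    findings.append(Finding(addr, svc.port, issue, likelihood, impact))
    return findings


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Order by likelihood x impact, highest first: the high value target list."""
    return sorted(findings, key=lambda f: (-f.score, f.host, f.port))


if __name__ == "__main__":
    for f in prioritise(identify_findings(parse_gnmap(SAMPLE_GNMAP))):
        print(f"{f.score:2d}  {f.host}:{f.port:<5} {f.issue}")
```

Run it and the backdoored vsftpd release on the web server ranks first even though the domain controller is the more valuable asset: nothing on the controller is directly exploitable in the sample, so its findings score as reachable but unproven footholds, and the kiosk with only a current SSH build produces no finding at all. The point is that likelihood and impact are scored separately and then combined, not that these particular weights are right; on a real engagement the checklist is a version database plus manual review and the weights are agreed with the client.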