Penetration Testing Guide - TBG Security

www.tbgsecurity.com

Posted on 21-Jun-2020

PENETRATION TESTING GUIDE

Table of Contents

What is a penetration test? (p. 3)

What is the difference between “Ethical Hacking” and other types of hackers and testing I’ve heard about? (p. 3)

How does a penetration test differ from an automated vulnerability scan? (p. 3)

What are the goals of a penetration test? (p. 3)

Why should we have a penetration test performed? (p. 3)

What should we expect from the penetration testing process? (p. 4)

Is testing disruptive to our environment? Will our systems go down? (p. 4)

How often should we do a penetration test? (p. 4)

How is the scope defined for a penetration test? (p. 4)

What qualifications should the penetration testing team possess? (p. 5)

What documentation should I expect to receive when the testing is complete? (p. 5)

How do we prepare for a penetration test? (p. 5)

We have our website hosted with a third party. Should we test it? (p. 5)

Should we fix all of the vulnerabilities that are reported? (p. 5)

What are typical costs for a penetration test? (p. 6)

How much time is needed to perform a typical penetration test? (p. 6)

Can we do our own penetration testing? (p. 6)

My customer wants to see the results of our penetration test. Should I share the results with outside parties? (p. 7)

What are the different kinds of penetration tests? (p. 7)


What is a penetration test?

A penetration test is a study of the effect of vulnerability against a target or targets. The targets can consist of systems, networks, applications or people, or any combination of these. During a penetration test, we assume the identity of an attacker and attempt to gain unauthorized access, and through a series of attacks, expand our influence over our target of evaluation. A penetration test measures the effectiveness of security controls while being flexible enough to adapt as obstacles present themselves.

What is the difference between “Ethical Hacking” and other types of hackers and testing I’ve heard about?

The terms Ethical Hacking and Penetration Testing are synonymous. Each refers to a sanctioned assessment of security controls through an active attempt to subvert said controls. Ethical Hackers are skilled in the same disciplines that actual cyber hackers (criminals) are skilled in. By leveraging this unique skill set it is possible to get a “hacker’s eye view” of your environment.

How does a penetration test differ from an automated vulnerability scan?

The main difference between vulnerability scans and penetration tests is that penetration tests are adaptive, contextual and multi-dimensional in approach, whereas vulnerability scans are far less aware and non-adaptive. But what vulnerability scans lack in context, they make up for in comprehensiveness. If vulnerability scan data were available to a penetration test, this information could surely provide valuable intelligence that could then be used in more sophisticated attacks that would not be possible if a vulnerability scan were used alone. Both solutions are necessary for a truly mature approach.

What are the goals of a penetration test?

The goals of a penetration test are not set in stone, but are instead determined on a case-by-case basis. The penetration tester will meet with the client before the onset of an engagement to gauge the client’s goals. At the most rudimentary level the goal is to gain access to some network, system or application, in a manner that is covert and ultimately proves a genuine risk to a loss of confidentiality or integrity of sensitive data. If no specific goals are set we will typically attempt to get in and escalate our influence to that of a Domain Admin (assuming the environment is a Microsoft Active Directory environment).

Why should we have a penetration test performed?

The information security threat landscape is ever evolving, and simple passive methods of protection cannot possibly keep up with new and existing threats. A vulnerability scan is very good at finding known flaws, and anti-virus / anti-malware detection is likewise good at finding known threats, but modern day threat actors are very good at exploiting what is not known. Despite an organization's best efforts to implement security controls, those controls are only as good as the sum of all of their parts, and it's just as easy to mis-configure any one of these parts as it is to properly configure it. The penetration test, in a sense, is looking for that proverbial needle in the haystack. We seek to find the 1 or 2 issues within the larger interconnected web of controls, and see where each successful execution will lead. A successful security program is a combination of controls. Those mis-configurations are out there, and what the professional penetration test will tell you is how well the entire security program, with all of its controls, is situated to detect and detain these threats when they appear.

What should we expect from the penetration testing process?

A penetration test is an uncontrolled process in that the penetration testers typically do not plan to interact very much with the target in a controlled way. Most tasks are subversive and covert in nature, and therefore must remain as uncontrolled as possible. If the penetration test target is an internal network, then a staged system (a dropbox) is typically deployed. This too can be done in a covert manner as part of a physical penetration test, or could be placed on the network ahead of the initiation of the test by the customer. Testing will commence, and once all testing activities are complete, reports will be generated and delivered to the customer. There will typically be a debriefing and a chance for customer comments. Any changes to the draft reports will be made and delivered. Sometimes penetration testers will be asked to validate corrective action measures and sometimes a customer might commission a full retest after a full mitigation plan has been executed.

Is testing disruptive to our environment? Will our systems go down?

Because penetration testing is largely a manual process, the penetration tester has full control of what is done within the target of evaluation. It is generally not very useful to a penetration tester to introduce a denial of service condition since one of the primary goals of a penetration test is to be covert. The penetration test alone is extremely unlikely to cause any service disruptions unless that is something the client decides to include as part of the testing parameters (which is extremely rare).

How often should we do a penetration test?

Network and Application penetration tests are often performed at a minimum once every year. Certain information security standards call for it to be done more often when major changes occur within the network, when application upgrades occur or when infrastructure or architecture changes significantly (see PCI requirement 11.3). Additionally, many of our customers require any newly acquired software be tested before being put into production. This includes cloud based SaaS and PaaS model applications. This is a very important point since much of our sensitive data is moving into “the cloud”. This move might remove some responsibility, but it does not automatically remove the threats to the asset, and might even introduce new threats.

How is the scope defined for a penetration test?

Scope is mutually agreed upon between the client and the penetration tester and can vary significantly in size, anywhere between 1 system to 1 network or a number of networks. The scope will be contingent on the goals the client has set for the penetration test.


What qualifications should the penetration testing team possess?

Penetration testing teams should contain multiple disciplines, but most commonly a strong networking and programming focus is necessary to achieve the desired results. Much of what separates a good penetration test from a mediocre one is mindset. A penetration tester has a unique perspective when presented with a set of facts. Most people see what is meant to be seen, while the penetration tester is capable of seeing what is there, but hidden. Since these soft-skills are hard to quantify it is necessary to interview the penetration tester to gain a feel for the breadth of his/her experience. Check their resume and their references before you buy.

What documentation should I expect to receive when the testing is complete?

At a minimum the penetration tester should deliver an executive summary of findings which includes an overview of what was accomplished and what, if any, major issues were uncovered. This should be followed by a detailed summary report that outlines each issue uncovered, an assessment of risk for each issue with some context explaining how the risk rating was chosen, and with recommended corrective actions clearly outlined. A full walkthrough of the penetration exercise should be included where relevant. Oftentimes additional reports might also be delivered to support the findings in the summary reports. For instance, it is common to run vulnerability scans during a penetration test, and those scan reports might be delivered under separate cover.

How do we prepare for a penetration test?

How much or how little you prepare for a penetration test will again depend on the goals and scope defined for a specific test. We typically recommend that you use the penetration test to validate your incident preparedness, and therefore the less you prepare the better. That said, there are certainly some tests that call for a greater amount of preparation. For instance, if the target is a web application, there will be a need to provision accounts and it probably makes sense to provide a demonstration of the functionality of the application.

We have our website hosted with a third party. Should we test it?

Unequivocally Yes! The fact that the web site is hosted at a third party means that there are potential threats outside of your control. What if an attacker could access the web server management interface? Without question you should test your hosted applications.

Should we fix all of the vulnerabilities that are reported?

All vulnerabilities should be “addressed”. For any identified issue there will be a degree of risk associated with the finding. We attempt to apply as much relevant context as possible to each finding, and certainly high-risk issues should be addressed in an expedient manner. Sometimes there are a large number of findings, particularly when automated vulnerability scans are run as part of the penetration test. Once you receive all of your reports, a mitigation plan should be put in place, and each of the reported vulnerabilities should be addressed as part of the plan. For any vulnerability there are only 5 possible ways to address the issue: (1) apply a vendor patch, (2) reconfigure a piece of software, (3) turn the affected service or server off, (4) apply a mitigating control (such as a firewall) to reduce risk, or (5) simply choose to accept the risk (which in some cases might be a perfectly reasonable option).

What are typical costs for a penetration test?

The cost for penetration testing varies greatly. A number of factors are used to determine pricing including, but not limited to, the scope of the project, the size of the environment, the quantity of systems, and the frequency of testing. It is critical to have a detailed scoping meeting to produce a very clear understanding of the needs, and develop a statement of work prior to engaging any penetration test. Ideally a penetration test should be performed on a fixed-fee basis to eliminate any unexpected costs or unplanned expenditures. The quoted fee should include all labor and required testing tools. Statements of work that only provide estimates of the work effort should not be entertained.

How much time is needed to perform a typical penetration test?

Adequate time should be reserved in advance of testing for planning activities. Additional time should be allocated after testing for report development and subsequent review meetings including remediation discussions. The entire effort varies greatly based on the size and complexity of the penetration test. The larger or more complex the environment is, the more effort is required. The duration of the test, however, is very controllable. The duration of the test should be compressed to ensure a good, representative view of the environment at a given point in time. Generally speaking, two to four weeks is a good estimate for the duration of the entire engagement from planning through delivery.

Can we do our own penetration testing?

Typically, no, but it’s not inconceivable. Many large organizations like major banks and government agencies do their own internal penetration testing (often called Red Team testing or Red Team / Blue Team testing), but these organizations typically have information security budgets in excess of $1,000,000, and even these organizations will often augment their staff with 3rd party tests to gain a fresh perspective from time to time. The decision to insource or outsource the penetration test function typically comes down to whether you have qualified individuals on staff to perform the test. Most professional penetration testers have a burden on them to remain current with modern attack techniques, and this typically will require penetration testing to be a full time job, so to successfully conduct insourced penetration tests it is usually best to have dedicated staff whose only job is offensive security.


My customer wants to see the results of our penetration test. Should I share the results with outside parties?

The penetration test can be a very powerful marketing tool. It shows your sense of due diligence, and can often help ease concerns your customers might have about cyber security. In this day and age there is a heightened awareness of cyber threats in the public. Hardly a day goes by that you don’t read about some high-profile news story that involved some sort of cyber crime. It ultimately is a business decision as to whether you disclose the results of a penetration test, but if you do decide to provide a copy of the penetration test findings, the penetration testing firm should provide an executive summary that’s high-level enough to be presented to interested 3rd parties without disclosing any sensitive information.

What are the different kinds of penetration tests?

There are several different flavors of penetration tests and each addresses different threats.

External Network Penetration Test

External network penetration tests are focused on the exposed network perimeter. This is typically the best defended as it is exposed to everyone on the Internet. A weakness here could expose the internal network to attack. Perimeter networks must be fully protected at all times as they are under constant pressure from adversaries. The goal of the external network penetration test is typically to gain a foothold inside the DMZ or corporate network or to find some method of exfiltrating data via the exposed services available from the Internet.

Internal Network Penetration Test

The internal penetration test is focused on simulating what risk a rogue system would pose to the enterprise. This simulation would typically employ a dropbox (unsanctioned computer with lots of tools on it) but would also be able to simulate the potential exposure to a sophisticated piece of malware or an advanced persistent threat. The goal of the internal penetration test is to find weaknesses at the network or host level that will allow the penetration tester to establish command and control and to ultimately gain full administrative rights over the networks and systems on the network.

Application Penetration Test

Application penetration tests look at the controls of an application (typically a web application) that houses sensitive information. When testing an application the penetration tester will want to assess the way the authentication and authorization is handled. The penetration tester will also be focused on how the application maintains session management and tenant segregation. Logic flaws will be identified and tested along with common web based attack vectors such as injection flaws and buffer overruns. Finally, a review of the web server itself will typically be included with specific emphasis on attacks against any content management software that might be exposed. Testing web applications will typically require 2 or more sets of credentials and careful coordination with application custodians before and sometimes during the test.


Physical Penetration Test

During a physical penetration test the penetration tester will attempt to gain unauthorized access to an office space with the goal of testing physical controls such as doors, windows, security personnel and physical network connections. The ultimate goal of a physical test is to install some device that can then be accessed externally and be used to initiate network and system attacks against the internal network; basically, the goal is to place the dropbox that can then be used to conduct the internal network penetration test.

Social Engineering Test

A Social Engineering test is an attempt to attack the weakest link in the information security program: the user. During a social engineering test several methods could be deployed to either gain the trust of a user, or to simply trick them into doing something they should never do. The social engineering test is really a test of the corporate security awareness initiative. Some vectors of attack include: phishing emails, spear phishing emails, email spoofing, phone calls, and USB drops. The goal of a social engineering campaign is typically to trick one or more users into relinquishing their credentials or to get them to click and install malware. NOTE: malware is typically not installed, and instead click-through rates are monitored.

OUR TEAM OF ETHICAL HACKERS WILL SHOW YOU WHERE YOUR VULNERABILITIES ARE, WHETHER IT’S AT THE NETWORK OR APPLICATION LAYER. OUR TEAM HAS YEARS OF EXPERIENCE SUCCESSFULLY HACKING THE MOST COMPLEX SYSTEMS AND NETWORKS.