Penetration Testing is more important than ever
New vulnerabilities are discovered at an astonishing rate. Attackers analyze the weaknesses to determine if the exploit code can be developed. Once the exploit code has been established, the launch pad is ready to attack susceptible targets. Organizations that do not continually scan for and repair or remediate vulnerabilities face a growing risk of being the next compromised victim.
Today’s cyber attackers are more advanced than at any time in modern history. With the growth of world-wide hacking groups and state-sponsored attacks, no industry sector is immune from attack. It is more important than ever to remain vigilant and to ensure vulnerability management and penetration testing resources are included in your overall risk management plans and execution.
Why should my business get a penetration test?
Most environments are designed, built, and maintained by employees that have little to no professional experience in security. A penetration test is performed by a security expert trained to identify and document issues that are present in an environment. The resulting report can allow you to remediate the problems before a real attacker has exploited them.
The PCI DSS also requires that businesses test security controls annually and perform segmentation checks every six months. Subsequent assessments on these controls should also be done after any significant change has been made.
Penetration testing usually involves five phases:
- Planning and data gathering—Define the goals of penetration testing. Which systems will be included? What testing methods will be used? Gather data on the attack target, which may consist of the network or domain name, for example.
- Scanning—Tools are used to gather more data and information on the target. Examples include a vulnerability scanner and DAST tools, which are discussed in more detail in the next section.
- Gaining access—Web application attacks such as Cross-Site Scripting or SQL Injection are launched to expose vulnerabilities. Pen testers try to present these vulnerabilities by stealing data or increasing permissions. The goal is to understand how much damage can be done.
- Maintaining access—Determine if the exposed vulnerability can be used to achieve a persistent presence in the application. In other words, can the attacker get deep within the web app, accessing sensitive data and causing more harm?
- Covering tracks—The attacker takes care to remain undetected. Changes made to the system must be returned to a state that will not raise a red flag.
How are penetration tests performed?
Three steps can define a penetration test:
Unlike a real attacker, penetration testers have a set number of hours used to test a given environment. Because of this, you, as the customer, must make a decision – where do you want the majority of the analyst’s time spent: Research or Testing/Exploitation? (The time spent on documentation is static regardless of testing circumstances.) You have the most control over the accuracy and amount of information the analyst is given before the assessment, both of which will dramatically affect the time needed for research.
Penetration testing methods
- External testing – External penetration tests target the assets of a company that are visible on the internet, e.g., the web application itself, the company website, and email and domain name servers (DNS). The goal is to gain access and extract valuable data.
- Internal testing – In an internal test, a tester with access to an application behind its firewall simulates an attack by a malicious insider. This test isn’t necessarily mimicking a rogue employee. A standard starting scenario can be an employee whose credentials were stolen due to a phishing attack.
- Blind testing – In a blind test, a tester is only given the name of the enterprise that’s being targeted. This test gives security personnel a real-time look into how an actual application assault would take place.
- Double-blind testing – In a double-blind test, security personnel has no prior knowledge of the simulated attack. As in the real world, they won’t have any time to shore up their defenses before an attempted breach.
- Targeted testing – In this scenario, both the tester and security personnel work together and keep each other apprised of their movements. This test is a valuable training exercise that provides a security team with real-time feedback from a hacker’s point of view.
Penetration testing and web application firewalls
Penetration testing and web application firewall (WAF) are exclusive, yet mutually beneficial security measures.
For many kinds of penetration testing (except for blind and double-blind tests), the tester is likely to use WAF data, such as logs, to locate and exploit an application’s weak spots.
In turn, WAF administrators can benefit from penetration testing data. After a test is completed, WAF configurations can be updated to secure against the weak spots discovered in the analysis.
Finally, penetration testing satisfies some of the compliance requirements for security auditing procedures, including PCI DSS and SOC 2.
The number one threat to infrastructures today is known vulnerabilities and leveraging the power of Lazarus Alliance Cybervisors today, your organization will stop looking like low-lying fruit to cybercriminals.
The Cyber Security experts at Lazarus Alliance are completely committed to you and your business’ success. Regardless of whether you represent the private sector or the public sector, we stand ready to partner with your organizations.
Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.