Penetration testing involves attacks against IT systems or services with the goal of determining the actual impact of vulnerabilities when exploited.
G&R Cybersecurity can extend vulnerability assessments to include penetration testing and supports both black box and white box approaches. G&R follows clear operating procedures when performing penetration testing to ensure that the quality of the results meets the highest standards. The results include full documentation of every vulnerability discovered, the method used to exploit it, and detailed guidance on mitigation.
Focus: Linux Servers, Windows Servers, Web Applications, Mobile Applications, Active Directory environments
Who performs Penetration testing?
It’s best to have a pentest performed by someone with little to no prior knowledge of how the network is secured, because an outsider can expose blind spots missed by the people who built and operate the system. For this reason, outside companies are usually brought in to perform the tests. The people performing them are referred to as cyber-security experts or ethical hackers, since they are hired to break into a system with the owner’s written permission and for the purpose of improving its security.
Many ethical hackers are experienced developers with advanced degrees and a certification for pen testing. On the other hand, some of the best ethical hackers are self-taught. In fact, some are reformed criminal hackers who now use their expertise to help fix security flaws rather than exploit them.
Different types of Penetration testing?
- External pentest - In an external test, our ethical hackers go up against your company’s internet-facing technology, such as your website, mail servers and other externally reachable network services. In some cases, the tester is not allowed to enter the company’s building at all, which means conducting the attack from a remote location such as a hotel room, or from a van parked nearby.
- Internal pentest - In an internal test, our ethical hackers perform the attacks from your company’s internal network. This kind of test is useful for determining how much damage a disgruntled employee can cause from behind the company’s firewall, or how far an outside attacker who has already gained a foothold on the internal network (for example through a phished workstation) could go.
- Black Box Testing - Also known as a “closed-box pentest”, this is a test in which the tester is given no background information beyond the name and address of the target company and an objective, so the engagement starts from the same position as a real external attacker.
- White Box Testing - Also known as an “open-box pentest”, this is a test in which our cybersecurity experts are provided with information about the target’s security infrastructure ahead of time, such as network diagrams, configuration details or application documentation. This trades realism for coverage: the tester spends less time on discovery and more on finding flaws.
Pentest Methodology
Penetration testing can be broken down into the following 7 steps:
- Pre-engagement
- Information Gathering
- Threat modelling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
Pre-engagement
During this first stage of the engagement, we will establish a common understanding and agreement with the client about the objectives of the engagement. This will include, among other things, the scope of the pentest, time and budget estimations, communication channels and the rules of engagement. It is also at this point that we will gather all the tools, operating systems and software we will need to run the pentest. The tools we choose will depend on the type and depth of engagement that the client has chosen.
Information Gathering
Information gathering, which includes open-source intelligence (OSINT), is the first stage of the actual engagement in the pentesting methodology. It is here that we carry out reconnaissance against the target in order to produce an effective plan of attack. We gather any relevant information about your organization or its staff that could help us gain access to the systems in scope. We combine automated and manual analysis to build a picture of the business, including physical locations, business relationships, organization charts, public-facing services and domain names.
Threat modelling
During the threat modelling stage of our penetration testing methodology, we use the information gathered in the previous stage to formulate candidate attack vectors. By analysing that information, we identify which assets in the organization are worth targeting and select them for vulnerability assessment. While assessing possible vulnerabilities, we are always scouting for security loopholes in systems, designs and policies. Effective threat modelling lets us simulate a more realistic attack on the target rather than scanning everything indiscriminately.
Vulnerability Analysis
Vulnerability analysis is where we analyse the results of the vulnerability assessment run in the previous stage. We begin by collecting the vulnerabilities reported by the assessment tools, then rank them by threat level to decide which ones deserve attention. This keeps us from wasting time on findings that have little impact on the target network. Using manual methods we weed out false positives, confirm that the remaining findings are real, and build an attack tree that links them to the assets they expose. It is from these vulnerabilities that we proceed to prove whether they are actually exploitable by carrying out a real attack in the next stage.
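The triage described above, as an added example that is not G&R’s own tooling: it reads a constructed scanner export (hosts, services and scores are illustrative, as is the in-scope prefix list that would normally come from the pre-engagement agreement), drops out-of-scope hosts and findings that manual validation marked as false positives, ranks the rest by exploit availability and CVSS score, and groups the survivors by host as a first cut at an attack tree.

```python
"""Triage of vulnerability-assessment output into an exploitation shortlist.

Added example, not G&R's tooling. It assumes scanner findings exported as a
JSON list of records with the fields shown in SAMPLE_FINDINGS (constructed).
"""
import json
from dataclasses import dataclass

# Constructed scanner export; hosts, services, titles and scores are illustrative.
SAMPLE_FINDINGS = """
[
 {"host": "10.0.10.5",   "port": 445,  "service": "smb",    "title": "SMBv1 enabled",
  "cvss": 8.1, "exploit_public": true,  "validated": true},
 {"host": "10.0.10.5",   "port": 3389, "service": "rdp",    "title": "NLA disabled",
  "cvss": 5.3, "exploit_public": false, "validated": true},
 {"host": "10.0.10.12",  "port": 80,   "service": "http",   "title": "Outdated CMS",
  "cvss": 9.8, "exploit_public": true,  "validated": false},
 {"host": "10.0.10.12",  "port": 1433, "service": "mssql",  "title": "Blank sa password",
  "cvss": 9.8, "exploit_public": true,  "validated": true},
 {"host": "10.0.10.12",  "port": 22,   "service": "ssh",    "title": "Weak ciphers",
  "cvss": 3.7, "exploit_public": false, "validated": true},
 {"host": "10.0.20.7",   "port": 443,  "service": "https",  "title": "Outdated Apache",
  "cvss": 7.5, "exploit_public": false, "validated": true},
 {"host": "10.0.20.7",   "port": 443,  "service": "https",  "title": "TLS 1.0 enabled",
  "cvss": 4.3, "exploit_public": false, "validated": true},
 {"host": "192.168.1.1", "port": 23,   "service": "telnet", "title": "Telnet open",
  "cvss": 7.5, "exploit_public": true,  "validated": true}
]
"""

# Assumed scope agreed during pre-engagement: only these network prefixes may be attacked.
IN_SCOPE_PREFIXES = ("10.0.10.", "10.0.20.")


@dataclass
class Finding:
    host: str
    port: int
    service: str
    title: str
    cvss: float
    exploit_public: bool   # a public exploit exists for the issue
    validated: bool        # False means manual review showed a false positive


def load_findings(raw: str) -> list:
    """Parse the scanner's JSON export into Finding records."""
    return [Finding(**record) for record in json.loads(raw)]


def in_scope(host: str) -> bool:
    """Scope check: never carry an out-of-scope host into the exploitation stage."""
    return any(host.startswith(prefix) for prefix in IN_SCOPE_PREFIXES)


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def triage(findings: list, min_cvss: float = 7.0) -> list:
    """Keep in-scope, validated findings scoring at least min_cvss, ranked so that
    issues with a public exploit come first and, within that, higher CVSS first."""
    kept = [f for f in findings if in_scope(f.host) and f.validated and f.cvss >= min_cvss]
    return sorted(kept, key=lambda f: (not f.exploit_public, -f.cvss))


def attack_tree(findings: list) -> dict:
    """Group the shortlist by host: each host becomes a node with its entry points."""
    tree = {}
    for f in findings:
        tree.setdefault(f.host, []).append(
            f"{f.service}/{f.port}: {f.title} ({severity(f.cvss)})"
        )
    return tree


if __name__ == "__main__":
    shortlist = triage(load_findings(SAMPLE_FINDINGS))
    for host, entries in attack_tree(shortlist).items():
        print(host)
        for entry in entries:
            print("  ", entry)
```

The ordering key puts exploit availability ahead of raw score because a validated 8.1 with a working public exploit is a better use of engagement time than a 9.8 that still needs an exploit written; the 9.8 "Outdated CMS" finding in the sample is dropped entirely because manual validation marked it a false positive, which is exactly the filtering this stage exists for.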
Exploitation
After we have created a list of high-risk vulnerabilities, we launch real attacks against them to confirm whether they are exploitable. We use a mix of automated frameworks and tools, some developed in-house and some open source, to exploit systems and bypass their security controls. Our main goal is to establish access to the target system or resource, bypassing whatever security mechanisms stand in the way, in order to demonstrate access to the assets that were agreed upon in the pre-engagement stage and nothing beyond them.
Post Exploitation
After exploiting the vulnerabilities we found and identifying the assets at risk, we analyse the results. At this point we determine the value of each compromised machine and the likelihood that it can be used to compromise the network further. We assess its value based on the sensitivity of the data stored on it and on how this breach would impact your organization or business. We identify and document sensitive data, configuration settings, stored credentials, communication channels and trust relationships with other devices that could be used to gain further access to the network, and we record every change made so that it can be reverted at the end of the engagement.
Reporting
Reporting is the final stage of our penetration testing methodology. At this stage we focus on presenting the findings in a way the client can act on. The report details the security flaws that would enable a threat actor to compromise the system, together with remediation options for each. The executive section focuses on business impact while outlining the overall security posture, risk profile and recommended best practices for your organization. We also document the detailed technical aspects of the pentest, including the scope, attack methods, evidence and impact, in a form that can be handed directly to your IT team.