Deconstructing The Pen Test
All Pen Tests are Not Created Equal
As a security professional (who in full disclosure is not a penetration tester), I feel strongly that most organizations would benefit from a penetration test. Even if you think your organization is well secured—why not validate that opinion with some independent testing? I think we’d all agree security is important enough to warrant a second opinion.
But what kind of penetration testing do you need and what makes one pen test different from another? There are pen tests with various scopes, sizes, and objectives. Pen tests are definitely not “one size fits all”. To make things more convoluted, if you ask 10 people for their definition of ‘penetration test’ you’re likely to get at least that many answers.
It is crucial to ensure you are speaking the same language when discussing penetration testing. At a very high level, a pen test often includes phases for internal and external testing, wireless network testing, web application testing, and even social engineering. Your organization’s pen test may include several of these phases, but you may not need all of them. Let’s take a closer look at the phases.
Deconstructing the Penetration Test
External Penetration Testing
External penetration testing starts outside the organization and attempts to gain access to the internal network using techniques similar to those hackers use. External testing applies to external devices that are accessible over the Internet, or the public portion(s) of your network. Included in this category are Web, Mail, and DNS servers. While these are the most common services exposed to the Internet, it’s very common to run into other open services (e.g., Remote Desktop, SMB, etc.) that may not need to be accessible for business purposes. Publicly-accessible systems and services are generally classified as higher risk than those inside your company because they are exposed to the Internet. Your pen test should include a recon phase that gathers information that is generally available to the public, which may be used against your organization.
Internal Penetration Testing
Internal penetration testing assumes the premise that an attacker–or disgruntled employee–has compromised your perimeter security. An internal penetration test seeks to answer the questions: What can an attacker do once inside your network? How easily can the attacker move laterally once beyond your perimeter? How accessible is your sensitive information and intellectual property?
Internal penetration testing often uses unauthenticated and/or scenario-based attacks where the penetration tester assumes the role of a common user and then attempts to escalate privileges to identify any interesting data, which may be accessible.
So who needs an internal penetration test? In my opinion, any organizations with sensitive or confidential data. If you are bound by the PCI DSS requirements, you may have to go beyond a standard internal penetration test, in order to conduct “segmentation testing”. That is, testing segmentation controls that limit the scope of PCI-regulated data.
Wireless Network Testing
Wireless network testing attempts to find vulnerabilities that can be used to compromise wireless networks in order to bridge the gap into an organization’s internal network.
Who needs a wireless penetration test? Certainly, organizations that use wireless in a production capacity. If your organization’s wireless is completely separate from your corporate network and uses host isolation you may be able to skip this one, or validate less often (e.g., when changes occur). However, if your organization’s WiFi provides access to the corporate networks, you have close neighbors, or the network is accessible outside the physical perimeter (i.e., walls), you should consider this part of your assessment more frequently.
Web Application Testing
Web applications represent an additional attack vector for an organization. Web application testing goes beyond automated scanning of the available assets and uses the experience and training of the tester to identify dangerous vulnerabilities such as the OWASP Top 10 (e.g., injection flaws and cross site scripting), which can be exploited to gain access to sensitive or confidential data.
So who needs a web application test? If your web application accepts user input or has access to sensitive (e.g., confidential, regulated, restricted) data you should have a web application assessment and, potentially, a web application firewall (WAF). While PCI DSS 3.2.1 requires one or the other, I’d offer organizations do both. If the information you are protecting is important enough, or compromise of the web app would cause significant customer issues and potentially even negative publicity - I’d definitely do both.
Social Engineering
Social engineering is an attempt to exploit the human element in the security chain. Social engineering attempts to convince victims to divulge information that can be used in an attack. Common attacks include phishing, costumes that bypass physical access (e.g., vendor uniforms), phone calls, etc. Social engineering testing attempts to simulate the tactics of malicious actors in order to test the readiness of the organization and its employees.
So who needs social engineering? Phishing tests are advisable for all organizations that have email. Even if your organization already does these internally, you should consider adding them to your penetration test. Fundamentally, phishing done across the entire organization is not meant to test true defensive capabilities (e.g., filtering) but rather to raise awareness through continued exposure. Phishing done as part of a penetration test is often much more tactical and used to further testing goals, which may be harder to detect by users and anti-phishing systems.Phishing exercises have become even more important lately as phishing is a common method used to install ransomware into an environment.
Other Factors to Consider
Penetration tests certainly vary by the phases needed / selected, but the phases also can vary based on the budget you have to work with. Quotes for a pen test may have a wide range, but why? A pen test is a simulation of an attack by a hacker. The number of techniques the pen tester can attempt is limited to the budget (time) he / she has to work with. The hacker has no such limitations. The difference in quote likely reflects the time the penetration tester has to attempt to gain access.
A quality penetration test should also test the organization’s defenses. Penetration tests should identify vulnerabilities but also test the organization’s ability to detect and respond to the simulated attack. After all, how securely we configure and patch our systems is only part of the equation. Pen tests should be leveraged to validate preventative controls while also assessing the capabilities of detective controls and response procedures. Security controls, and resources for that matter, are not cheap. In my opinion – pen tests can, and should, be used to validate our investments.