What is penetration testing?
Agilient offers penetration testing services for:

Internet sites and applications
Agilient conducts active analysis of an application for any weaknesses, technical flaws or vulnerabilities. Leveraging both the OWASP and WASC initiatives, the testing methodology is used to review custom application code and identify coding vulnerabilities.

Wireless Networks
Agilient performs a thorough test of the wireless network, identifying any weaknesses that may be available to unauthorised users and Guests. It is important that both corporate and guest wireless networks have been configured securely to avoid unauthorised access and eavesdropping.

Corporate networks
The corporate network infrastructure penetration test utilises the strengths from both the OWASP and OSSTMM methodologies to ensure the most complete approach to testing. This helps organisations identify critical flaws that may allow unauthorised access to data and systems.
In conducting penetration tests, Agilient generally uses the following methodology:
- Kick-off penetration testing
- Reconnaissance penetration testing
- Vulnerability penetration testing
- Penetration testing
During the penetration attempt, Agilient experts will try to exploit the vulnerabilities and weaknesses identified in the previous step, using tools such as Metasploit. One approach to penetration testing is ‘black box’, which means that our testers don’t have any knowledge about your network except publicly available information. An example of this is a penetration test for a website, where only the website URL or IP-address is known. This would equate to an external attack carried out by a malicious hacker. While the focus of Agilient’s penetration testing efforts is on accessing computer assets, Agilient testers will try to obtain or subvert confidential documents, price lists, databases and other protected information, when this is in scope. Of course, we will strictly protect the confidentiality of any information we obtain; the information will only be used to prove that we did, in fact, breach the security of the network.
- Recommendations
- Final Steps
Frequently Asked Penetration Testing Questions
With the rise of cyber-attacks in Australia, it has become crucial that businesses ensure that they are prepared. Even with the pandemic still ongoing, attacks like phishing and ransomware have skyrocketed in frequency.
At Agilient, we offer penetration testing methods that follow the highest industry standards when it comes to protecting core systems, as well as identifying any vulnerabilities or threats that target adjacent applications and services, to protect your business.
The people who perform penetration testing are called ‘Ethical Hackers’, because they are given permission by an organisation to conduct vulnerability analysis and system exploitation in order to discover vulnerabilities. Ethical behaviour includes:
- Not deliberately causing real damage
- Protecting confidentiality of information accessed
- Cleaning up after the exercise
- Deleting any accounts created
- Removing any files installed
- Backing out any changes made
- Preserving property accessed, whether intellectual or financial
It is preferable that the hacker has no prior knowledge of how the system works, as this allows them to creatively try to compromise the system developed by the organisation. Ethical Hackers tend to be professionals in the field of technology, and have obtained certifications within the field of cybersecurity and specifically pen-testing.
The effectiveness of using Ethical Hackers will vary based on the type of pen-testing the company wants to initiate.
There are several types of penetration tests that can be conducted. These will vary, based on the company’s desired outcome. Below are several types of pen-testing:
- Open-Box Pen-test: The Ethical Hacker is given some information about the target company’s security system.
- Closed-Box Pen-test: The Ethical Hacker has not been given information regarding the target company. This test is also commonly called a ‘Single-Blind Test’.
- Covert Pen-test: The Ethical Hacker conducts a pen-test without anyone in the target company being given the heads-up, especially the IT and security teams. A written test scope is given to the Ethical Hacker in advance, to avoid involvement of law enforcement.
- External Pen-test: Conducted by Ethical Hackers on the target company’s website and network servers. Usually, the hacker would be working from a remote location, as they would not be allowed to enter the company’s premises.
- Internal Pen-test: The Ethical Hacker conducts this test from within the organisation’s internal network. The test illustrates the capabilities of a malicious actor within the organisation’s network. The actor may be a disgruntled employee, unthinking system admin trying to facilitate a request, a hacker bypassing perimeter defenses, or malware unwittingly imported through clicking email attachments, visiting a compromised or fake website or inserting an unknown USB drive.
Conducting a penetration test is essential for companies who are looking to improve their system security and stay current with the latest cybersecurity and physical security standards. However, that is not the only benefit of conducting a penetration test. Additional benefits include:
- Assisting the organisation to manage risk, through proper risk evaluation and incident response planning, which ensures the organisation will be ready to handle these types of threats.
- Business continuity will increase as vulnerabilities in the system are addressed, which lowers the frequency of hackers gaining access to vulnerable systems.
- Protecting clients and partners while increasing their trust, as they will feel that the company is taking the necessary steps to keep their data protected.
- Helping with security investments by flagging which areas of security might need more investment than the rest.
- Protection against financial and reputational damage: pen-testing helps keep the company on track regarding breaches and attacks, which is good for the company’s image, while mitigating the larger financial loss that comes with the aftermath of a data breach or cyber-attack.
- Complying with industry security standards – having a regular pen-test helps the company stay within security standard regulations.
- Testing out cyber defenses – having defensive software/applications is only effective if it works when an attack is happening within the system.
While penetration testing is important and should be utilised as much as possible, there is no one specific method of pen-testing that is considered the best. The preferred pen-testing method will depend on what the company’s objective is, and what outcome they hope to achieve.
The Agilient approach to pen-testing combines industry standards to provide a holistic implementation of the pen-testing methodologies, which are shown in the image below.

Source: EC-Council Blog
The methods that we use assess every possible aspect of the system, to uncover possible threats within the system, whether internal or external.
The internet dot-com boom exploded decades ago, with businesses and social media platforms gaining traction and building websites and applications. This has also attracted threat actors who utilise the internet for attacks and malicious activities.

Source: Aimbotsys.com
The web application pen-testing methodology combines 5 steps that help organisations identify the threats and vulnerabilities within their system. They are:
- Information Gathering: Pen-testers will scan and collect information about the current application being used. This phase can also be called reconnaissance.
- Planning Analysis: The information gathered from the first step will then be used by the pen-tester, who will try to define their approach for gaining access to the application.
- Vulnerability Detection: After deciding the approach, the pen-tester will proceed to scan the application for vulnerabilities in certain areas they will be trying to access.
- Penetration Testing: The pen-tester performs the test and, once they gain access, they will try to escalate their access to see how secure the rest of the application is.
- Reporting: Finally, after performing the pen-test, the pen-tester will combine their findings into a report for management, in order to understand their application’s weaknesses and what needs securing.
One of the popular methods that can be used for web application pen-testing is OWASP. The OWASP (Open Web Application Security Project) is a recognised standard that empowers organisations to control web application vulnerabilities.
Many organisations provide Application Program Interfaces (APIs) to allow their clients and business partners to enter and retrieve data. In an application penetration test, the APIs encountered are primarily REST-based, but also GraphQL and occasionally SOAP. Additionally, there are three business justifications for API pen-testing:
- Public-facing applications built from the ground up as an API or web service.
- Public-facing applications which are not natively an API but offer an API to access some functionality.
- Applications which provide API access to select users (e.g. corporate employees, admins).
Conducting a pen-test for APIs is essential: the test evaluates the workflow of the company’s systems, scopes the endpoints of the API service and tests the authentication procedure, which helps secure business applications.
API Methodology Checklist:

| Step | What it involves |
|---|---|
| Step 1: Determine security requirements. | Should the API use a TLS/SSL certificate, and be accessed over HTTPS? What permission groups exist for different resources in the application? What is the authentication flow? Is an external OAuth provider used? What is the attack surface of the API? Where could a malicious actor subvert the application? |
| Step 2: Set up a testing environment. | Once the scope of the test has been developed, it is time to prepare an application environment for testing. |
| Step 3: Sanity check your API. | Send a few requests to the API to ensure that everything has been set up correctly. |
| Step 4: Define the input domain. | Before developing individual test cases, it is important to understand what each parameter does, and the different combinations of values each parameter is allowed to take. |
| Step 5: Develop and execute the test cases. | Once you have prepared the test environment and understand the possible edge cases, you can create and execute tests, comparing the actual output with the expected output. |
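As an added illustration of Steps 4 and 5 (not Agilient's own tooling), the Python below turns the permission groups from Step 1 into an input domain of (role, method, endpoint) cases with an expected HTTP status for each, runs them all, and reports mismatches as findings. The endpoints, tokens and the in-memory API stub are constructed for the example; in a real engagement `call` would issue requests against the client's staging environment.

```python
from itertools import product

# Step 1 output (constructed): which permission group may use each endpoint.
PERMISSIONS = {
    ("GET", "/api/orders"): {"user", "admin"},
    ("DELETE", "/api/orders/1"): {"admin"},
    ("GET", "/api/users"): {"admin"},
}
# Constructed test credentials for each permission group; anonymous has none.
TOKENS = {"anonymous": None, "user": "tok-user", "admin": "tok-admin"}


def expected_status(role, method, path):
    """Step 4: the expected output for one point of the input domain."""
    if role == "anonymous":
        return 401  # no credentials: must be rejected before any authorisation
    return 200 if role in PERMISSIONS[(method, path)] else 403


def api_under_test(method, path, token, enforce_delete=True):
    """Constructed stand-in for the staging API; returns the HTTP status it would send.
    With enforce_delete=False it models a common defect: the DELETE route
    authenticates the caller but never checks the caller's permission group."""
    role = {v: k for k, v in TOKENS.items() if v}.get(token)
    if role is None:
        return 401
    if method == "DELETE" and not enforce_delete:
        return 200  # missing authorisation check
    return 200 if role in PERMISSIONS.get((method, path), set()) else 403


def run_matrix(call):
    """Step 5: execute every (role, method, path) case, compare actual with
    expected, and return the mismatches as findings."""
    findings = []
    for (method, path), role in product(PERMISSIONS, TOKENS):
        exp = expected_status(role, method, path)
        act = call(method, path, TOKENS[role])
        if act != exp:
            findings.append({"role": role, "method": method, "path": path,
                             "expected": exp, "actual": act})
    return findings


if __name__ == "__main__":
    weak = lambda m, p, t: api_under_test(m, p, t, enforce_delete=False)
    for f in run_matrix(weak):
        print(f"FINDING: {f['role']} {f['method']} {f['path']} "
              f"expected {f['expected']} got {f['actual']}")
    print("hardened API findings:", run_matrix(api_under_test))
```

Against the weak variant the runner reports a single finding (a `user` token deleting an order with status 200 where 403 was expected); against the hardened variant it reports none.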
When conducting a penetration test, one of the variables that should be tested thoroughly is the network of the target company. The network infrastructure is crucial, because it defines how the organisation is communicating and connected, which is why hardening the security of the network is necessary when dealing with threat actors or cyber-attacks. The following are steps that are undertaken when preparing and conducting a network pen-test:

Source: packetpub.com
- Discovery/Intelligence Gathering – Host and service discovery includes initial domain footprinting, live host detection, service enumeration, and operating system and application fingerprinting. The purpose of this step is to collectively map the in-scope environment and prepare for threat identification.
- Threat Modeling – With the information collected from the previous step, security testing transitions to identifying vulnerabilities within systems. This begins with automated scans initially, but quickly develops into deep-dive manual testing techniques. During the threat-modeling step, assets are identified and categorised into threat categories.
- Vulnerability Analysis – The vulnerability analysis phase involves the documentation and analysis of vulnerabilities discovered resulting from the previous network pen-testing steps.
After these three steps are completed, the network pen-tester will commence with exploiting the network of the system, while also documenting the procedure. Finally, a report will be put together that discloses the vulnerabilities and threats, and what controls or detection software is required to solve them.
External penetration testing is a combination of manual and automated testing of a client’s public facing systems, by simulating a malicious internet attacker. Public facing systems include servers that have public IP addresses which can be accessed by users on the internet.
This type of pen-testing examines scenarios of attacks that come from outside the target company, and is vital for building up the security defenses of the organisation against outside attacks. This method examines the following security infrastructure areas:
- identifying firewall misconfigurations
- identifying and exploiting vulnerabilities
- locating and compromising administrative services and interfaces
- other attack techniques

Source: guru99.com
The application of this method is also similar to the network pen-testing method, as it shares the same structure. Commencing with planning, then discovering the threats and vulnerabilities of the system, then the exploitation/attack phase, and finally a report is produced about the findings of the pen-test and what key areas must be focused on.
The simulation of an internal pen-test scenario is done when an attacker is present inside the organisation’s network. It can holistically test vulnerabilities, passwords, network configurations, and internal monitoring controls all at once. An internal pen-test calls for a cybersecurity engineer/ethical hacker to connect to the organisation’s internal network and gain access to sensitive organisational resources via an internal network connection.
The most devastating part of internal attacks from insiders is that the insider already has detailed knowledge of the high-value resources that will be compromised, which is not usually the case with an external attacker.
Source: eccouncil.org
Internal pen-testing comes in 5 phases:
- Planning or Intelligence Gathering
- Identifying Vulnerabilities/Scanning
- Exploitation
- Maintaining Access
- Post-Exploitation Reporting and Configuration
The effectiveness of the internal pen-testing method will depend on how well the company knows their own infrastructure, process and security systems.