In this chapter, we will learn about penetration testing, security assessments, risk management, and types of penetration testing. We will discuss automated testing, manual testing, penetration testing techniques, and penetration testing phases. This chapter focuses on enumerating devices, denial of service emulation, outsourcing pen testing services, and identifying various penetration testing tools.

19.1 Understand penetration testing (PT)

Exam Focus: Understand penetration testing (PT). Objective includes:

  • Understand penetration testing (PT).
  • Identify security assessments.
  • Examine risk management.
  • Understand various types of penetration testing.

Penetration testing

Penetration testing (also called pen-testing) is the method used to evaluate the security of a computer system or network by simulating an attack from a malicious source, referred to as a black hat hacker or cracker. In penetration testing, an active analysis of the system is performed to find potential vulnerabilities that may arise from the following:

  • Poor or improper system configuration
  • Known and/or unknown hardware or software flaws
  • Operational weaknesses in process or technical countermeasures

This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities. Security issues, together with an assessment of their impact, are presented to the system owner, often with a proposal for mitigation or a technical solution. The goal of a penetration test is to determine the feasibility of an attack and the business impact of a successful exploit, should one be found.

Areas evaluated by penetration tests

Penetration testing involves testing of a computer system, network, or Web application in order to find vulnerabilities that can be exploited by an attacker. Areas evaluated by penetration tests include:

  • Kernel flaws: Kernel flaws refer to the exploitation of flaws in the operating system's kernel code.
  • Buffer overflows: Buffer overflows refer to the exploitation of a software failure to properly check the length of input data. The overflow can cause malicious behavior on the system.
  • Race conditions: A race condition is a situation in which the timing of concurrent operations allows an attacker to gain access to a system as a privileged user.
  • File and directory permissions: In this area, an attacker exploits weak permissions to gain unauthorized access to documents.
  • Trojan horses: These are malicious programs that can exploit an information system by attaching themselves to valid programs and files.
  • Social engineering: In this technique, an attacker uses social skills and persuasion to acquire valuable information that can be used to conduct an attack against a system.

The case for penetration testing

Penetration testing is required due to the following reasons:

  • To identify the threats faced by information assets of an organization
  • To reduce an organization's IT security costs and identify and resolve vulnerabilities and weaknesses, providing a better Return On IT Security Investment (ROSI)
  • To provide an organization with assurance of a thorough and comprehensive assessment of its security, covering policy, procedure, design, and implementation
  • To conform to legal and industry regulations for adopting best practices
  • To test and validate the efficiency of security protections and controls
  • To focus on high-severity vulnerabilities and emphasize application-level security issues
  • To provide a comprehensive approach to the penetration steps needed to prevent upcoming exploitation
  • To evaluate the efficiency of network security devices
  • To change or upgrade existing infrastructure of software, hardware, or network design

Guidelines for conducting a pen-test

A pen-test is a component of a full security audit. An organization should perform a risk assessment before penetration testing; the risk assessment helps identify the main threats.
Here are some general guidelines for good penetration testing:

  • Establish the parameters such as objectives, limitations, and justification of procedures.
  • Appoint skilled and experienced professionals.
  • Select a suitable set of tests that balance cost and benefits.
  • Use a methodology with proper planning and documentation.
  • Document the result carefully and make it comprehensible for the client.
  • State the potential risks and findings clearly in the final report.

ROI on penetration testing

Unless companies have a proper understanding of the benefits of a pen-test, they will not spend on it. Companies use penetration testing to identify, understand, and address vulnerabilities, which saves them a lot of money and produces a return on investment. A business case covering the company's expenditure and the resulting benefit is used to demonstrate the ROI of a pen-test. Demonstrating ROI is considered the critical step in successfully selling the pen-test.

Testing points

To determine the testing point of the test, organizations have to reach a consensus on the extent of information that can be divulged to the testing team. Giving additional information to the penetration testing team may give them an unrealistic advantage. It is also necessary to determine the extent to which a vulnerability should be exploited without disrupting critical services.

Testing locations

The pen test team may perform the test either remotely or on-site. A remote assessment simulates an external hacker attack. An on-site assessment may be expensive and may not simulate an external threat exactly.

Advantages and disadvantages of penetration testing

Advantages of penetration testing:

  • Penetration testing helps in simulating hacker activities.
  • Penetration testing helps in identifying vulnerabilities and quantifying their impacts and likelihood.
  • Penetration testing offers vast information on actual, exploitable security threats.

Disadvantages of penetration testing:

  • Penetration testing is labor intensive.
  • Penetration testing is also expensive.
  • Penetration testing can cause system damage.

Types of penetration testing

  • External testing: In this testing, publicly available information, a network enumeration phase, and the behavior of the security devices are analyzed. External penetration testing is the traditional approach to penetration testing and does not require prior knowledge of the site (black box). This testing is focused on the following:
      • Servers
      • Infrastructure
      • Underlying software comprising the target
  • Internal testing: This testing is performed from a number of network access points. It represents each logical and physical segment.

Examine risk management

Although most organizations go to great lengths to ensure that their data is private and secure, security risks are taken regularly by organizations, and are viewed as a normal cost of doing business. The key is to effectively manage these risks within a tolerable range of performance and avoid the rare but potentially catastrophic headline-grabbing situations that can threaten organizational existence. Security risks must also be managed in an efficient and increasingly integrated manner, reflecting the growing stakeholder and regulatory demands for additional assurance processes.

Risk = Threat x Vulnerability

Risk management is used to identify, assess, and control risks. It includes analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats. NIST, OCTAVE, ISO, and FAIR are four common methodologies for risk management.
Common ways of managing risk:

  • Software packages on all firm computers that are customized to provide real time automated firewall, anti-spam and anti-virus protection
  • Stringent security and data recovery standards for any personal and mobile technology used by lawyers or staff
  • Trained network security staff
  • End-to-end monitoring for critical systems and associated components
  • Constant monitoring of all servers and network equipment with an intrusion detection system, including a vulnerability assessment/scanning appliance and host-based intrusion prevention agents, multiple layers of virus protection and multiple layers of anti-spam protection
  • Physical 24-hour on-site security with continuous monitoring
  • Real-time failover for the organization's redundant connections to the Internet. Data links with clients are unlikely to ever fail and are tested every six months

Internal security assessment

In an internal security assessment, testing is performed from a number of network access points, representing each logical and physical segment. Internal security assessments may include the following:

  • Tiers and DMZs within the environment
  • Corporate network
  • Partner company connections

Internal security assessments may be announced or unannounced:

Announced testing

In announced testing, the full cooperation and knowledge of the IT staff are used to attempt to compromise systems on the client networks. The existing security infrastructure is examined for possible vulnerabilities in announced testing.

Unannounced testing

In unannounced testing, the IT security staff are not informed of the attempt to compromise systems on the client networks; only upper management is aware of the test. In this test, both the security infrastructure and the responsiveness of the IT staff are examined.

19.2 Understand automated testing, manual testing, and penetration testing techniques

Exam Focus: Understand automated testing, manual testing, and penetration testing techniques. Objective includes:

  • Understand automated testing.
  • Understand manual testing.
  • Understand penetration testing techniques.
  • Know the penetration testing phases.

Automated testing

Automated testing uses a program that runs the program being tested, feeding it proper inputs and comparing the actual output against the expected output. Automated testing was primarily designed to automate the execution of tests. It is a complete testing process in which the outcomes are pre-determined and then matched against the actual results. Over the long term, automated testing can save time and cost.

Manual testing

Manual testing is a testing process conducted by human testers. The tester plays the role of an end user and exercises most of the application's features to ensure correct behavior. Manual testing is the most effective method for User Interface Testing, User Acceptance Testing, and Usability Testing. Organizations can benefit from the experience of a security professional in manual testing: professionals assess the security posture of an organization from the perspective of an attacker. A manual approach needs the following to capture the results of the testing process:

  • Planning
  • Test designing
  • Scheduling
  • Diligent documentation

Stages of manual testing

The following are stages of manual testing:

  • Unit Testing: In the Unit Testing stage, the testing is normally carried out by the developer who wrote the code and sometimes by a peer using the white box testing technique.
  • Integration Testing: The Integration Testing stage is carried out in two modes, as a complete package or as an increment to the earlier package.
  • System Testing: In the System testing stage, software is tested from all possible dimensions for all intended purposes and platforms. The black box testing technique is normally used in this stage.
  • User Acceptance Testing: The User Acceptance Testing stage is carried out in order to get customer sign-off of a finished product. This stage provides a 'pass' that ensures that software has been accepted by the customer and software is ready for use.

Security testing

Security testing is a process to determine that an information system protects data and maintains functionality as intended. The six basic security concepts that need to be covered by security testing are: confidentiality, integrity, authentication, authorization, availability and non-repudiation.

Integrity in security testing

Integrity is a measure intended to allow the receiver to determine that the information provided by a system is correct. Integrity schemes often use some of the same underlying technologies as confidentiality schemes, but they usually involve adding additional information to a communication to form the basis of an algorithmic check, rather than encoding all of the communication.
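The integrity check described above, as an added example that is not part of the original chapter: a fixed-size HMAC-SHA256 tag is appended to the message (the "additional information"), the message itself stays readable, and the receiver recomputes and compares the tag in constant time. The key, message and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

TAG_LEN = 32  # SHA-256 digest size in bytes; the tag is the only data added


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: return message || HMAC-SHA256(key, message).

    Nothing is encrypted: the message is transmitted as-is, which is the
    difference between an integrity scheme and a confidentiality scheme."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, wire: bytes) -> Tuple[bool, bytes]:
    """Receiver side: split off the tag, recompute it, compare in constant time.

    Returns (is_authentic, message); the message is handed back only when the
    tag checks out, so a caller cannot accidentally act on tampered data."""
    if len(wire) < TAG_LEN:
        return False, b""
    message, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, b""
    return True, message


def demo() -> Dict[str, bool]:
    """Exercise the check against a genuine message and three kinds of tampering."""
    key = secrets.token_bytes(32)  # shared secret, constructed for the demo
    wire = protect(key, b"transfer 100 to account 4711")
    genuine, _ = verify(key, wire)

    # Flip one bit of the (still readable) message: the tag no longer matches
    tampered = bytearray(wire)
    tampered[9] ^= 0x01
    tampered_msg, _ = verify(key, bytes(tampered))

    # Flip one bit of the tag only
    bad_tag = wire[:-1] + bytes([wire[-1] ^ 0x01])
    tampered_tag, _ = verify(key, bad_tag)

    # A receiver holding a different key cannot validate the message
    wrong_key, _ = verify(secrets.token_bytes(32), wire)

    return {
        "genuine": genuine,
        "tampered_msg": tampered_msg,
        "tampered_tag": tampered_tag,
        "wrong_key": wrong_key,
        "plaintext_visible": b"transfer" in wire,  # integrity, not confidentiality
    }


if __name__ == "__main__":
    print(demo())
```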

Penetration testing techniques

The following are penetration testing techniques:

  • Passive research: It is used to collect all the information regarding an organization's system configurations.
  • Open source monitoring: It allows an organization to take the required steps to maintain confidentiality and integrity.
  • Network mapping and OS fingerprinting: It gives an idea about the configuration of the network that is tested.
  • Spoofing: In spoofing, one machine pretends to be another. Spoofing is used for both internal and external penetration tests.
  • Network sniffing: It involves capturing the data as it travels across a network.
  • Trojan attack: It is a malicious code or program that is usually sent as an email attachment or transferred through instant messaging in chat rooms.
  • Brute force attack: It is a password cracking method. It can overload a system and possibly stop it from responding to legitimate requests.
  • Vulnerability scanning: It comprehensively examines the targeted areas of the network infrastructure of an organization.
  • Scenario analysis: It is the final phase of testing. It makes a risk assessment of vulnerabilities more accurate.

Categories of penetration testing

The different categories of penetration testing are as follows:

  • Open-box: In this category of penetration testing, testers have access to internal system code. This mode is basically suited for Unix or Linux.
  • Closed-box: In this category of penetration testing, testers do not have access to the internal code of closed systems. This method is good for closed systems.
  • Zero-knowledge test: In this category of penetration testing, testers have to acquire information from scratch and they are not supplied with information concerning the IT system.
  • Partial-knowledge test: In this category of penetration testing, testers have the knowledge that may be applicable to a specific type of attack and associated vulnerabilities.
  • Full-knowledge test: In this category of penetration testing, testers have massive knowledge concerning the information system to be evaluated.

Phases of penetration testing

The following are phases of penetration testing:

  1. Pre-attack phase: In this phase, reconnaissance is the first step. Reconnaissance is used to locate, gather, identify, and record information regarding the target. The pre-attack phase is of two types:
      • Passive reconnaissance: In passive reconnaissance, information is gathered regarding a target from publicly accessible sources.
      • Active reconnaissance: In active reconnaissance, information is gathered via social engineering, on-site visits, interviews, and questionnaires.

Information such as competitive intelligence, network registration information, DNS and mail server information, operating system information, user's information, authentication credentials information, analog connections, website information, physical and logical location of the organization, product range and service offerings of the target company that are available online, and any other information that leads to possible exploitation are retrieved in the pre-attack phase.

  2. Attack phase: This phase includes the following steps:
      • Penetrate perimeter: This test simulates the average intruder on the Internet attempting to penetrate the outer security perimeter and gain unauthorized access to an organization's critical assets, such as the router, firewall, and IDS, via the Internet.
      • Acquire target: Acquiring a target refers to a set of activities in which the tester subjects the suspect machine to more intrusive challenges, which may be as follows:
          • Vulnerability scans
          • Security assessment

Testing methods used to acquire the target include the following:

  • Active probing assaults: Results of the network scan are used to collect further information that can result in a compromise.
  • Running vulnerability scans: Vulnerability scans are completed.
  • Trusted systems and trusted process assessment: Legitimate information obtained through social engineering or other means is used to access the machine's resources.
  • Execute, implant, and retract: The tester executes arbitrary code to compromise the acquired system. The system is penetrated to the extent needed to explore the level at which its security fails, using an exploit that is either already available or specially crafted to take advantage of the vulnerabilities identified in the target system.
  • Escalate privileges: After acquiring the target, the tester tries to exploit the system and gain more access to the protected resources. Escalating privileges includes the following:
      • The tester may use poor security policies or unsafe web code to collect information that can result in escalation of privileges.
      • Achieve privileged status by using techniques such as brute force.
      • Use Trojans and protocol analyzers.
      • Gain unauthorized access to the privileged resources by using information gleaned through techniques such as social engineering.

  3. Post-attack phase: This phase is important because the tester has the responsibility to restore the systems to their pre-test states. This phase includes the following:
      • Remove all files uploaded on the system.
      • Clean all registry entries and remove vulnerabilities.
      • Remove all tools and exploits from the tested systems.
      • Restore the network to the pre-test state by removing shares and connections.
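One way to verify the post-attack restoration described above, as an added example that is not part of the original chapter: a hashed snapshot of the file system is taken before the test, the same snapshot is taken after cleanup, and any file that was added, removed or modified is reported. The directory layout, file names and the simulated "uploaded tool" are constructed for the demonstration and stand in for a real host.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def snapshot(root: str) -> Dict[str, str]:
    """Map each file path (relative to root) to its SHA-256 digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                state[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_states(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify paths as added (left behind), removed, or modified since the baseline."""
    return {
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def restored(before: Dict[str, str], after: Dict[str, str]) -> bool:
    """True only when the host matches its pre-test baseline exactly."""
    return not any(diff_states(before, after).values())


def demo() -> dict:
    """Baseline -> simulated test activity -> cleanup -> verification."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "etc", "app.conf")
        os.makedirs(os.path.dirname(conf))
        with open(conf, "w") as fh:
            fh.write("debug=false\n")
        baseline = snapshot(root)                      # taken before the test starts

        tool = os.path.join(root, "tool.bin")          # constructed: a tool uploaded during the test
        with open(tool, "wb") as fh:
            fh.write(b"\x7fELF-placeholder")
        with open(conf, "w") as fh:                    # constructed: a setting changed during the test
            fh.write("debug=true\n")
        during = diff_states(baseline, snapshot(root))

        os.remove(tool)                                # post-attack phase: remove tools and files
        with open(conf, "w") as fh:                    # and restore modified settings
            fh.write("debug=false\n")
        return {"during": during, "clean": restored(baseline, snapshot(root))}


if __name__ == "__main__":
    print(demo())
```

The same baseline/diff approach extends to registry exports, share lists and firewall rules by snapshotting their textual dumps instead of files.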

Testing methods for perimeter security

The following are testing methods for perimeter security:

  • Forge responses with crafted packets to check access control lists.
  • Try connections using protocols such as SSH, FTP, and Telnet to evaluate protocol filtering rules.
  • Use multiple methods such as POST, DELETE, and COPY to examine the perimeter security system's response to web server scans.
  • Evaluate error reporting and error management with ICMP probes.
  • Try persistent TCP connections, evaluate transitory TCP connections, and try to stream UDP connections to measure the threshold for denial of service.
  • Evaluate the IDS's capability by passing malicious content and scanning the target to see how it responds to abnormal traffic.
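The protocol-filtering checks in the list above (SSH, FTP and Telnet connections against the access control lists) can be rehearsed offline before anyone touches the perimeter: the ACL is modelled as an ordered first-match rule list with an implicit deny, and a table of probes with their intended decisions is evaluated against it. This is an added example, not the chapter's own material; the rule format, policies, address ranges and expected decisions are constructed, and the WEAK policy is included to show how the harness exposes an ordering mistake.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # None matches any port (ICMP has none)


@dataclass(frozen=True)
class Probe:
    proto: str
    src: str                 # single source address of the test connection
    dst_port: Optional[int]


def evaluate(rules: List[Rule], probe: Probe) -> str:
    """First matching rule decides; an ACL ends with an implicit deny."""
    src_ip = ipaddress.ip_address(probe.src)
    for r in rules:
        if r.proto not in ("any", probe.proto):
            continue
        if src_ip not in ipaddress.ip_network(r.src):
            continue
        if r.dst_port is not None and r.dst_port != probe.dst_port:
            continue
        return r.action
    return "deny"


# Constructed intended policy: SSH only from the admin network, public HTTPS,
# ICMP allowed so error reporting can be evaluated, everything else denied.
PERIMETER = [
    Rule("permit", "tcp", "10.0.9.0/24", 22),
    Rule("permit", "tcp", "0.0.0.0/0", 443),
    Rule("permit", "icmp", "0.0.0.0/0", None),
    Rule("deny", "any", "0.0.0.0/0", None),
]

# Constructed mistake: a broad permit placed before the Telnet deny, so the deny is dead.
WEAK = [
    Rule("permit", "tcp", "0.0.0.0/0", None),
    Rule("deny", "tcp", "0.0.0.0/0", 23),
    Rule("permit", "icmp", "0.0.0.0/0", None),
]

# The probe set with the decision the assessment expects for each (constructed).
EXPECTED: List[Tuple[Probe, str]] = [
    (Probe("tcp", "203.0.113.5", 22), "deny"),     # SSH from the Internet
    (Probe("tcp", "10.0.9.7", 22), "permit"),      # SSH from the admin network
    (Probe("tcp", "203.0.113.5", 21), "deny"),     # FTP
    (Probe("tcp", "203.0.113.5", 23), "deny"),     # Telnet
    (Probe("tcp", "203.0.113.5", 443), "permit"),  # HTTPS
    (Probe("udp", "203.0.113.5", 53), "deny"),     # DNS to the perimeter itself
    (Probe("icmp", "203.0.113.5", None), "permit"),
]


def check_policy(rules: List[Rule], expected: List[Tuple[Probe, str]]) -> list:
    """Return (probe, intended, actual) for every probe the ACL handles differently than intended."""
    return [(p, want, evaluate(rules, p)) for p, want in expected if evaluate(rules, p) != want]
```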

19.3 Understand enumerating devices

Exam Focus: Understand enumerating devices. Objective includes:

  • Understand enumerating devices.
  • Understand penetration testing roadmap.
  • Understand denial of service emulation.
  • Outsource pen testing services.
  • Identify various penetration testing tools.

Enumerating devices

A device inventory is the collection of network devices, together with relevant information about each device, recorded in a document. The inventory is made after the network has been mapped and the business assets have been identified. A physical check may also be performed to ensure that the enumerated devices have been located.
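The inventory step described above, as an added example that is not part of the original chapter: rows from a network-mapping tool are parsed into device records, joined with the business asset register, and every device the register does not know is queued for the physical check, while register entries not seen on the network are reported as missing. The scan rows, the register contents and the row format are constructed for the demonstration.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Device(NamedTuple):
    ip: str
    mac: str
    hostname: str


# Constructed sample of a mapping tool's output (ARP-style rows); not real data.
SCAN_OUTPUT = """\
192.168.10.1    00:11:22:33:44:55   gateway
192.168.10.10   00:11:22:AA:BB:CC   fileserver
192.168.10.25   de:ad:be:ef:00:01   ?
this line is noise and must be ignored
"""

# Constructed business asset register keyed by MAC address (hypothetical data).
ASSET_REGISTER: Dict[str, dict] = {
    "00:11:22:33:44:55": {"name": "edge-router", "owner": "netops", "location": "rack A1"},
    "00:11:22:aa:bb:cc": {"name": "fs01", "owner": "it", "location": "rack A3"},
    "00:11:22:aa:bb:dd": {"name": "backup01", "owner": "it", "location": "rack A3"},
}

LINE_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\S+)$"
)


def parse_scan(text: str) -> List[Device]:
    """Turn the tool's rows into Device records; rows that do not parse are skipped."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            devices.append(Device(m.group(1), m.group(2).lower(), m.group(3)))
    return devices


def build_inventory(devices: List[Device], register: Dict[str, dict]) -> Tuple[List[dict], List[str]]:
    """Join enumerated devices with the asset register.

    Returns (inventory rows, missing): rows carry what was seen plus the register
    data, with unregistered devices marked 'unknown' for the physical check;
    'missing' lists registered MACs that were not seen on the network."""
    inventory = []
    for d in devices:
        entry = register.get(d.mac)
        inventory.append({
            "ip": d.ip, "mac": d.mac, "hostname": d.hostname,
            "name": entry["name"] if entry else None,
            "owner": entry["owner"] if entry else None,
            "status": "known" if entry else "unknown",
            "physical_check": entry["location"] if entry else "locate and identify",
        })
    seen = {d.mac for d in devices}
    missing = sorted(mac for mac in register if mac not in seen)
    return inventory, missing
```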