Penetration testing became de-facto standardized service that companies either use or plan to use as integral component of security operations. However, many companies still struggle with the same challenges. What shall we test? How to adequately scope the penetration testing project? How to utilize penetration testing in order to measurably improve security in long run? How to set reasonable budget? Is it really going to improve our security posture or is it going to be just another checkbox ticked?
Our company has been active in penetration testing and security auditing since 2015 and we would like to answer some of those fundamental questions in this article. We will especially focus on the following:
- Penetration test objectives
- Setting the right scope / budget
- Finding the right resources
- Optimal timing for penetration test
- Outcome of the penetration test
We hope this information provides you with requisite confidence to successfully embed penetration testing into your operations. If after reading this article you still have questions how to properly carry out penetration test in your specific case, please feel free to reach out to us via our contact details and one of our consultants would be happy to discuss it with you.
Penetration test objectives
There are several types of penetration tests that a company might need, depending on what you are trying to achieve. For that reason there are several objectives that have to be analyzed and discussed in order to find the right one for you:
- Infrastructure penetration test – Are you ICT manager responsible for company infrastructure? Then you shall be interested in conducting penetration test examining whether your entire ICT infrastructure is resilient against malicious actors. Depending on assets you manage, you might be interested in an internal, external infrastructure penetration tests or combination of both.
- External penetration test tests resilience of your publicly exposed infrastructure (web, mail, VPN server etc) against omnipresent malicious actors on the Internet. Ultimate goal of the test is to evaluate whether it is possible to gain unauthorized access from the Internet into your internal network.
- Internal penetration test tests resilience of assets which are only hosted internally (ERP system, internal file servers, versioning servers etc). Objective of such test is to see whether unprivileged local user would be able to access or modify systems which shall not be accessible to him, i.e. disgruntled employee or external contractor gaining access to your accounting, intellectual property etc.
- Combination of both. Our usual customers typically have both external as well as internal infrastructure. In that case, it is advisable to do both starting with external penetration test following internal one. Using this approach allows to first verify if external attacker can get foothold in the company via your public IPs, which is then followed by internal test verifying how far such attacker would get internally. If there is strict budget limitation, either of them shall be selected based on your risk profile or testing shall be distributed across multiple budgeting periods.
- Product penetration test – Are you product manager or development lead? In this case you would be rather interested in how would your product withstand malicious attacks. No matter if you are responsible for web application, desktop application or hardware appliance – product penetration test done early in the development life cycle will assist your development team in building inherently more robust and secure system.
- Web application / API test. Your web application is assessed against complete OWASP Top 10 (API against OWASP API Security Top 10). De-facto, industry best practice web application security standard.
- Desktop / mobile application test. Penetration test evaluating your application against the most common application security issues – depending on the platform (Windows/UNIX/mobile). It demonstrates how such issues can be misused and also avoided in the future.
- Hardware appliance test. Are you developing your own hardware together with software? We have extensive experiences testing Linux, Android and custom-based automotive ECUs, aerospace units as well as custom military ICT equipment. Situation with custom appliances is very specific case which in itself would allow for several stand-alone article. If you are considering such test please reach out to us. We will assess your situation on case-by-case basis and provide necessary advise.
Automated vulnerability scan vs manual penetration test
Nowadays, there are many great automated vulnerability scanning solutions on the market. Those include among others Tenable, Rapid7, Qualys. Both automated vulnerability scanners and manual penetration tests are there to uncover vulnerabilities. Both have, however, very different use-cases. Automated vulnerability scans are great to periodically uncover the most obvious security issues on large ever-changing infrastructures (default credentials, missing OS security patch). Automated vulnerability scanners are great for instance to periodically scan whole enterprise ICT infrastructure for such fundamental security errors.
On the other hand, manual penetration test is there to uncover specific high profile vulnerabilities in limited set of systems (vulnerability in custom build application, guessable admin password based on user behavior observed elsewhere). Manual penetration test is therefore great fit for custom build applications, products or heavily customized infrastructures where automated scanning would fail to achieve expected results.
It is always important to understand which of those bring you greater security value and if the decision is made for manual penetration test, you must ensure that given penetration tester has sufficient qualification to indeed conduct manual penetration test. After all, what are you paying for during penetration test is the human expertise to find vulnerabilities which would be missed by automated vulnerability scanner. You do not want to end up paying for someone to run vulnerability scanner on your behalf. See section “Finding the right resources” for more information how to select right person to do the penetration testing job.
Setting the right scope / budget
Setting the right scope for penetration test is not as easy as it might seem. It shall take into consideration risk profile of your company / product as well as your budget limitations and security expectations. In order to take the most out of the penetration test, there must be clear and specific scope prior commencing. Following are just a few questions which must be answered:
- (infrastructure) Which assets shall be tested?
- (product) Which product interfaces / components shall be tested?
- Are they publicly facing or only for internal use?
- What would be the impact if such system gets hacked?
- How much can they be affected by downtime?
- How many users or employees rely on the normal and daily use of this system?
We understand that each customer has a specific needs. Penetration test shall always start with kick off meeting to clearly define the scope of the future testing. We always advise on how to make the testing most appropriate to you as end customer from both budget and risk profile perspective.
Penetration tests are scoped by amount of man-days which are utilized for the test. Just to give you some high level idea the following are the average scopes some of the typical scenarios:
- External penetration test of single publicly facing IP – 1 MD
- Custom medium-sized web application – 5MDs
- Internal penetration test of 200 assets – 7 MDs
- Complex desktop application connected to backend API – 10 MDs
- Automotive head unit – 40 MDs
Finding the right resources
As everywhere, quality (penetration tester skills and experiences) is much more important than quantity (amount of man-days invested). Finding the right tester / company for the job is not always a straightforward job. There are many companies that sell “penetration tests” and at the end deliver only ready made reports exported from automated vulnerability scanning tools. On the other hand, there are specialized companies that dig deeper and are more focused on security research. To overcome this you can search for the right indicators when choosing the company that will perform the penetration test.
Look for certifications. Although certifications are not everything, they prove that their holder must have gone through exam which verifies certain baseline proficiency on the topic. Offensive Security for instance provides great certifications testing hands-on penetration testing skills. Their most popular certification – Offensive Security Certified Professional (OSCP) – verifies candidate skills in 24-hour long real-world penetration testing exam. Experienced penetration tester of your choice shall have proven technical background with at least certifications equivalent to OSCP.
Consider past projects of the company. There are many successful and good companies that provide cyber security services but not all might be suitable for you. We recommend to check their portfolio and verify whether they have experience with similar sized projects from the past.
Consider company security research. Security is about uncovering the unknown and unexpected. Good security company shall be conducting its own security research, finding its own vulnerabilities and developing its own tooling. We have proven track record for both – finding our own 0day vulnerabilities (flaws in software that are unknown to creator / vendor themselves) as well as developing our own open source projects which we use during our penetration testing projects.
Optimal timing for penetration test
So at this point you know the objective, scope and you have right person / company to kick it off so why not to start immediately? It is important to note that penetration test is simulated attack against your systems and as a such can cause unexpected business disruption. It is therefore crucial to plan it well. Here are just some of the consideration:
- Can the penetration test be done on staging instead of production environment?
- In an unlikely event that any system crashes, will there be anyone on call to restore its functionality without undue delay?
- Shall any critical systems be tested out-of-business hours?
- Shall any critical system be tested in less aggressive way (i.e. not running memory corrupting exploits)?
- Shall we do the test on finalized product or early in development life cycle?
Answering such questions and planning the test accordingly is highly appropriate during kickoff workshop prior penetration test commences.
Outcome of the penetration test
The outcome of the penetration test should always be a detailed penetration testing report divided in several sections. First of all, an executive summary discussing all the identified findings together with severity in manner which is understandable to the technical as well as management teams. Secondly, there shall be detailed explanation of all the issues found in the technical detail which would be sufficient for engineering team to replicate those issues. Finally, there should be section describing optimal mitigation strategy for all identified issues together with next steps. Next steps might include re-testing once fixes are applied to confirm that fixes are effective.
Apart from the report we always recommend to also arrange a closing presentation (workshop) to present all identified issues, demonstrate how they can be misused by potential attacker and have a discussion with stakeholders how to fix those issues. It is always good to involve various stakeholders in such presentation – both managerial and technical – to join the presentation and ask their questions.
Finally, optional training can be arranged for the developers / ICT admins as an advanced benefit of the penetration testing project. Goal of the training is to provide necessary guidance and best practices which if followed would allow to prevent similar security issues from re-occurring in the future. In the end we all need to learn from the past security mistakes in order not to repeat them in the future.
Penetration testing is a process of securing your assets which became more or less a must have in the digital age. We hope this article would help you establish or improve penetration testing inside your organization. If you have any further questions or comments please feel free to reach out to us.