Penetration testing is a process performed on an existing or proposed network, system and/or application to determine whether it meets the organization's overall security targets. This article presents information intended for managers and other decision-makers, so that they understand the importance of penetration testing for their organization. With the increasing number of applications in a company, performing a pen test is becoming crucial. It is a process that requires proper management activities, which are explained below.
Why is Pen Testing needed?
Many companies are evolving faster as a result of the strategic approach they follow. Companies also tend to adopt changes faster than ever and to assign the right person to specific issues in order to increase the value of their services and products. As automated services increase, so does the number of applications used in their operation. Therefore, having an approach that tests all applications, whether still being implemented or already operational, is mandatory if no security breach is to be missed.
Pen testing is also needed to convince management of the importance of securing its systems. This framework uses attack techniques from trusted sources to perform a test and to identify whether the current intrusion detection system is working properly. Once the system is implemented, pen testing can be performed as needed or as planned; sometimes it tests only a specific issue that is considered important enough to warrant it.
What should we take into account when performing a Pen Testing?
Considering that pen testing is an in-depth test of the system, it should be planned and performed when necessary; therefore, the decision to conduct a penetration test should be based on known vulnerabilities or system weaknesses. Before the test is launched, the impacts and consequences it might have on the system should be considered carefully: tests that are managed poorly can cause congestion or crash the system, leaving you with operational delays.
Because of the effects it might have on the system, consent from upper management is needed. Correspondingly, a risk assessment is required to ensure that the risk exposure created by the pen testing activities is under control, including the security controls for reacting to worst-case scenarios during or after the pen test. Safe operations and business continuity should be the highest priority when dealing with pen testing; therefore, proper planning that covers all the detailed activities during the test is crucial.
Critically, the person responsible for performing the pen test should be authorized and competent. Where the penetration test is performed by a third party, an agreement between both parties should be made that states all possible causes/issues and their solutions. The agreement should contain clauses that set out all responsibilities for performing the test and the legal consequences for the person or company in case of any misuse of the information provided. Therefore, it is important to conduct an analysis and rely on verified references when deciding which company or person will perform a pen test on your organization.
Preparing for Pen Testing process
Corporations and other businesses are very concerned with the day-to-day performance of their systems, because their business processes are supported by and dependent on that performance. For that reason, they value their systems and software quite highly on their balance sheets.
With that in mind, the meeting of the parties involved in the pen testing process should include a discussion of the scope and objectives of the test; if there is no clear reason for the test, the company can be left with unclear results. A test is done primarily to identify whether vulnerabilities exist within the organization's network and infrastructure, and the scope is defined to make sure that the relevant parts of the company are included in the test. If part of the organization is left out of the scope, the vulnerabilities in that part will be missed as well.
Another important point to discuss is the timing of the pen test by the contracted parties. It is vital to ensure that no disruption is caused to day-to-day operations; otherwise, a loss of credibility can result.
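The scope and timing agreements described above can be enforced before any testing activity starts. The following is an added example, not code from the article or its authors: it checks each target in a proposed test plan against the agreed address ranges, the client's exclusions and the agreed testing window, and produces a record for the engagement log. All addresses, times and names in it are constructed assumptions.

```python
import ipaddress
from datetime import datetime, time

def in_scope(target, scope, exclusions):
    """True if target lies inside an agreed network and is not explicitly excluded."""
    addr = ipaddress.ip_address(target)
    if any(addr in ipaddress.ip_network(x, strict=False) for x in exclusions):
        return False
    return any(addr in ipaddress.ip_network(x, strict=False) for x in scope)

def in_window(when, window):
    """True if the proposed start time falls inside the agreed testing window."""
    start, end = window
    t = when.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end  # window wraps past midnight

def review_plan(plan, scope, exclusions, window):
    """Return (target, verdict, reason) records: one line per planned target."""
    records = []
    for target, when in plan:
        if not in_scope(target, scope, exclusions):
            records.append((target, "REJECT", "outside agreed scope or explicitly excluded"))
        elif not in_window(when, window):
            records.append((target, "REJECT", "outside agreed testing window"))
        else:
            records.append((target, "APPROVE", "in scope and in window"))
    return records

# Constructed sample agreement and plan (assumed values, not from the article)
SCOPE = ["10.20.0.0/24", "192.0.2.10/32"]
EXCLUSIONS = ["10.20.0.5/32"]        # host the client carved out of the test
WINDOW = (time(22, 0), time(5, 0))   # 22:00 to 05:00, wraps past midnight

PLAN = [
    ("10.20.0.17", datetime(2024, 3, 2, 23, 30)),   # in scope, in window
    ("10.20.0.5", datetime(2024, 3, 2, 23, 45)),    # excluded host
    ("203.0.113.9", datetime(2024, 3, 2, 23, 50)),  # never in scope
    ("192.0.2.10", datetime(2024, 3, 3, 11, 0)),    # in scope, but business hours
]

if __name__ == "__main__":
    for target, verdict, reason in review_plan(PLAN, SCOPE, EXCLUSIONS, WINDOW):
        print(f"{target:<14} {verdict:<8} {reason}")
```

Running it prints one approval and three rejections; the records can be attached to the test documentation so that every planned target has a recorded scope and timing decision.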
Performing the testing process
Pen testing approaches can be categorized into three methods: white box, gray box and black box pen testing. Selecting the proper method depends on how the customer weighs the risk exposure created by the pen testing activities, the goals of the pen test, how deep the test will go, the risk appetite and the criticality of the asset.
When choosing white box pen testing, it is critical to notify the staff that the pen testing process is about to start and to properly inform the related parties before the activities begin. This can be difficult, because it can cause changes in behavior. Yet conducting the process without informing them first may cause inconveniences, due to inappropriate actions taken by employees.
It is very important that any information generated by the testing process remains confidential and is used only for the internal purposes of the company. The activities performed by the testers would otherwise be illegal; they are performed with the approval of the company's responsible personnel and serve as a tool for learning the exact vulnerabilities. The testing person or team must therefore obtain prior permission before carrying out that activity. A typical pen test has the main goal of replicating the approach of a real-world attack and follows seven (7) key steps: reconnaissance, scanning and enumeration, gaining access, elevating privileges, maintaining access, placing backdoors and covering tracks.
The initial step of the pen test is to gather as much information about the target as possible, using either active or passive methods. The information gathered is used in the next step, scanning and enumeration, which mainly deals with finding the vulnerabilities in the target. Once the vulnerabilities have been exposed, access to the target is attempted and the level of privilege obtained is evaluated in order to gain more control over the target. The privileged access gained has to be maintained, because this is the way to interact with the target for further exploitation. The placement of backdoors can be used as one method of retaining access by exploiting the vulnerabilities, but be careful: placing these entities widens the security gap that is exposed. It is important that the scope of the pen test clearly defines this approach and its consequences, including prevention and mitigation. Finally, the last step is to cover tracks in order to reduce the likelihood of the pen testing activities being uncovered (especially in the black box method).
Therefore, the pen testing activities should be documented properly to capture the tests that were performed, the quality review and the final report as the formal result and recommendation (including any effort to close the security gaps).
About the authors
Gezim Zeneli is a Portfolio Marketing Manager for Information Security at PECB. He is in charge of conducting market research while developing and providing information related to Information Security Standards. If you have any questions, please do not hesitate to contact: marketing.sec@pecb.com.
Pedro Wirya began his experience in ICS (Industrial Control System) security assurance with ExxonMobil and went on to deliver consultancy and training services. Pedro has strong passion and experience in the IT and ICS segment, with specific exposure to ICS Security Assurance. It mainly covers Cybersecurity Management Systems, Audit and Assessment, Risk Assessment and Management, ICS security policy, Procedure and Standard development, and he is an ISO/IEC 27001 Management System Certified Auditor. For more information, please contact Mr. Wirya at pedro.l.putuwirya@gmail.com.