In previous articles, we’ve discussed the basics of penetration testing and more advanced automated pen testing. The truth is that modern penetration testing has evolved along several different trajectories, all impacted by the unique demands of data-driven business.
Here, we’ll cover the different, broad categories of penetration testing, and what they are intended to protect your systems from. Following this, you should be able to recognize, regardless of your compliance requirements, what penetration tests you would need to assess your comprehensive security posture.
Network Penetration Testing
Network penetration testing is the simulation of attacks against network resources, including any running applications, web pages, or devices.
At the center of a network pen test is an understanding and probing of network interfaces for ways to gain access to the technology running the network or running on that network. Some vulnerable interfaces include:
- Public-Facing Servers
- Routers and Switches
- Connected Workstations
- Connected Mobile Devices (Smartphones and Tablets)
- Networked Printers
When conducting a network penetration test, the professional performing the test will typically look for common attack vectors, and then drill down into more specific or advanced techniques based on your network configuration. Some of the common attacks simulated will include:
- IPS Evasion, or utilizing different traffic filtering or fragmentation techniques to avoid network Intrusion Prevention Systems (IPSs).
- Firewall Vulnerabilities, or utilizing scans to identify places where a network firewall has been misconfigured, whether there are known vulnerabilities with the specific firewall version, or whether there are other techniques, like port redirection, that could be used to bypass the security measures in place.
- DNS Attacks like zone attacks that use the Domain Name System (DNS) to gain access to, or information about, your system based on its IP address and domain.
- FTP Attacks, where the hacker uses vanilla FTP to attempt to breach open system ports and inject or manipulate network files.
- Man in the Middle Attacks that involve the hacker snooping on data transfers and
Additional tests will also check for problems like ports that remain open for no reason, presenting hackers with a wide-open channel to connect to your network.
Network access and integrity are, most likely, among the most important aspects of your security posture, and as such network penetration testing will be a paramount undertaking, either during audits or under your own auspices.
Client-Side Penetration Testing
Client-Side penetration testing, not to be confused with internal penetration tests, uses simulated scans and attacks to determine the security of your internal software.
While an internal test will probe and attack multiple operations and attack surfaces that don’t face the public, a client-side pen test emphasizes software security across all the combined apps and tools you and your teams use every day. A Client-Side pen test could therefore cover a whole host of applications, including:
- Web Browsers
- FTP, SFTP and SSH Clients
- Adobe Creative Suite
- Microsoft Office and Cloud
- Email Clients
These penetration tests will cover several potential security issues related to these apps. As you can imagine, there are quite a few, and many of them can overlap depending on the components the app uses. Attacks attempted and scouted during a typical pen test include:
- Traditional Malware Infections
- HTML Injection In Web-Based Software
- Cross-Site Scripting Attacks
- Cross-Origin Resource Sharing
This form of pen testing supports your insights into how the software that your employees use opens your organization to potential threats.
Web Application Penetration Testing
Many of our current technologies leverage web apps to provide services and utilities to users. Because cloud computing and technology are so prevalent, and because online, always-on services have proven to be a robust delivery model, many companies are turning to web applications to fill necessary places in their operations.
This means that enterprise leaders are increasingly developing and launching these apps. This also means that the typical security concerns involved with web apps become much more viable, potent and debilitating if not mitigated.
Web application pen testing, therefore, focuses on the unique security challenges that an online web application faces, including:
- Unsecured APIs used by third-party sites for authentication or extended services.
- DNS Attacks, because web applications are customer-facing network resources that can open security issues that overlap with network security vulnerabilities.
- System information disclosure through HTTPS HEAD and OPTIONS requests.
- SQL Injection, when a hacker uses vulnerabilities in any input area to insert unintended SQL calls that will be interpreted by the web application’s back-end server, potentially destabilizing the system or dumping tons of stolen information right into the hacker’s hands.
- Component Vulnerability, as many web applications are built of components and all must be secure. Your organization is only as secure as its weakest link.
Web applications, while they are customer-facing, can also contain sensitive data related to customers’ profiles, identities or use of the application. Attackers that gain access to the back-end of these applications steal this information or plant malware in the backend to infect other accounts, steal other user information or hijack web traffic to and from the system. A tester, therefore, will attempt to break through typical front-end interfaces to propagate their influence throughout the system running that app for potentially thousands of users.
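A defender's view of the HEAD/OPTIONS disclosure item in the list above, as an added example that is not part of the original article: this Python sketch audits the headers a server returns to those requests and reports version banners and enabled methods that deserve review. The sample replies, the banner header list and the set of methods flagged are assumptions chosen for illustration.

```python
import re

# Constructed sample replies to a HEAD and an OPTIONS request (not captured from a real host).
HEAD_REPLY = ("HTTP/1.1 200 OK\r\n"
              "Server: ExampleHTTPd/1.2.3 (Unix)\r\n"
              "X-Powered-By: ExampleLang/7.4.1\r\n"
              "Content-Type: text/html\r\n\r\n")
OPTIONS_REPLY = ("HTTP/1.1 204 No Content\r\n"
                 "Allow: GET, HEAD, POST, OPTIONS, TRACE, PUT\r\n"
                 "Server: ExampleHTTPd\r\n\r\n")

# Assumed audit policy: headers that often carry product banners, and
# methods an operator should be able to justify before leaving enabled.
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
REVIEW_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")  # dotted version such as 1.2.3


def parse_headers(raw):
    """Return (status_line, {lowercased-name: [values]}) from a raw reply head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit(raw):
    """List disclosure findings for one reply as (header, detail) tuples."""
    _, headers = parse_headers(raw)
    findings = []
    for name in sorted(BANNER_HEADERS & headers.keys()):
        for value in headers[name]:
            if VERSION_RE.search(value):  # a bare product name is not flagged
                findings.append((name, "version disclosed: " + value))
    for value in headers.get("allow", []):
        offered = {m.strip().upper() for m in value.split(",")}
        for method in sorted(offered & REVIEW_METHODS):
            findings.append(("allow", "method enabled: " + method))
    return findings


if __name__ == "__main__":
    for label, reply in (("HEAD", HEAD_REPLY), ("OPTIONS", OPTIONS_REPLY)):
        for header, detail in audit(reply):
            print(f"{label}: {header}: {detail}")
```

A reply that names the product without a version and advertises only the methods the application uses produces no findings.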
Social Engineering as Penetration Testing
Perhaps the most under-recognized, and most important, of pen tests are social engineering tests.
When we think of pen tests, we think of top-secret tools and individuals behind laptops attacking systems over network or intranet connections. The truth, however, is that people, not technology, are one of the largest security threats businesses face. On one hand, any organization handling sensitive or lucrative information could be subject to insider threats from whistleblowers or unauthorized agencies committing espionage. On the other hand, external social engineering tactics can poke at the ignorance or unpreparedness of your workforce when it comes to cybersecurity.
Social engineering covers several different types of attacks a pen tester might use to simulate attacks, including:
- Phishing attacks, which use emails or phone calls to trick employees into giving up their access credentials and allowing hackers access.
- Dumpster Diving, where the hacker will look into local deficiencies in information disposal, including destruction and release into dumpsters or other trash cans.
- Public Interaction, which can target any employee that regularly interacts with the public. Here, the tester can see how a friendly employee could potentially release all sorts of sensitive information to unauthorized people.
Essentially, the pen tester becomes James Bond in the sense that they collect information about your organization through coercion and personal interaction. They will steal documents, go through the trash and take receptionists and salespeople out to coffee pretending to be from other organizations, all to get the slightest piece of information to access a system. Therefore, this form of penetration can become highly personal and almost undercover, depending on how you’re presenting this test.