How Does Penetration Testing Work?
Penetration testing is one of the more popular services offered when it comes to cybersecurity prevention. This post reviews what you can expect with an external penetration test.
What is a Penetration Test?
Penetration testing is the process of evaluating the critical weaknesses and implementation of security controls for information systems, networks, and applications by simulating real-world attacks. Regular penetration testing is intended to identify weaknesses in security measures and is one component of a comprehensive cyber security program.
What are the Objectives of a Penetration Test?
The objectives of the penetration testing initiative are as follows:
- Reduce organizational risk: Penetration testing will identify vulnerabilities and exploits in the customer’s information technology assets. Testing analyzes operating systems, applications, and services for means that a malicious attacker may use to gain access to your critical systems and data.
- Test your security effectiveness: PIRC cyber security analysts will work with your team to evaluate the effectiveness of your defensive controls.
- Prioritize remediation actions based on real-world attack potential.
Penetration Testing for Regulatory Compliance:
Our penetration testing services are congruent with the following regulations:
- HIPAA §164.308(a)(1)(ii)(A)
- PCI Requirement 11.3.1 & 11.3.2
- DFARS / NIST SP 800-171 Requirement 3.12.1
- Gramm-Leach-Bliley Act §501(b)
- New York State Department of Financial Services 23 NYCRR Part 500 §500.05(a)(1)
- Federal Trade Commission 16 CFR Part 314 §314.4
Our Penetration Testing Methodology
Based on the globally recognized NIST SP 800-115 standard for information security testing, our penetration testing services will identify weaknesses, vulnerabilities, and exploits in information systems, networks, and applications. Our penetration testing services are conducted in five (5) phases, as follows.
Rules of Engagement
Your engagement will start with a project kick-off meeting. During this meeting, a PIRC security analyst will review and establish the rules of engagement for the testing. These rules outline parameters for the analysts performing the test.
- Define which systems are in scope. At a minimum this includes the in-scope Internet Protocol (IP) addresses and ranges.
- Identify whether any in-scope systems require additional notification to third-party hosting providers such as Amazon or Azure.
- Identify the organization’s primary domain name(s). Testers use this information to hunt the public internet for information that an attacker could use against your organization.
- Identify any detective or preventative controls to be evaluated during testing such as IDS/IPS or web application firewalls.
- Identify critical assets and targets that matter most to your business.
- Identify points of contact including names and phone numbers from both the tested and testing organization.
- Define any approved and prohibited actions such as brute-force login or denial-of-service attempts.
- Define scheduling and logistics, such as concerns around sensitive devices or applications.
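As an added illustration (not PIRC's own tooling), here is a small Python gate that encodes the decisions made at the kick-off meeting, with constructed in-scope ranges, a carve-out, prohibited actions, a testing window, and placeholder contacts, and refuses any planned action that falls outside them:

```python
"""Rules-of-engagement gate: every planned test action is checked against the
signed-off ROE before it runs. All ranges, windows and contacts are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    in_scope: list                                   # networks the customer authorized
    excluded: list = field(default_factory=list)     # sensitive carve-outs inside those ranges
    prohibited: set = field(default_factory=set)     # e.g. brute-force login, denial-of-service
    window: tuple = (time(0, 0), time(23, 59))       # agreed daily testing hours
    contacts: dict = field(default_factory=dict)     # escalation points of contact

    def check(self, target: str, action: str, hhmm: str) -> tuple:
        """Return (allowed, reason). Refuse unless every ROE condition holds."""
        ip = ip_address(target)
        if not any(ip in net for net in self.in_scope):
            return False, f"{target} is not in any in-scope range"
        if any(ip in net for net in self.excluded):
            return False, f"{target} is explicitly excluded by the ROE"
        if action in self.prohibited:
            return False, f"action '{action}' is prohibited by the ROE"
        when = datetime.strptime(hhmm, "%H:%M").time()
        if not (self.window[0] <= when <= self.window[1]):
            return False, f"{hhmm} is outside the agreed testing window"
        return True, "permitted"


# Constructed ROE from a hypothetical kick-off meeting (documentation ranges only).
ROE = RulesOfEngagement(
    in_scope=[ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")],
    excluded=[ip_network("203.0.113.250/32")],        # sensitive device agreed off-limits
    prohibited={"denial-of-service", "brute-force-login"},
    window=(time(18, 0), time(23, 0)),                # after-hours testing only
    contacts={"customer": "<customer on-call, placeholder>",
              "tester": "<testing lead, placeholder>"},
)


def plan_allowed(target: str, action: str, hhmm: str) -> bool:
    """Convenience wrapper used by a test runner before launching any action."""
    return ROE.check(target, action, hhmm)[0]


if __name__ == "__main__":
    for t, a, w in [("203.0.113.10", "port-scan", "19:00"),
                    ("203.0.113.250", "port-scan", "19:00"),
                    ("203.0.113.10", "denial-of-service", "19:00"),
                    ("192.0.2.5", "port-scan", "19:00"),
                    ("198.51.100.20", "port-scan", "09:30")]:
        print(f"{t:15} {a:18} -> {ROE.check(t, a, w)}")
```

The first case is the only one the gate lets through; each of the others is refused with the specific ROE rule it violates, which is the record a tester wants when a customer asks why something was or was not attempted.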
Reconnaissance
The goal of reconnaissance is to find areas of weakness within the tested environment. The PIRC cybersecurity analyst(s) will attempt to exploit these weaknesses in the next project phase.
During reconnaissance, analysts perform the following standard actions:
- Vulnerability discovery and assessment. Cybersecurity analyst(s) will seek out open, unpatched, or otherwise vulnerable ports and services.
- Active private system discovery from segmented guest networks
- Unauthenticated web application vulnerability reconnaissance, if applicable
- Passive internet reconnaissance for organizational data such as peoples’ names, names of systems, and email addresses.
- Passive internal reconnaissance of network communications and traffic content
- DNS reconnaissance
Attack Planning and Execution
This phase is where active exploitation attempts are carried out. PIRC cybersecurity analysts will attempt to gain unauthorized access to systems and private information. Analysts also try to move laterally through the network, attempting to elevate privileges and jump from system to system wherever possible.
Keep in mind that the cybersecurity analyst(s) may create accounts, inject processes, or take other steps that result in configuration changes, artifacts, or short-term disruption within the environment. A log of this activity is maintained so that every account or process left behind can be verified as removed after testing.
During this phase, cybersecurity experts will be focused on:
- Analyzing reconnaissance data and determining whether exploitation methods are available
- Establishing potential attack chains and attack plans for critical assets
- Attempting exploitation of vulnerabilities, configuration flaws, and gaps in employee awareness
- Generating the attack traffic required to evaluate the controls identified in the rules of engagement
Analysis and Documentation
All data collected during testing is analyzed from the perspective of a real-world attack. Findings are scored and prioritized for remediation using a matrix that weighs the potential damage of each finding against how easily it can be exploited.
Presentation and Close-out
Our cybersecurity experts will share all findings with you and transfer the knowledge required to improve your organizational IT security.
- Reporting by cybersecurity analysts includes prioritized exploitation vectors and remediation recommendations, focused on the opportunities that mitigate the highest-impact problems
- A high-level executive summary focused on key recommendations is presented along with a detailed technical review
- A vulnerability workbook is included, which the tested organization can use to track the progress of remediation efforts