Penetration Testing

What is a Penetration Test?

A penetration test, also known as pentest, is a simulation of a hacker attack on a network, system, application or website, used to discover existing vulnerabilities and weaknesses before hackers find and exploit them. In other words a penetration test is an independent security evaluation of your IT infrastructure. Despite some popular belief, penetration testing is very different from vulnerability scanning. Instead of simply trying to identify vulnerabilities through fast and automated manners, a pentest is far more realistic and deeply relies on manual Ethical acking concept. It is also more comprehensive than cheap vulnerability scanning as it addresses several important security aspects, such as the exploitation process and privilege escalation phases, as well as the steps involved into maintaining access to the targeted infrastructure. At igh!Tech "ridge, we really think that nowadays only an offensive security approach can bring you the certainty to be well protected against hackers.

Types of Penetration Tests

#enetration tests can be divided into three different groups$

Internal Penetration Test External Penetration Test Hybrid Penetration Test

Internal Penetration Testing

Internal penetration testing, also known as internal pentest, focuses on threats and risks surrounding internally connected systems, should them be related to an inside attacker or to a corporate computer which is remotely used by an external hacker to reach sensitive company%s assets without facing its perimeter defenses. The most demanded modules of internal penetration test include the following$

Client-Side pplications ttac!

&lient'(ide applications attacks combined with social engineering are very efficient and complex to detect. The module verifies resistance of the application layer )e!mail clients, browsers, and office and #D* programs+ within local user!machines to a large number of application attacks.

Tro"an Horse ttac!

Tro,an horse remains one of the most used and successful attacks today. Attacker keeps full control over compromised machine, stays invisible and can do whatever he wants inside of the system. This module of internal penetration test will check your firewall and ID(-I#( capabilities to identify and block Tro,an horses and backdoors, as well as local security of user!machines.

#alicious E$ployee ttac!

This module simulates behavior of a malicious employee who has a privileged access to a number of local IT resources, or who is trying to escalate his privileges and access rights. .og!management systems, behavior!based ID( and I#( will be carefully tested, as well as user rights segregation and access!level control.

Social Engineering and Phishing

/aive or deceived employee can cause serious damage to your information system, by opening doors and granting unauthori0ed access to malicious persons. igh!Tech "ridge experts will test psychological skills, respect of corporate security policy and procedures during the (ocial Engineering module of internal penetration testing.

#alicious or %nauthori&ed Content

1alicious or unauthori0ed content module tests if content filters of your information systems )email, web and others+ are correctly blocking all the malicious or unauthori0ed content in conformity with corporate security policy and security best!practices.

External Penetration Testing

External penetration testing, also known as external pentest, covers security surrounding publicly exposed systems. It consists in assessing information systems security from the perspective of an outside attacker. (ince systems can be directly targeted from outside external threats pose a clear danger to any company, even small businesses regularly suffer from blind attacks on a daily basis. 1ost popular modules of external penetration testing are$

'#( ) *ront-Side ttac!s

*ront!(ide attack module verifies security of servers and services exposed to the Internet. Database servers, 2eb servers, 1ail servers, *ile (ervers, D/( servers and 3#/ servers are the most popular systems accessible by anybody from the Internet, therefore the most targeted by hackers. igh!Tech "ridge experts will launch many different remote attacks on your *ront!(ide in order to identify all existing risks.

Web pplication ttac!s

2eb Application penetration test module checks the resistance of your corporate website or web!based application to a large number of web attacks, which become more and more popular and easy!to!execute today. 2eb!based attacks permit to discover improper user input validation that is passed to web application, authentication, authori0ation, encryption and other logic flows, which could result in unauthori0ed access, credentials and identity theft or privilege escalation within TT#- TT#( portals, for example an e! banking system.

War 'ialing ) P +, ttac!s

2ar Dialing module permits to ensure security of corporate telecom infrastructure. It consists of scanning telephones and 3oI# entry points and looking for available resources that hackers can attack in order to gain unauthori0ed access to various telecom services )modems, #A"4 and voicemail systems+. Telecom vulnerabilities exist for a very long time, however still represent an easy way to break into many networks and might result in expensive abuse of telecom services.

Physical Security
#hysical security is 5uite often ignored in corporate security architecture and remains one of the weakest points of IT infrastructure today. #erfectly protected server is vulnerable if physical access to the server!room is not secured, controlled and restricted. #hysical (ecurity module will perfectly complete your IT security assessment process.

Hybrid Penetration Testing

Today penetration testing is not only limited by internal and external attacks, but indeed involves sophisticated mixed!types of attacks, which represent a combination of local and remote vectors. ybrid penetration testing usually includes the following modules$

ttac!s fro$ Trusted -et.or!s

If one of your business partners, customers or suppliers is compromised, hackers can try to penetrate into your system from trusted networks having more rights and fewer restrictions than everybody. This module of hybrid penetration test will simulate various attacks coming from allegedly trusted network resources and systems.

ttac!s on Wireless -et.or!s

2i!*i, "luetooth and I6 devices are being more and more used in business processes. 1ore and more sensitive and highly confidential information is transmitted over wireless networks, opening new opportunities for hackers. 2ireless penetration testing will simulate multiple types of attacks against this broadly used technology, such as ,amming or encryption attacks.

ttac!s on S$art phones

1obile phones and (mart phones are broadly used in corporate business today. ackers are discovering new opportunities of industrial espionage and blackmailing by compromising and tro,aning (mart phones. (mart phone penetration test module will help you to identify risks related to you corporate mobile devices.

/ost or Stolen Portable 'evices

In many cases lost or stolen laptop or #DA opens unlimited access to the entire corporate IT infrastructure. 2ith the recent growth of +01' )"ring 7our 8wn Device+ practice, risk of disappeared mobile device is very high. This penetration testing module will simulate malicious activity with a corporate mobile device in order to verify data encryption, system blockage in case of theft and device tracing measures.

Penetration Testing #ethodologies

A penetration test can be performed by one of these three methodologies$

+lac! +ox Penetration Test

A long time ago, the "lack "ox approach initially referred to external penetration testing. Auditors were then supposed to remotely assess the network infrastructure without being aware of any internal technologies deployed in the targeted infrastructure. /owadays, this term does not restrict anymore to external penetration testing, but indeed implies that auditors do not have access to any internal information. A D19 assessment usually falls in this category. "esides its realistic aspect, this approach may also be advised to companies which are willing to verify the IT department%s response and countermeasures to the attack, as only the key figures in the company may be aware of the underlying intrusion test.

2ray +ox Penetration Test

This approach implies that auditors have a limited knowledge of the internal infrastructure. (uch an approach may complete a "lack "ox assessment and reveal vulnerabilities and weaknesses among specific components. *or example, a corporate web application may first be globally assessed without prior knowledge, before facing attack simulations from an auditor who would be given credentials to access restricted area. :rey "ox approach would therefore permit to take into consideration attacks initiated by an illegitimate user, as well as from a trusted user who may have himself been abused or compromised.

White +ox Penetration Test

The 2hite "ox approach initially described internal penetration testing. Auditors were then supposed to be aware of all internal technologies within the targeted infrastructure. The term has also evolved, and today it describes all penetration tests performed while auditors have unrestricted access to any information related to internal resources. A source code review typically belongs to white!box security assessments category. "esides its comprehensive aspect, this approach especially suits company needs when its IT department fully cooperates with the penetration testing team. As target scoping and information gathering phases are not re5uired, this approach also decreases the intrusion test overall time, and therefore its price.

Despite the 2hite "ox approach could be considered the most complete method, its conditions remain far from most common real!world attacks. In the other hand, the "lack "ox approach is more complex and less comprehensive, but indeed relies on very realistic methods. "eing a combination of 2hite "ox and "lack "ox, the :rey box

approach may sometimes be very attractive. Anyway, each company should choose the most appropriate method according to its particular business needs and desired results.

Penetration Testing Standards

igh!Tech "ridge security experts use world!recogni0ed penetration testing standards, as well as igh!Tech "ridge%s proprietary methodologies and know!how based on our information security research, among which$

/PT ).icensed #enetration Tester methodology from E&!&ouncil+ 1STT## )8pen (ource (ecurity Testing 1ethodology 1anual+ 1W SP )8pen 2eb Application (ecurity #ro,ect+ ISS * )Information (ystems (ecurity Assessment *ramework+ W SC-TC )2eb Application (ecurity &onsortium Threat &lassification+ PT* )#enetration Testing *ramework+ 1ISS2 )Information (ystems (ecurity Assessment *ramework+ -IST SP344-556 )Technical :uide to Information (ecurity Testing and Assessment+

igh!Tech "ridge%s penetration test reports are indeed a must have material for most well!known co$pliance standards7 such as8 IS1)IEC 9:44589446 ;Infor$ation Security #anage$ent Syste$s< IS1)IEC 9:44989446 ;Code of Practice for Infor$ation Security #anage$ent< IS1)IEC 9:44689443 ;Infor$ation Security =is! #anage$ent< PCI 'SS v9>4 ;Pay$ent Card Industry 'ata Security Standard<

Penetration Test =eport

%pon co$pletion of penetration test High-Tech +ridge security experts .ill provide you .ith a detailed penetration test report containing a full list of discovered vulnerabilities and .ea!nesses7 .ith reco$$endations on ho. to fix the$> The report is divided into t.o parts8

Penetration Test =eport for #anage$ent and Shareholders8

o

/ist of discovered threats and ris!s .ith their direct and indirect i$pact on co$pany business processes7 ordered by priority and gravity> Proposed solutions .ith esti$ation of cost and ti$e of installation and integration>

Penetration Test =eport for IT 'epart$ent8

o

'etailed technical description of all vulnerabilities and .ea!nesses discovered during the test7 .ith CWE-I' and C?SSv9 +ase Score for each vulnerability> =eco$$endations on vulnerability patching and re$ediation>

%pon delivery of penetration test report our experts .ill be pleased to assist you in vulnerability patching>

@uestions a Penetration Test Will ns.er

Penetration test perfor$ed by High-Tech +ridge .ill tell you if you are efficiently protected against hac!ers7 and .hat the next steps to ta!e to $ini$i&e the ris!s to your business> It .ill indeed provide you .ith a clear ans.er to the follo.ing Auestions8

re your corporate net.or! and infor$ation .elfare .ell protected? Can you trust your current security solutions and intrusion prevention syste$s? What are the $ost relevant IT ris!s for your business today? Ho. can you i$prove your security and protect your business assets today? Ho. can infor$ation security be used as an invest$ent to your corporate i$age?

It is i$possible to verify ho. an airbag in your car .or!s .ithout inducing a car accident> Ho.ever7 if the airbag does not .or! during the accident it .ill be too late to do anything>

There is a similar concern in information technology$ if you don;t check behavior of your security solutions under real hacker attack conditions, you cannot be sure of their efficiency.