# Principles of Pentesting
## What is Penetration Testing
- Penetration testing is a type of security testing that evaluates an organization's ability to protect its infrastructure, such as:
    - Network
    - Applications
    - Systems
    - Users
- ...against:
    - External threats, and
    - Internal threats
## Benefits of Conducting a Pentest
## Penetration Testing Process
- Pre-Engagement
- Intelligence Gathering (Reconnaissance)
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting (& Cleanup)
## Penetration Testing Delivery Models: Conventional vs. Next Gen
- **In-house Penetration Testing**
    - Organizations have a dedicated penetration testing team in place.
    - This team is continuously engaged in in-house pentesting assignments.
- **Outsourced Penetration Testing Service**
    - "At a point in time" penetration testing services provided by third-party penetration testing consultancies.
    - Organizations outsource their penetration testing assignments to these consultancies to evaluate the security of their organization.
- **Penetration Testing as a Service (PTaaS)**
    - A cloud service that provides penetration testing along with the resources needed to conduct both at-a-point-in-time and continuous penetration tests.
- **Crowdsourced Penetration Testing Services**
    - An open-ended pentesting assignment in which pen testers worldwide attempt to find vulnerabilities in a target environment.
## ROI for Pentesting
*ROI = (Expected Returns - Cost of Investment)/Cost of Investment*
- Penetration testing helps companies identify, understand, and address vulnerabilities before an attacker does; the cost avoided is typically far larger than the cost of the test, which is what produces a good ROI.
- Demonstrating ROI is a critical step in the successful "sale" of a pentest.
- ROI for a pentest is demonstrated with a business-case scenario that sets the expenditure against the expected benefit.
- Companies spend resources on a pentest only if they have a proper understanding of its benefits.
## Comparison of Audit, Vuln. Assessment, & Pentesting
- Security Audit
    - A security audit checks whether an organization follows a set of standard security policies and procedures.
- Vulnerability Assessment
    - A vulnerability assessment focuses on discovering the vulnerabilities in an information system. It gives no indication of whether those vulnerabilities can actually be exploited, or of how much damage a successful exploitation would cause.
- Penetration Testing
    - Penetration testing is a methodological approach to security assessment that encompasses a security audit and a vulnerability assessment, and additionally demonstrates whether the vulnerabilities in a system can be successfully exploited by attackers.
## Key Points
- Penetration testing should not be simply ticking check boxes to meet security requirements.
- Vulnerability scanning should be a part of a pentesting program but is not a substitute.
- Penetration testing focuses on achieving defined **goals**, not merely on enumerating vulnerabilities.
## Types of Penetration Assessment
- Goal-oriented
- Compliance-oriented
- Red-team-oriented
### Goal/Objective-Oriented P.T.
- A type of assessment driven by goals.
- Objectives are defined rather than a detailed scope.
- The goal is defined before the test begins.
- The job is to check whether the goal can be achieved, and by how many different routes.
- Examples:
    - Gain remote access to an internal network
    - Gain access to credit-card information
    - Gain domain administrator access
    - Create a denial of service (DoS) condition against a website
    - Deface a website
### Compliance-Oriented P.T.
- Driven by, and designed to satisfy, compliance requirements.
- Entails assessing the environment against the requirements of standards, frameworks, and laws.
- For example, an organization may ask to have its PCI DSS compliance checked.
### Red-Team P.T.
- An adversarial, goal-based assessment in which the pen tester behaves like a real attacker.
- Has no single driver such as a compliance requirement or a narrowly defined objective.
- Organizations usually ask for an assessment of their people, networks, applications, and physical/social security.
![[image-270.png]]
## Strategies of Pentesting
- Pentesting strategies
- Black box
- White box
- Gray box
- Each strategy takes a different approach for assessing the security of an organization's infrastructure.
### Black-box P.T.
1. Black-box testing assumes that the pen tester has no previous knowledge of the infrastructure to be tested.
2. The tester has little or no information about the target company.
3. The pentest must be conducted after extensive information gathering and research.
4. This test simulates a real external attack: the tester gathers publicly available information such as domain names and IP addresses.
5. A considerable amount of the time allocated to the project is spent discovering the nature of the infrastructure and how its parts connect and interrelate.
6. It is time-consuming and expensive.
#### Black-box P.T. Types
- Classified as follows:
    - Blind Testing:
        - Simulates the methodologies of real hackers.
        - Limited or no information is provided to the penetration testing team.
        - Time-consuming and expensive process.
    - Double-blind Testing:
        - Few people know that the test is being conducted.
        - Even the IT/security staff are not informed.
        - The purpose is to test how they react.
        - Involves testing the monitoring, incident identification, and response procedures.
### White-box P.T.
- The tester is given complete information on the infrastructure to be tested.
- This test simulates an attack by an insider, such as an employee, who already knows the environment.
- It helps reveal bugs and vulnerabilities more quickly.
- It provides assurance of complete testing coverage, since the tester knows exactly what to test.
### White-box P.T. Types
- Classified as follows:
    - Announced Testing: the organization's IT and security staff know about the test and cooperate with the testers.
    - Unannounced Testing: only upper management knows about the test; IT and security staff are not informed, so their detection and response can also be assessed.
### Grey-box P.T.
1. This test is a combination of black-box and white-box penetration testing.
2. In a gray-box test, the tester usually has limited information (for example, a user account or a network diagram).
3. Security assessment and testing are performed from an internal vantage point.
4. It tests applications for the vulnerabilities that a hacker might find and exploit.
5. It is typically used when a penetration tester starts a black-box test on well-protected systems and finds that some prior knowledge is required to conduct a thorough review.
## Cost & Comprehensiveness
![[image-271.png]]
## Selection of Appropriate Testing Methods
1. The specific testing strategy should be selected based on the demand, goal, time, and resources available.
2. A black-box test aims to compromise the security of an organization by mimicking the actions of a real-world attacker.
3. However, white-box or gray-box testing can be more useful when the time and resources available to the tester are limited, since less of the engagement is spent on discovery.
4. Careful test planning and an understanding of the testing constraints are required when limited time and resources are available for conducting the test.
## Different Methods of P.T.
- Automated P.T.
    - Automated penetration testing is performed with the help of various commercial or open-source penetration testing/security assessment tools.
    - Run automated tools or scripts.
- Manual P.T.
    - Manual penetration testing is performed by an individual or a group of individuals who are experts in penetration testing.
    - Run tools one by one yourself and interpret the results.
## Selecting the Appropriate Method of P.T.
- Automated tools cover about 45% of known vulnerability types; the remaining 55% require manual intervention.
- The ideal pentest uses automated tools but is led by human insight and intelligence.
- Manual intervention also reduces the number of false positives produced by automated testing.
## Common Areas of P.T.
- Network
- Web App
- Social Engineering
- Wireless Network
- Mobile Device
- Cloud
- ...and more!
### Network
- Helps identify security issues in network design and implementation.
- Common network security issues:
    - Use of insecure protocols.
    - Unused open ports and services.
    - Unpatched operating system (OS) and software.
    - Misconfiguration in firewalls, intrusion detection systems (IDS), servers, workstations, network services, etc.
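The first three issues above can be triaged directly from scan output. The following is an added example (not from the course slides) that parses constructed nmap grepable (`-oG`) output and flags cleartext protocols, services not in an approved baseline, and software below a version floor. The hosts, IPs, banners, `BASELINE` and `MIN_VERSIONS` are all invented for the demonstration.

```python
"""Triage constructed nmap -oG output for insecure protocols, unexpected
services and outdated software.  Added example; all data is invented."""
import re

# Services that carry credentials or data in cleartext by design.
CLEARTEXT_SERVICES = {"telnet", "ftp", "rsh", "rlogin", "rexec", "pop3", "imap", "snmp", "vnc"}

# Constructed baseline: proto/port pairs each host is approved to expose.
BASELINE = {
    "10.0.0.5": {"tcp/22", "tcp/80", "tcp/443"},
    "10.0.0.9": {"tcp/22"},
    "10.0.0.12": {"tcp/443"},
}

# Constructed version floors; anything below counts as unpatched.
MIN_VERSIONS = {"OpenSSH": (9, 3), "nginx": (1, 24)}

# Constructed sample in nmap -oG layout (not a real scan):
#   Host: <ip> (<name>)<TAB>Ports: port/state/proto/owner/service/rpc-info/version/, ...<TAB>Ignored State: ...
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample, not a real scan)
Host: 10.0.0.5 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 9.6/, 80/open/tcp//http//nginx 1.24/, 443/open/tcp//ssl|http//nginx 1.24/\tIgnored State: closed (997)
Host: 10.0.0.9 (legacy.example.test)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.5/, 22/open/tcp//ssh//OpenSSH 7.4/, 23/open/tcp//telnet//Linux telnetd/\tIgnored State: closed (997)
Host: 10.0.0.12 (fw.example.test)\tPorts: 161/open/udp//snmp//SNMPv1 server (public)/, 443/open/tcp//ssl|http//Fortinet web UI/\tIgnored State: closed (998)
"""

# "<product> <major>.<minor>..." at the start of the version banner.
VERSION_RE = re.compile(r"^([A-Za-z]+)\s+(\d+(?:\.\d+)*)")


def parse_grepable(text):
    """Return one dict per port entry: host, port, proto, state, service, version."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host_part, rest = line.split("\tPorts: ", 1)
        host = host_part.split()[1]
        ports_field = rest.split("\t", 1)[0]  # drop the "Ignored State: ..." field
        for item in ports_field.split(", "):
            # Seven slash-separated fields; the version text may contain spaces.
            port, state, proto, _owner, service, _rpc, version = item.split("/", 6)
            entries.append({
                "host": host,
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service,
                "version": version.rstrip("/"),
            })
    return entries


def triage(entries, baseline=BASELINE, min_versions=MIN_VERSIONS):
    """Map scan entries to (host, proto/port, category, detail) findings."""
    findings = []
    for e in entries:
        if e["state"] != "open":
            continue
        key = f"{e['proto']}/{e['port']}"
        # nmap reports TLS-wrapped services as "ssl|http"; the base service is the last token.
        base = e["service"].split("|")[-1]
        if base in CLEARTEXT_SERVICES and not e["service"].startswith("ssl|"):
            findings.append((e["host"], key, "insecure-protocol",
                             f"{base} exposes credentials or data in cleartext"))
        if key not in baseline.get(e["host"], set()):
            findings.append((e["host"], key, "unexpected-service",
                             f"{e['service']} is not in the approved baseline"))
        m = VERSION_RE.match(e["version"])
        if m and m.group(1) in min_versions:
            have = tuple(int(x) for x in m.group(2).split("."))
            want = min_versions[m.group(1)]
            if have < want:  # tuple comparison: (7, 4) < (9, 3)
                findings.append((e["host"], key, "outdated-software",
                                 f"{e['version']} is below {'.'.join(map(str, want))}"))
    return findings


def run_sample():
    return triage(parse_grepable(SAMPLE_SCAN))


if __name__ == "__main__":
    for host, key, category, detail in run_sample():
        print(f"{host:<11} {key:<8} {category:<18} {detail}")
```

On the constructed sample the web host produces no findings, the legacy host yields FTP and telnet as both cleartext and unapproved plus an outdated OpenSSH, and the firewall yields SNMPv1 as cleartext and unapproved. A real engagement would replace the baseline with the customer's asset inventory and the version floors with the vendor's supported-release list.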
### Web App
- Helps detect security issues in web applications caused by insecure design and development practices.
- Common web application security issues:
    - Injection vulnerabilities.
    - Broken authentication and authorization.
    - Broken session management.
    - Weak cryptography.
    - Improper error handling.
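Two of the issues above, injection and weak cryptography, are easiest to see side by side in a login routine. The following is an added example (not from the course slides): the same check written first with an injectable query that compares a plaintext password inside the SQL, then in a hardened form with a bound parameter and salted PBKDF2 verification. The users, passwords, in-memory SQLite schema and the `PAYLOAD_USER` string are constructed for the demonstration.

```python
"""Injectable vs. hardened login against an in-memory SQLite table.
Added example; users, passwords and schema are invented."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # demo value; tune to your latency budget in production


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_demo_db():
    """Constructed users table.  The plaintext 'password' column exists only
    so the vulnerable path can be shown; a real schema would not have it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, salt BLOB, pw_hash BLOB)"
    )
    for user, pw in (("admin", "correct horse battery staple"), ("alice", "hunter2")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (user, pw, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately injectable: user input is pasted into the SQL text and the
    password is compared in plaintext inside the query."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: a bound parameter keeps input out of the SQL grammar, and the
    password is checked against a salted PBKDF2 hash in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    salt, stored = row
    if hmac.compare_digest(hash_password(password, salt), stored):
        return username
    return None


# Classic comment injection: everything after "--" (the password check) is
# discarded by SQLite, so the query degenerates to "WHERE username = 'admin'".
PAYLOAD_USER = "admin' --"


if __name__ == "__main__":
    conn = build_demo_db()
    print("vulnerable, injected payload:", login_vulnerable(conn, PAYLOAD_USER, "x"))
    print("hardened, injected payload:  ", login_safe(conn, PAYLOAD_USER, "x"))
    print("hardened, real credentials:  ",
          login_safe(conn, "admin", "correct horse battery staple"))
```

The injected username logs in as `admin` through the vulnerable function and is simply an unknown user to the hardened one. Note that fixing the injection alone would still leave passwords stored and compared in plaintext; the two issues need separate fixes.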
### Social Engineering
- Helps identify employees who fail to properly authenticate requests, validate identities, and follow security processes and technology controls.
- Common employee behaviors that pose serious security risks to the organization:
    - Clicking on links or attachments in malicious emails.
    - Falling victim to phishing emails and phone calls (vishing).
    - Revealing sensitive information to strangers.
    - Allowing unauthorized entry to strangers (tailgating).
    - Connecting an untrusted USB device to a workstation.
### Wireless
- Helps identify misconfigurations in wireless network infrastructure.
- Common security issues in wireless network infrastructure:
    - Unauthorized/rogue/open access points.
    - Insecure wireless encryption standards.
    - Weak encryption passphrases.
    - Unsupported wireless technology.
### Mobile Device
- Helps detect security issues associated with mobile devices and their use.
- Common security issues with mobile devices:
    - No implementation, or improper implementation, of the bring-your-own-device (BYOD) policy.
    - Use of unauthorized mobile devices.
    - Use of rooted or jailbroken mobile devices.
    - Weak security implementation on mobile devices.
    - Connection to insecure Wi-Fi networks.
### Cloud
- Helps identify security issues in cloud infrastructure.
- In addition to conventional security issues, cloud services have the following cloud-specific security issues:
    - Insufficient protection of data at rest.
    - Network connectivity or bandwidth below the minimum required.
    - Poor user access management.
    - Insecure interfaces and application programming interfaces (APIs).
    - Lack of privacy for users' actions in the cloud.
    - Security threats from inside the organization (or from the provider's staff).
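Two of the cloud issues above, poor access management and unprotected data at rest, can be caught from configuration alone before any exploitation. The following is an added example (not from the course slides) of a small linter over constructed policy documents and bucket records. The statement shape follows the AWS IAM policy JSON format (`Effect`, `Action`, `Resource`, `Principal`, `Condition`), but the policies, bucket names and the `sse` / `public_access_block` record fields are invented for the demonstration and the checks are illustrative, not a substitute for a cloud security benchmark.

```python
"""Lint constructed cloud policies and bucket records for over-permissive
access and unencrypted data at rest.  Added example; all inputs are invented."""


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource/Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten Principal ("*" or {"AWS": [...], "Service": ...}) to a list."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(_as_list(v))
        return out
    return []


def lint_policy(name, policy):
    """Return (name, statement-index, category, detail) findings for Allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        wildcard_resource = "*" in resources
        if wildcard_action and wildcard_resource:
            findings.append((name, i, "over-permissive", f"{actions} on {resources}"))
        elif wildcard_action:
            findings.append((name, i, "wildcard-action", f"{actions} on {resources}"))
        # Principal only appears in resource-based policies (e.g. a bucket policy).
        if "*" in _principals(stmt) and "Condition" not in stmt:
            findings.append((name, i, "public-principal", "Allow to Principal * without Condition"))
    return findings


def lint_bucket(bucket):
    """Flag buckets with no default server-side encryption or public access allowed."""
    findings = []
    if not bucket.get("sse"):
        findings.append((bucket["name"], None, "unencrypted-at-rest", "no default SSE configured"))
    if bucket.get("public_access_block") is False:
        findings.append((bucket["name"], None, "public-access", "public access block disabled"))
    return findings


# Constructed inputs (invented names, not real accounts or buckets).
CI_RUNNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}
REPORTS_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::reports-example/*"},
    ],
}
LEAST_PRIV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports-example", "arn:aws:s3:::reports-example/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    ],
}
BUCKETS = [
    {"name": "reports-example", "sse": "aws:kms", "public_access_block": True},
    {"name": "legacy-dumps-example", "sse": None, "public_access_block": False},
]


def run_sample():
    findings = []
    findings += lint_policy("ci-runner", CI_RUNNER_POLICY)
    findings += lint_policy("reports-bucket", REPORTS_BUCKET_POLICY)
    findings += lint_policy("report-reader", LEAST_PRIV_POLICY)
    for b in BUCKETS:
        findings += lint_bucket(b)
    return findings


if __name__ == "__main__":
    for name, idx, category, detail in run_sample():
        print(f"{name:<22} {str(idx):<5} {category:<20} {detail}")
```

The CI role's `*`/`*` statement and the bucket policy's unconditioned public principal are flagged; the least-privilege policy and the KMS-encrypted bucket produce nothing. In a real review the same checks would run over policies pulled from the provider's API rather than embedded constants.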
## P.T. Process
![[image-272.png]]
## P.T. Phases
![[image-273.png]]
# Pentesting Methodologies & Frameworks
Slides 40-50
# Best Practices & Guidelines for P.T.
Slides 51-68
# Role of AI in P.T.
Slides 69-76