06 Apr Applications and Systems Penetration Testing
Penetration Testing – Think Websites, Office Network, Email System, Mobile Apps, APIs and more
Penetration testing also known as ethical hacking or pen testing, is the practice of testing an organisation’s digital surface and/or physical assets. In this article the focus is on the former. With the digitalisation era in full swing, companies (irrespective of the size) are heavily investing in the shift towards online thus increasing the touch-points and surface attackers can target. The aim of pen tests is to emulate a hacking attack and find security vulnerabilities and weaknesses hackers could exploit.
The main goal of a penetration test is to identify security weaknesses before a malicious hacker does.
Penetration tests are carried out using a mix of proprietary tools, commonly used scripts and a string of manual actions. Pen tests are generally referred to as white hat attacks because ‘the good guys’ are attempting to break in an organisation’s system or application.
When carrying out a penetration test all the following can be tested: web and mobile (iOS and Andoid) applications, data, runtime, middleware, operating systems, virtualisation, servers, storage and networking. Various forms of configurations are tested ranging from on-premise to infrastructure as a service (IaaS), Platform as a Service (PaaS), and Software as a service (SaaS).
When to plan a penetration test?
A tricky question is ‘How often should you perform a pen test’? If the organisation is operating in the regulated sphere then the regulating body will set mandatory intervals for the tests to be carried out. If not a requisite of a regulatory body most companies carry it once a year. A more rational approach to scheduling these tests is to carry them out when new applications are added, the network infrastructure is updated, security patches are installed, modifications to apps are applied and policies are changed. Cybersecurity should always be factored in a business’ ICT and operations budget to help safeguard the critical digital assets and the digital surface. When a company is conducting its entire business online, (it obviously has more attack vectors!) it becomes more attractive to hackers.
Testing a security policy might not be common practice. A policy can be cross checked and tested – a common weakness which we find out over and over again is that most security policies focus on preventing and detecting an attack but fail to include actions and processes to expel a hacker. Having a full encompassing policy ensures full adherence to compliance regulations.
Regulations and compliance in certain industries such as banking and finance the regulating body would require (by law) that the company performs security tasks including penetration testing.
Our pen testing approach is based on 4 phases, namely:
- Planning – whereby we set the scope of the exercise
- Scanning – in which we simulate the attack and understand how the target responds to the various intrusion attempts
- Gaining and Maintaining access – via a mix of automated and manual techniques (Here attacks such as SQL injection, cross-site scripting and deserialization attacks are carried out. Simulations of vulnerabilities exploits, stealing data, intercepting traffic are executed. Maintaining access refers to the imitation of APT (advanced persistent threats) – long enough inside the system so the attacker gains in-depth access).
- Analysis and Reporting – list of specific vulnerabilities that were exploited, sensitive data that was accessed, and actionable remediation for each vulnerability discovered
Information about the identified security weaknesses are organised in a report, which is provided to IT management. A follow-up re-test and re-evaluation, after holes are fixed, is always recommended.
Common weaknesses we encounter include hard coded values in code-bases, which includes credentials (usernames and passwords). Data encryption is another area which registers a lot of weaknesses. In the case of APIs (Application Programming Interfaces) the most common issue is unsanitized input/s that are susceptible to code injection attacks and insecure direct object references. During pen testing many of the same tools and scripts used by black hat hackers, are utilised.
Commonly, pen testing is also used to improve and augment elements such as WAFs (web application firewalls). Insights provided in the end-report are to be used to fine tune security policies and patch detected vulnerabilities. In summary, Cybergate International carries out external testing, internal testing, black box testing, grey box testing and targeted testing.
Find more information about our penetration testing here