Different Types of Penetration Testing

Apr 01, 2024

Before we delve into the different types of penetration testing, their methods, and what assets they test, it is important to understand what penetration testing is. Penetration testing is a form of ethical hacking simulation conducted in accordance with industry guidelines, which aims to closely mimic the real-world targeted attacks that organisations face daily. By actively testing your organisation’s defences, you can understand your security posture while also improving your defences, reducing the likelihood of experiencing a cyber-attack, and ensuring confidentiality, integrity, and availability.

What can penetration tests be performed on?

Website Application Penetration Testing

A website application penetration test is an ethical hacking simulation designed to assess your business’s web applications regarding their architecture, design, and configurations. An assessment is conducted to identify any cyber-related risks that could allow unauthorised access to sensitive data or impact business continuity.


Web applications are an attractive target for cyber criminals as they play such a crucial part in business success. Customers not being able to access your web applications could reduce ROI (return on investment) and impact customer loyalty, as they might prefer an alternative that is consistently available.


To perform the best possible web app penetration test, your business will need a team that holds a deep understanding of the latest tactics and techniques that threat actors are using to compromise business web applications.

Website application Penetration Test methodology

Before the web application penetration test can be started, the penetration testing team will need to understand the scope of the assessment. This includes having a conversation about which specific web applications are to be tested and whether the assessment will be authenticated (log-in credentials are known) or unauthenticated (log-in credentials are unknown).


The tester will use a range of tools in their arsenal to discover any vulnerabilities within the web applications. Following this, should any vulnerabilities be found, the tester will proceed to exploit those vulnerabilities – demonstrating a ‘real world attack’ from a malicious actor.


After the web application penetration test, the tester will produce a custom-written report, detailing weaknesses identified and the follow-up steps to avoid these vulnerabilities being exploited by someone with malicious intent.

Website application Penetration Test Benefits

Internal Network Penetration Testing

Internal network penetration testing is an ethical hacking technique used to simulate a scenario where the attacker will already have internal access to your organisation’s system(s).


The aim of an internal penetration test can be either specific, or general, but will always have the same objective: either take control of as many assets as possible or reach a specific target within the organisation.


As a result, an internal network penetration test will provide a true representation of how vulnerable your organisation might be by identifying what actions can be performed now that the threat actor has access – those potentially being:

  • Unauthorised data disclosure
  • Data misuse
  • Data alteration
  • Data destruction


Since the threat actor will have already gained access to your organisation’s system(s), the purpose of an internal network penetration test will be to determine what assets are at risk, how they might be targeted, and what security controls may need implementing or strengthening to avoid future business disruption.

Internal Penetration Test Methodology

The penetration testing team will use a range of tools in their arsenal to discover any vulnerabilities within your business’s network. This toolbox includes a range of automated and manual tools selected specifically to fit around your organisation. Following this, should any vulnerabilities be found, the tester will proceed to exploit those vulnerabilities – demonstrating a ‘real world attack’ from a malicious actor.

Furthermore, if the tester has successfully exploited a vulnerability, then they will attempt to see what they can do from there. For example, if the tester manages to get onto a device, they will see whether they can pivot onto another machine to pass through the network. If the tester successfully bypasses detection and gets into the corporate network, then they will look to see what they can do from there.


The tester continuously aims to escalate their access and try to get Domain Admin credentials. However, if no vulnerabilities have been discovered (or none that are worth exploiting), then the tester will conclude the test and begin writing up the report.


The report will detail all the vulnerabilities that have been discovered during the internal penetration test and will endeavour to provide a detailed description of how to remediate each vulnerability. If a vulnerability was exploited, the tester will detail how it was exploited and what the result of exploiting it was.

"11% of businesses and 9% of charities carry out penetration testing."

- Gov.uk - Cyber Security Breaches Survey 2023

External Penetration Testing

External network penetration testing is an ethical hacking technique that examines all aspects of externally facing IP addresses and publicly available services. It includes:


  • Identifying misconfiguration with business security controls (such as a firewall)
  • Identifying any other vulnerabilities and further exploiting those applications/systems
  • Compromising administrative services and interfaces


As this is an external test, all work can be done remotely (compared to an internal pen test) and does not require an on-site engineer. Although this can usually be cheaper, it might not be able to cover all your business’s assets like an internal penetration test can.


An external penetration test will look for any vulnerabilities and will ethically look to exploit them if the tester is comfortable that this will not impact your business’s continuity. If an external hacker gains access to your network, then they can access and modify sensitive personal data and use their access to bring down the network, impacting your organisation’s availability.

External network penetration test benefits:

  • Gain real-world insight into your security controls
  • Identify out-of-date security controls and patch them
  • Reconfigure poorly optimised software, firewalls, and OS (operating systems)
  • Identify the most vulnerable asset/route that can be taken to exploit your network
  • Understand what data is vulnerable and how a breach impacts your organisation

External Penetration Test Methodology

To achieve this, the tester will use a range of tools in their arsenal to discover any vulnerabilities within the externally facing services. Following this, should any vulnerabilities be found, the tester will proceed to exploit those vulnerabilities – demonstrating a ‘real world attack’ from a malicious actor.

As explained for the internal penetration test, the external penetration tester will attempt to see how far they can infiltrate the system. For example, if the tester manages to get onto one of your business’s servers, they will see whether they can pivot onto another machine to pass through the network. If the tester successfully bypasses detection and gets into the corporate network, then they will try to see how far they can go. However, if no vulnerabilities have been discovered (or none that are worth exploiting), then the tester will conclude the test and begin writing up the report.


The report will detail all vulnerabilities that have been discovered during the test and will endeavour to provide a detailed description of how to remediate each vulnerability. If a vulnerability was exploited, the tester will detail how it was exploited and what the result of exploiting it was.

Application Testing

Application testing is a simulated security test where software applications and mobile apps are tested using scripts, tools, or any other automation frameworks to identify any vulnerabilities or errors. If any vulnerabilities are found and exploited, sensitive data could be accessible by unauthorised users and can be used to compromise your business continuity.


An application penetration test can assure the security of your application(s). The tester will manually scan for weaknesses in access controls, user permissions and separation, input injection, file upload/download functionality, authorisation, and authentication. It can identify weaknesses that may allow an unauthorised user to use the application in an unintended manner and gain access to information they are not authorised to view.


Furthermore, application penetration testing can also be used to test an organisation's compliance with security policies, the security awareness of its staff and how effectively it can respond to security threats.

Application penetration testing will enable you to:

  • Manage vulnerabilities
  • Identify any code or deployment issues
  • Avoid extra cost and reputation damage from suffering a security breach
  • Provide evidence of compliance with regulatory and certification standards
  • Provide stakeholder assurance 

A report will be compiled detailing the following:

  • Identified vulnerabilities
  • Risk levels
  • Examples and instructions for recreating the vulnerability
  • The data that became vulnerable once unauthorised access was successful
  • Mitigation recommendations

Infrastructure Segmentation Testing

Infrastructure segmentation testing will test access from certain network segments that communicate with other network segments. For example, your business may not want Guest users to access your corporate segment of the network.


To achieve the aims of this testing, the pen test team will try to establish rules concerning what access users on certain subnets should and/or should not have. An example base statement would be: “Users on the Finance VLAN should not be allowed to access any services that the technical team have access to”.


Once we have the base statements, the tester will connect to the network segment in question and will attempt to use a variety of tools in their arsenal to see if they can pivot onto segments that they should not be able to reach.


If the tester was able to get onto a segment that they should not be allowed to reach, they will detail in a report how they were able to do this and will provide recommendations on how to prevent this from happening in the future.
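The sketch below is an added example, not code from the original article or its authors. It shows how base statements can be written down as data and checked against the connectivity results recorded during a segmentation test. The subnets, the segment map and the observed results are all constructed for illustration.

```python
import ipaddress

# Constructed segment map: names follow the article, subnets are hypothetical.
SEGMENTS = {
    "guest": ipaddress.ip_network("10.10.0.0/24"),
    "finance": ipaddress.ip_network("10.20.0.0/24"),
    "technical": ipaddress.ip_network("10.30.0.0/24"),
    "corporate": ipaddress.ip_network("10.40.0.0/23"),
}

# Base statements: (source segment, destination segment) pairs that must not connect.
BASE_STATEMENTS = {("finance", "technical"), ("guest", "corporate")}

# Constructed test results: (source IP, destination IP, port, connection succeeded).
OBSERVED = [
    ("10.20.0.15", "10.30.0.8", 22, False),   # blocked as intended
    ("10.20.0.15", "10.30.0.9", 3389, True),  # finance reached technical
    ("10.10.0.77", "10.40.1.5", 445, True),   # guest reached corporate
    ("10.10.0.77", "10.30.0.8", 443, True),   # no base statement covers this pair
    ("10.20.0.15", "192.168.5.5", 80, True),  # destination not in any known segment
]

def segment_of(ip):
    """Return the name of the segment containing ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit(observed, base_statements=BASE_STATEMENTS):
    """Split successful connections into violations and flows needing a decision."""
    violations, undecided = [], []
    for src, dst, port, connected in observed:
        if not connected:
            continue
        pair = (segment_of(src), segment_of(dst))
        if None in pair:
            undecided.append((src, dst, port, "unmapped address"))
        elif pair in base_statements:
            violations.append((pair[0], pair[1], dst, port))
        elif pair[0] != pair[1]:
            undecided.append((src, dst, port, "no base statement"))
    return violations, undecided

if __name__ == "__main__":
    violations, undecided = audit(OBSERVED)
    for v in violations:
        print("VIOLATION %s -> %s (%s:%d)" % v)
    for u in undecided:
        print("REVIEW %s -> %s:%d (%s)" % u)
```

Flows listed for review are cross-segment connections that no base statement covers, which usually means the rule set agreed before the test was incomplete.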

Social Engineering

What is social engineering?
Social engineering is when a threat actor (a hacker) with malicious intent attempts to exploit human weakness by appearing to be a trusted source, and to use that person’s access within the organisation to obtain personally sensitive information.
Phishing simulations are one example of social engineering.


Social Engineering is not really a form of penetration testing, but forms part of an ethical hacking simulation. But as we have not really spoken much about this topic, we wanted to include it in our post before we go into more detail in the future.


Social Engineering test
An ethical hacking social engineering simulation will help your business evaluate your employees’ susceptibility to social engineering attacks. It supports educating your employees about how social engineering attacks are carried out and implementing and maintaining appropriate security controls, and it provides a basis on which to highlight issues with operating procedures and to develop targeted staff awareness training.

A social engineering simulation will help you:

  • Understand what information is publicly available regarding your organisation
  • Evaluate how susceptible your employees are to social engineering attacks
  • Determine the quality, readability and effectiveness of your information security policy and your cyber security controls when preventing social engineering attacks
  • Develop a targeted awareness training programme

Social engineering penetration test methodology

The tester will discuss your social engineering assessment requirements and define the overall scope of the test. Information concerning your organisation will be collected from publicly available resources.


The tester will try to achieve some sort of access to your business’s hardware and/or software-related assets by attempting to manipulate employees. If access has been achieved, and nobody has noticed, the tester will report their findings regarding the knock-on effect a similar breach may have if a real-life hacker were to take the same approach.


Any weaknesses found during the test will be brought to your organisation’s attention, and further action such as running team workshops (training and awareness) can be taken to improve employee knowledge and avoid any further unauthorised access.

Conclusion

As you can see, there are many different penetration testing methods that can be carried out against your business. They all have their own unique benefits and should be carried out annually, as a minimum requirement, to ensure continuing business compliance. We understand that penetration testing may seem to be a daunting task, but rest assured we can help. If you are worried about your business's security posture, then please do get in touch.
