Understanding Penetration Testing

Penetration testing (also known as pentesting) involves the use of a variety of manual and automated techniques to simulate an attack on an organisation’s information security arrangements. The test is performed to identify vulnerabilities which can be exploited by unauthorized parties to gain access to the system's data and controls. It is conducted by qualified and independent penetration testing experts, sometimes referred to as ethical or white hat hackers.
A quality penetration test can uncover most technical security weaknesses and provide you with the information and support required to remove them. A robust pentesting programme reduces the risk of data breaches and financial fraud and helps ensure compliance with information security standards, which is critical for keeping your consumers' trust in your brand. It reduces ICT costs over the long run by cutting support calls, and it addresses a risk that can threaten the very existence of a business. Web and mobile applications account for more than 30% of all data breaches, and nearly 80% of all web applications contain at least one vulnerability upon first assessment. Attacks on applications are growing at more than 25% annually.
The two most common types of penetration testing are
  1. Application penetration testing which involves finding vulnerabilities in web and mobile applications and;
  2. Network penetration testing which involves detecting vulnerabilities in servers, firewalls, wireless network and other networking equipment. It can be further classified into External Network Testing and Internal Network Testing.
Tests are also classified by how much information the tester is given:
  1. Black box testing, where no information is provided to the penetration tester; it simulates an external attack by an attacker with no prior knowledge of the target environment.
  2. Grey box testing, where limited information such as login credentials is provided to the tester; it simulates an attack by an insider or someone with partial knowledge of the target environment.
  3. White box testing, where complete information is provided to the tester in order to identify as many vulnerabilities as possible.
Automated penetration testing means running basic vulnerability scans against a specific application or network with tools such as Nessus, OpenVAS and Nmap, alongside Metasploit (an exploitation framework rather than a scanner) and tester distributions such as BackTrack (since succeeded by Kali Linux). Running such scans does not require tremendous expertise; a security engineer with decent experience can conduct a reliable scan. Automated scanning is a low-cost way of discovering basic vulnerabilities, but it is not enough to ensure that an application is thoroughly tested. Real attacks are fairly advanced these days and a simple automated scan is no match for them.
Manual penetration testing is conducted by people with years of penetration testing experience under their belt. Their skill level is far higher than that of an automated scan, because the work requires intricate knowledge of programming and networking along with the creativity to simulate a real-life attack. For example, business logic vulnerabilities, and Cross-Site Request Forgery (CSRF) where the impact depends on what the forged request actually does, are very difficult to detect with automated tools: a scanner may flag a missing anti-CSRF token, but judging whether the affected action matters, or chaining a series of legitimate-looking steps into an abuse of the application's logic, takes a security expert working in context. Only a manual penetration test can identify and validate such vulnerabilities.
Automated scans miss a large number of vulnerabilities, especially the ones attackers actually use to gain access to a system. Only a thorough penetration test can detect such known and unknown vulnerabilities. Many companies sell automated scanning as penetration testing, and one should be wary of them. A low-cost automated scan also gives management a false sense of assurance that they are secure, leaving gaping holes in their security assessment.
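An added example, not from the original page, of the kind of business logic flaw the paragraphs above say a scanner will not find: a checkout total that trusts the client's quantity, beside a hardened version. The shop, its catalogue, prices, order format and the `Order`, `total_vulnerable`, `total_hardened` and `run_probes` names are all constructed for this illustration.

```python
"""Business logic flaw that no scanner flags, beside its fix.
Constructed example: the catalogue, prices and probes are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Constructed catalogue: product id -> unit price in cents
CATALOGUE = {"book": 1500, "cable": 800}
MAX_QTY_PER_LINE = 100


@dataclass
class Order:
    items: Dict[str, int]   # product id -> quantity, exactly as sent by the client


def total_vulnerable(order: Order) -> int:
    """Vulnerable checkout: trusts the client-supplied quantity.
    {"book": 2, "cable": -3} prices out at 3000 - 2400 = 600 cents, and a large
    enough negative quantity turns the purchase into a refund. Every response is
    a well-formed 200 with valid JSON, so a crawler-plus-scanner has nothing to flag."""
    return sum(CATALOGUE[pid] * qty for pid, qty in order.items.items())


def total_hardened(order: Order) -> int:
    """Hardened checkout: validate each line in business terms before pricing.
    The rule 'a quantity is a positive integer within a sane bound, for a product
    we actually sell' is exactly the knowledge an automated scanner does not have."""
    total = 0
    for pid, qty in order.items.items():
        if pid not in CATALOGUE:
            raise ValueError(f"unknown product {pid!r}")
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY_PER_LINE:
            raise ValueError(f"invalid quantity {qty!r} for {pid!r}")
        total += CATALOGUE[pid] * qty
    return total


def rejects(order: Order) -> bool:
    """True if the hardened path refuses the order."""
    try:
        total_hardened(order)
    except ValueError:
        return True
    return False


# Probes a tester sends by hand after reading the checkout flow. Each is a
# legal-looking request; only someone who knows what a quantity means sends it.
PROBES = [
    {"book": 2, "cable": -3},     # negative line item: partial refund
    {"book": -1000},              # refund larger than any purchase
    {"cable": 0},                 # order of nothing, still creates a record
    {"book": 1, "unlisted": 1},   # product that is not for sale
]


def run_probes() -> List[Tuple[Dict[str, int], Union[int, str], Union[int, str]]]:
    """Pair each probe with the vulnerable total and the hardened outcome."""
    results = []
    for items in PROBES:
        order = Order(items=items)
        try:
            vuln: Union[int, str] = total_vulnerable(order)
        except KeyError as e:
            vuln = f"500 KeyError {e}"   # unhandled exception is an error, not a defence
        hard: Union[int, str] = "rejected" if rejects(order) else total_hardened(order)
        results.append((items, vuln, hard))
    return results


if __name__ == "__main__":
    for items, vuln, hard in run_probes():
        print(f"{items!s:32} vulnerable={vuln!s:22} hardened={hard}")
```

The vulnerable path never errors on the first three probes, which is why a scanner that only looks for error signatures, reflected payloads or missing headers reports the checkout as clean; the tester finds the flaw by understanding what a quantity is supposed to mean.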
A vulnerability is either a coding bug or a flaw in software architecture and controls that can be exploited to cause a security breach. A vulnerability assessment is an evaluation process used to identify, and assign severity levels to, as many security defects as possible in a defined time-frame. It may involve automated and manual techniques of varying complexity, and it typically targets several layers of technology, such as the application layer and the network layer.
In practice a vulnerability assessment relies mainly on automated scanning tools to identify known, common vulnerabilities in a system's security configuration. It is non-exploitative: it reports the detected vulnerabilities without attempting to actively exploit them. A vulnerability assessment is used to validate the minimum level of security that should be in place before a more specialised penetration test is conducted. A penetration test, by contrast, is the simulation of a real-world attack to demonstrate and validate actually exploitable vulnerabilities. It is conducted manually because it is intended to go much further than the generic responses, false positives and lack of depth provided by automated application scanning tools.
The OWASP Top 10 is a regularly updated awareness document for web application security that lists the 10 most critical risks. OWASP (the Open Web Application Security Project) is a non-profit foundation focused on application security, and the Top 10 is put together by a team of security experts from around the world. The 2017 edition (the latest at the time of writing; OWASP has since published a 2021 edition) lists the following:
A1 Injection
A2 Broken Authentication
A3 Sensitive Data Exposure
A4 XML External Entities (XXE)
A5 Broken Access Control
A6 Security Misconfiguration
A7 Cross-Site Scripting (XSS)
A8 Insecure Deserialization
A9 Using Components with Known Vulnerabilities
A10 Insufficient Logging & Monitoring
Every company that is connected to the web and has an online presence should undertake a penetration test of exposed applications and network at least once a year. However, the severity of risk that an organisation faces on account of data breaches or financial frauds should determine both the urgency and frequency of penetration tests.
Being vulnerable means being open to injury or attack. There is never a convenient time to improve your security, as managing risk involves a great deal of uncertainty. CXOs of even Fortune 500 companies are having sleepless nights over the emerging threats that cyber-attacks pose in a digital economy; the succinct answer is "a stitch in time saves nine". However, you should not commission a penetration test until your organisation has implemented the required basic security controls, such as firewalling, malware protection and patching; otherwise the test will mostly catalogue missing hygiene rather than find the weaknesses that remain once it is in place.
Keep the following factors in mind while deciding the target environment:
  1. How critical is a specific system to your organization and the business impact it would create if the system is compromised
  2. Regulatory and compliance requirements, such as the Payment Card Industry Data Security Standard (PCI DSS) for payment platforms
  3. Major business or IT changes which can have a significant impact on the threat profile of your organization
  4. Critical systems undergoing software development
  5. Outsourced applications or infrastructure like cloud services
  6. Any security requirements assessed by the management of your organization
Penetration testing requirements should specify:
  1. The scope of the test
  2. Any exclusions from scope, e.g. denial of service (DoS) attacks
  3. Frequency of testing (one time or periodic)
The challenges associated with planning a penetration test are:
  1. Making a business case to management for undertaking a test
  2. Deciding the scope and target environment
  3. Identifying what type of penetration testing is required
  4. Managing risks associated with potential system failure
  5. Fighting complacency once a penetration test is completed and vulnerabilities remediated.
  6. Finding a good penetration testing partner within the budget
Information security mandates an integrated focus on all the three elements of security i.e. People, Processes and Technology. A penetration test covers just the target environment that has been selected and focuses on discovering vulnerabilities in the technical infrastructure. Further, the quality of a penetration test is highly dependent on the capabilities and experience of the penetration tester as a low quality test can leave several critical vulnerabilities undiscovered.
Key risks while performing a penetration test can be:
  1. Impact on the availability and performance of the live systems
  2. Data breach of confidential information
  3. Compromised integrity of the information
Steps one can take to mitigate key risks in a penetration test are:
  1. Carry out methodical planning in advance
  2. Prepare a clear definition of scope
  3. Formulate escalation procedures for resolving problems quickly
  4. Hire a capable penetration testing firm
Pentesting needs to be performed on a regular basis to ensure that newly discovered vulnerabilities are detected before a potential attacker exploits them, and regulatory and compliance standards may mandate a specific periodic testing schedule. Beyond that, schedule a test on the following triggers:
  1. Changes to the network infrastructure
  2. New applications or servers being deployed
  3. Significant upgrades or modifications to infrastructure or applications
  4. New office locations
  5. Acquisition of a company
  6. After every major round of security patching, to confirm that the vulnerability has been closed
The following remediation actions should be taken to fix identified vulnerabilities:
  1. Prepare a remediation plan taking into account the severity ratings of the vulnerabilities.
  2. Execute quick fixes immediately, such as patching systems, closing ports and blocking traffic from particular IP addresses.
  3. Report weaknesses to relevant third-party organisations, if required.
  4. Make the requisite changes to security policies based on the inputs provided in the report.
  5. Conduct a retest once the flagged issues are fixed.
Red Teaming is an adversarial, goal-based assessment that simulates a real-world attack against your organisation's assets. A Red Team does not focus only on your web application or network but builds composite attack scenarios to reach a defined objective by whatever path is available. Quality Red Teams take an intelligence-led penetration testing approach to thoroughly test an organisation's security defences.

 

PentestO’s Services and Engagement Model

  • Web Application Penetration Testing
Web applications are highly susceptible to hacking because modern applications use multiple technologies, leading to an enormous attack surface. Most development teams are pressed to meet deadlines, with little time to develop an attacker's mindset. Coupled with the move to cloud-based services, integration with the Internet of Things (IoT), multiple APIs and Software Defined Networking (SDN), this makes security a daunting task that needs trusted external help.
  • Mobile Application Penetration Testing
With the mobile revolution, most consumer-focused businesses use mobile apps to connect with their customers directly. Such a connection entails a large business risk for the company because of sensitive customer data handling and the potential for financial fraud. With new vulnerabilities being discovered every day, continuous risk assessment of mobile apps has become a business necessity.
  • Network Penetration Testing
Networks are highly vulnerable to Denial of Service (DoS), Man-in-the-Middle (MitM), snooping and de-authentication attacks. An expert penetration tester does not only use a vulnerability scanner but draws on their experience to manually test for and discover critical vulnerabilities. Let our testers find them for you.
  1. Pre-engagement Phase: We will provide a free quote/assessment for our testing service that you are interested in. If desired, we sign an NDA as well. Only an indicative Scope of Work is provided in the Quote. Based on the Quote, the Client can issue us a Letter of Award, along with the necessary permissions.
  2. Engagement Phase 1: Discussions are held with management to plan and conduct the test as per the mutually agreed schedule. A short technical report may be issued within 24 hours of the conclusion of penetration testing if the issues identified are deemed critical and urgent by PentestO.
  3. Engagement Phase 2: A detailed report, as per the agreed Scope of Work, shall be submitted within 1 week (7 calendar days) after the conclusion of Phase 1. The Client needs to make the complete payment within 1 week after submission of the detailed report.
  4. Post-engagement Follow-up: If the Client desires, a free retest is provided as per a mutually agreed schedule. Free retesting is restricted to the issues identified in the report and can be availed any time up to 4 weeks after submission of the detailed report.
 
Scope of Work elements and considerations
Definition of target environment
  • Which systems are in and out of scope
  • Whether white, grey or black box testing approach is being adopted
  • Types of test that are prohibited like a denial of service attack
  • Location of the testing team
  • Approvals required from the Client before testing
  • Network or web application firewalls deployed
Testing team and schedule
  • Who will be leading the testing engagement
  • The names of the testers that will be used for the testing engagement, with details about their roles, skills, experience, qualifications and backgrounds
  • The number of days required for testing along with the dates
  • Defined testing times and locations
Report requirements
  • The format of the test report
  • Date of delivery of the test report
  • Mode of delivery of the test report
Communication processes
  • Information and resources that the testers will need prior to testing
  • How affected third parties will be informed and consulted in relation to the testing activities
  • How testing start-up and close-down will be covered
Liabilities of both parties
  • Steps required by both parties should any issues arise
  • Details of liability of both the parties
Follow up activities
  • Any retesting needed once mitigations have been made for the discovered vulnerabilities (only once)
The following pentesting methodology shall be followed:
  1. Information Gathering: In this stage we perform detailed reconnaissance on the application, its architecture, features and security controls. Certain inputs are also sought from the technical team in the case of grey/white box testing. As much intelligence as possible is collected from public sources such as the following:
  • WHOIS
  • GitHub
  • Pastebin
  • DNS
  • Web forums
  • Email addresses
  • Search engine recon
Network mapping and service enumeration is then performed for the in-scope addresses to extract any useful information.
  2. Planning and Analysis: Based on the information collected we devise a full-scale “Red Team” approach to mimic real-world attacks. The attack is planned on a test environment or during times of lowest network activity in order to minimise any impact on the performance of the target system.
  3. Vulnerability Assessment: In this stage we run vulnerability scanners to look for possible and common vulnerabilities related to the platform, APIs, technology framework etc.
  4. Manual Penetration Testing: Here we run exploits against the application to evaluate its security. We use custom scripts, open-source exploits and in-house tools to achieve a high degree of penetration. Discovered services are manually and safely tested or exploited to confirm whether they are vulnerable. Exfiltration is attempted on successfully compromised machines (scope permitting) and user privileges are escalated to administrator/root. Screenshots of the account privilege level or discovered data are taken as evidence.
Pivoting is attempted from compromised machines to route traffic into the internal network or subnet. This demonstrates the risk of a potential breach and how far an attacker could get within the target company's network.
  5. Reporting: All discovered security findings are documented in a severity-ordered report with clear, concise remediation instructions and their associated risk and impact.
  6. Discussions and Retesting: Our technical team is available for any required support or discussions for a cumulative time of 5 hours, if required. All our testing services come with free retesting of reported findings.
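An added example, not from the original page or from PentestO, for the information-gathering step above: turning service enumeration output into the worklist that the manual testing step works through. The XML below is a constructed sample in the shape produced by `nmap -sV -oX` (a real Nmap flag); the host 192.0.2.10, its ports and versions are made up, and the `MANUAL_CHECKS` hints, `parse_open_services` and `worklist` are this example's own names, not part of any PentestO standard.

```python
"""Turn Nmap -sV XML into a manual-testing worklist.
Constructed example: the scan output and the check hints are illustrative."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in Nmap's XML output format (not real scan output).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6" tunnel="ssl"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql" product="MySQL" version="5.7.33"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical triage hints: what a tester checks by hand per service type.
MANUAL_CHECKS = {
    "ssh":   "password auth enabled? default creds? banner version vs. advisories",
    "http":  "walk the app by hand: auth flows, access control, business logic",
    "mysql": "should not be exposed externally; test empty/default root password",
}


def parse_open_services(xml_text: str) -> List[Dict[str, object]]:
    """One record per open port: host, port, proto, service, version.
    Filtered and closed ports are skipped; they are noted in the report, not worked."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            # Nmap marks TLS-wrapped HTTP as name="http" with tunnel="ssl"
            if svc is not None and name == "http" and svc.get("tunnel") == "ssl":
                name = "https"
            version = ""
            if svc is not None:
                version = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": name,
                "version": version,
            })
    return records


def worklist(records: List[Dict[str, object]]) -> List[str]:
    """One line per open service with the manual check to perform."""
    lines = []
    for r in records:
        key = "http" if r["service"] in ("http", "https") else r["service"]
        hint = MANUAL_CHECKS.get(key, "identify the service by hand before testing")
        desc = " ".join(p for p in (str(r["service"]), str(r["version"])) if p)
        lines.append(f'{r["host"]}:{r["port"]}/{r["proto"]} {desc} -> {hint}')
    return lines


if __name__ == "__main__":
    for line in worklist(parse_open_services(SAMPLE_NMAP_XML)):
        print(line)
```

The parser deliberately keeps the product and version strings: the scanner's version match is what a tester compares against public advisories, while the per-service hints are where the manual effort goes (the page's 80% of testing time).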
PentestO's strength lies in performing manual penetration testing. Our security experts have spent years exploiting vulnerabilities, leading to a skill set that is precise, powerful and thorough. We follow a standard where automated scanners are used for up to 20% of the testing time and the remaining 80% is spent testing manually.
We follow Open Web Application Security Project (OWASP) testing guidance for pentesting. OWASP is an international non-profit organisation dedicated to application security.
The tools used for a test depend heavily on the type of penetration test being conducted. Some of the tools we use are Burp Suite, Metasploit, Nessus, Nmap and Retina. Our toolkit is constantly reviewed and updated so that it keeps pace with newly published vulnerabilities and current information security standards.
PentestO endeavors to complete a penetration test within one to two weeks after signing an engagement. If your circumstances require an expedited test, please don’t hesitate to contact us.
We use open-source exploitation frameworks (such as Metasploit, listed above) together with exploits built from experience to actually penetrate the target system. Some techniques used for exploiting vulnerabilities are:
Technique              Description
Exploitation           Use discovered vulnerabilities to gain unauthorised access to the target
Privilege escalation   Gain further access within a target once an initial level of access has been obtained
Advancement            Try to advance from the compromised target to other vulnerable systems
 
We issue a formal report for all of our services which provides the findings from our test as well as any recommendations regarding remediation. All reports are issued in an electronic format like PDF. Report usually takes 1 week after the penetration test is complete though we can expedite issuance of reports upon advance request.
Essential elements covered in the report shall be:
  1. A detailed technical report on the identified vulnerabilities
  2. Outcome of the identified vulnerabilities in business terms
  3. Remediation recommendations and a security improvement action plan
Final severity of a risk is determined by the impact an identified vulnerability can have on the business and the likelihood of that vulnerability being exploited by a hacker. In mathematical terms:
  • Risk = Likelihood * Impact
 
Assessment of Likelihood
Likelihood depends on two types of factors: threat agent factors and vulnerability factors. Each factor has a set of options, and each option is rated on a scale of 0 to 9.
Threat Agent Factors
  1. Skill level: how technically skilled is a typical threat agent?
     Parameter                                     Rating
     No technical skills                           1
     Some technical skills                         3
     Advanced computer user                        5
     Network and programming skills                6
     Security penetration skills                   9
  2. Motive: how motivated is a threat agent to find and exploit this vulnerability?
     Parameter                                     Rating
     Low or no reward                              1
     Possible reward                               4
     High reward                                   9
  3. Opportunity: what resources and opportunities are required for a threat agent to find and exploit the vulnerability?
     Parameter                                     Rating
     Full access or expensive resources required   0
     Special access or resources required          4
     Some access or resources required             7
     No access or resources required               9
  4. Size: how large is this group of threat agents?
     Parameter                                     Rating
     Developers                                    2
     System administrators                         2
     Intranet users                                4
     Partners                                      5
     Authenticated users                           6
     Anonymous Internet users                      9
Vulnerability Factors
The goal here is to estimate the likelihood of the particular vulnerability being discovered and exploited by a threat agent as assumed above.
  1. Ease of discovery: how easy is it for the threat agent to discover this vulnerability?
     Parameter                                     Rating
     Practically impossible                        1
     Difficult                                     3
     Easy                                          7
     Automated tools available                     9
  2. Ease of exploit: how easy is it for this group of threat agents to actually exploit this vulnerability?
     Parameter                                     Rating
     Theoretical                                   1
     Difficult                                     3
     Easy                                          5
     Automated tools available                     9
  3. Awareness: how well known is this vulnerability to this group of threat agents?
     Parameter                                     Rating
     Unknown                                       1
     Hidden                                        4
     Obvious                                       6
     Public knowledge                              9
  4. Intrusion detection: how likely is an exploit to be detected?
     Parameter                                     Rating
     Active detection in application               1
     Logged and reviewed                           3
     Logged without review                         8
     Not logged                                    9
Assessment of Impact
There are two types of impact: the technical impact on the application, the data it uses and the functions it provides, and the business impact on the business and the company operating the application.
Technical Impact Factors
Technical impact is broken down into confidentiality, integrity, availability and accountability, with the goal of estimating the magnitude of the impact if the vulnerability is exploited.
  1. Loss of confidentiality: how much data could be disclosed and how sensitive is it?
     Parameter                                     Rating
     Minimal non-sensitive data disclosed          2
     Minimal critical data disclosed               6
     Extensive non-sensitive data disclosed        6
     Extensive critical data disclosed             7
     All data disclosed                            9
  2. Loss of integrity: how much data could be corrupted and how damaged is it?
     Parameter                                     Rating
     Minimal slightly corrupt data                 1
     Minimal seriously corrupt data                3
     Extensive slightly corrupt data               5
     Extensive seriously corrupt data              7
     All data totally corrupt                      9
  3. Loss of availability: how much service could be lost and how vital is it?
     Parameter                                     Rating
     Minimal secondary services interrupted        1
     Minimal primary services interrupted          5
     Extensive secondary services interrupted      5
     Extensive primary services interrupted        7
     All services completely lost                  9
  4. Loss of accountability: are the threat agents' actions traceable to an individual?
     Parameter                                     Rating
     Fully traceable                               1
     Possibly traceable                            7
     Completely anonymous                          9
Business Impact Factors
The business risk is what justifies investment in fixing security problems. Assessing business impact is therefore critical, and it requires a deep understanding of what is important to the company running the application.
  1. Financial damage: how much financial damage will result from an exploit?
     Parameter                                     Rating
     Less than the cost to fix the vulnerability   1
     Minor effect on annual profit                 3
     Significant effect on annual profit           7
     Bankruptcy                                    9
  2. Reputation damage: would an exploit result in reputation damage that would harm the business?
     Parameter                                     Rating
     Minimal damage                                1
     Loss of major accounts                        4
     Loss of goodwill                              5
     Brand damage                                  9
  3. Non-compliance: how much exposure does non-compliance introduce?
     Parameter                                     Rating
     Minor violation                               2
     Clear violation                               5
     High profile violation                        7
  4. Privacy violation: how much personally identifiable information could be disclosed?
     Parameter                                     Rating
     One individual                                3
     Hundreds of people                            5
     Thousands of people                           7
     Millions of people                            9
Determining the severity of the risk
The likelihood score and the impact score are each categorised as Low, Medium or High against fixed thresholds. The final severity rating for an identified vulnerability is then produced by combining the Likelihood level and the Impact level in a likelihood/impact matrix.
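An added example, not from the original page, that carries the rating above through to a severity. The factor tables on this page are those of the OWASP Risk Rating Methodology, so the calculation below uses OWASP's published rules for the steps the page only describes: likelihood is the average of the eight threat agent and vulnerability factors, impact is the average of the four technical (or four business) impact factors, an average below 3 is LOW, 3 to below 6 is MEDIUM and 6 or above is HIGH, and the overall severity comes from OWASP's Likelihood x Impact matrix (Note, Low, Medium, High, Critical). The finding scored at the bottom is a constructed sample, and `rate`, `level`, `average` and `SEVERITY` are this example's own names.

```python
"""OWASP Risk Rating Methodology: from factor scores to overall severity.
Thresholds and matrix are OWASP's published ones; the sample finding is constructed."""
from typing import Dict, Iterable

THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("confidentiality", "integrity", "availability", "accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# OWASP overall severity matrix, indexed [impact level][likelihood level]
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def level(score: float) -> str:
    """Map a 0-9 average onto OWASP's three bands: <3 LOW, 3-<6 MEDIUM, >=6 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside 0-9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors: Dict[str, float], names: Iterable[str]) -> float:
    """Average the named factors; each must be present and rated 0-9."""
    values = []
    for n in names:
        v = factors[n]          # KeyError on a missing factor is the right failure
        if not 0 <= v <= 9:
            raise ValueError(f"{n}={v} outside 0-9")
        values.append(v)
    return sum(values) / len(values)


def rate(finding: Dict[str, float], use_business_impact: bool = False) -> Dict[str, object]:
    """Likelihood, impact and overall severity for one finding.
    OWASP's guidance: use business impact when that information is available,
    otherwise fall back to technical impact."""
    likelihood = average(finding, THREAT_AGENT + VULNERABILITY)
    impact = average(finding, BUSINESS_IMPACT if use_business_impact else TECHNICAL_IMPACT)
    l_level, i_level = level(likelihood), level(impact)
    return {
        "likelihood": round(likelihood, 3),
        "likelihood_level": l_level,
        "impact": round(impact, 3),
        "impact_level": i_level,
        "severity": SEVERITY[i_level][l_level],
    }


# Constructed sample: SQL injection in an internet-facing login form, scored
# against the option tables above (e.g. size 9 = anonymous Internet users,
# ease_of_exploit 9 = automated tools available).
SAMPLE_FINDING = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 8,
    "confidentiality": 7, "integrity": 7, "availability": 5, "accountability": 9,
    "financial_damage": 7, "reputation_damage": 9, "non_compliance": 7, "privacy_violation": 7,
}

if __name__ == "__main__":
    print("technical impact:", rate(SAMPLE_FINDING))
    print("business impact: ", rate(SAMPLE_FINDING, use_business_impact=True))
```

For the sample finding the likelihood averages 8.25 (HIGH) and the technical impact 7.0 (HIGH), which the matrix rates Critical; the same finding with a LOW impact would only rate Medium, which is the point of scoring impact separately rather than treating every exploitable bug as critical.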
Yes. PentestO is committed to extremely high quality standards, and that means any company PentestO has worked for should be able to defend itself against even the best of hackers. Building that reputation means we need to ensure that our Clients do remediate the critical vulnerabilities identified in our test. For you, it means a completely free retest and the assurance that PentestO is truly committed to being your security partner.
An external penetration test is the most common type of test, as it targets IT systems from outside the Client's premises: the demilitarised zone (DMZ) of your network, Virtual Private Network endpoints and your websites. Thus the majority of our tests are conducted remotely. However, if a Client requires an onsite test, we are able to provide it; in that case the Client shall bear the travel costs and secure the required visas for our technical experts.
All our employees are subjected to extensive criminal and civil background checks, and PentestO executes a binding confidentiality agreement with each of them. We understand that our reputation is critical to our success.
PentestO's head office is based in Gurgaon, India, while a major part of its sales force is spread across the US and Canada.
Your pentest will be performed by direct employees of PentestO. At present our technical employees are based in Gurgaon, India, while our sales employees are spread across Client countries. We do not use third-party contractors for any part of our testing without giving you prior notice, unless you specifically request it.
All of our security consultants are qualified ethical hackers who hold professional penetration testing qualifications such as the OSCP, or are members of bodies such as the Open Web Application Security Project (OWASP). Our security experts spend significant time keeping abreast of the latest developments and attending IT security events.
PentestO works for all its Clients on a best-efforts basis and provides no guarantee whatsoever that any application or network tested by its staff is 100% secure. This means that PentestO does not accept liability of any kind for the work performed. Please understand that the lack of a guarantee in no way implies that PentestO does substandard work; it mirrors the extremely complex and challenging nature of cyber-security. New vulnerabilities are discovered every minute, and there is no way a system can be made immune to all types of attack.
One of the characteristics that sets us apart from other firms is the way we structure our penetration testing teams. Most penetration testing firms are staffed purely with technical security engineers who engage with the Client while also providing testing services. At PentestO we pride ourselves on having Engagement Managers who have at least 5 years of industry experience and also a technical background. They have many years of banking experience, with credentials such as IT engineering degrees and an MBA/CFA. As a result they really understand your business and the critical risks it faces without losing sight of the technical imperatives of pentesting. At the same time, every test has a security expert who leads the technical side of the engagement. In the end, what you get is a mature perspective that your top management can appreciate. Our penetration testers have at least 5 years of penetration testing experience and a demonstrated ability to find vulnerabilities. They have their names in several Halls of Fame, such as Google's, and a demonstrated record of winning bounties from companies like Amazon, Microsoft, Facebook, MasterCard, Adobe, BlackBerry and LinkedIn. What you get is the best, at a cost that no one in the security industry currently matches.

     

PentestO's Fee Model

Testing Type         Starting Price (USD)   Description
Web Application      $999    Price for an exploitative, manual web application penetration test of a single web application consisting of fewer than 25 static or dynamic pages and 1 level of authentication. The web app security test includes file upload testing and all areas of the OWASP testing methodology.
Mobile Application   $1499   Price for an exploitative, manual mobile app penetration test of a single iOS or Android application. Mobile applications are assessed using the OWASP mobile testing framework.
External Network     $999    Price for an exploitative, manual external penetration test of up to 10 external IP addresses.
Internal Network     $1499   Price for an exploitative, manual internal penetration test of up to 25 internal addresses. Pentesting is performed inside the corporate network through a VPN.
Wireless             $1499   A wireless network security penetration test performed manually in an exploitative way. The price is for a single Access Point; more Access Points can be added for an additional charge.
PentestO's goal is to make quality pentesting services accessible to all. Our business model hinges on recurring business from satisfied Clients, which lets us avoid huge marketing costs. Our charges are designed to sustain our operations and enable us to grow quickly. Most of our new Clients come by way of referrals. We may not have a long legacy, but a legacy is what we want to create.
PentestO provides a free security assessment in order to generate a specific quote, but no trial of services is available.
For the doubting Thomases, we offer a unique proposition. For just $300 USD we will conduct a quick penetration test and provide you with a single vulnerability of either Critical or High severity. If we are unable to do so, you will not be charged a single penny. This service exists only to convey our capabilities and is not an exhaustive test. No written report is provided, but the details of the technical vulnerability are disclosed in an appropriate way. This sample test is simply to help you decide that you have chosen the right security partner.