A penetration test, or pen test, is essentially an attempt to break into a network, software package or control system (SCADA) as a means of gauging its cyber security posture. It is an ethical hack, done to prevent criminal hacking behavior.
The Wrong Way, and Our Way
Unless an organization is very cognizant of cyber security, it is generally easy for a pen test team to breach a system - typically it takes us under an hour. Many pen testing providers take advantage of this, pen testing first and then reporting the obvious problems afterwards.
Our procedure is the opposite: we make sure your network or system is as secure as possible BEFORE we pen test. This is cost effective and leads to a dramatic improvement in your cyber security posture.
Pen Testing Targets
GDF has two decades of expertise executing many different types of pen tests against:
- Computer Networks
- Web Applications
- Mobile Applications
- Web Sites and Social Networks
- Email Systems
- SCADA Systems
- IoT Networks
Penetration Testing to Establish Compliance
Pen tests are often a required step in a compliance protocol. We have performed pen tests for companies in all sectors as a means of confirming compliance with national and state cyber security standards. We have tested to:
- NIST 800-171/DFARS
- General Vendor Security
Our Penetration Testing Procedure
Regardless of the type of pen test, the steps of our pen testing methodology are consistent with our approach of hardening first, testing after.
We start by establishing the scope of the penetration testing and the architecture of whatever system or software is being tested. We're looking for information such as:
- Regulations and compliance protocols that have to be met (HIPAA, NIST, PCI, etc.)
- Extent of the testing - seats involved/IP addresses/endpoints, etc.
- The needs of stakeholders involved in the testing
- Existing Cyber Security policies at the organization
- Architecture of the network/software/SCADA system, etc.
Pre-Test Vulnerability Assessment
With the scope of the testing established, we next evaluate and report on your current security posture. We generally do the following:
- Search for weaknesses and problems by performing network and system scans from both internal (within the local network) and external (from the internet) viewpoints.
- Examine and evaluate network devices (routers, firewalls, workstations, etc.) and software security assets for outmoded technology, out-of-date firmware and software, etc.
- If there is a social engineering aspect to the pen test, we examine ingress/egress protocols, organizational cyber security awareness, and other real world factors that might indicate possible attack vectors.
Our Pre-Test Assessment details the things that should be done to improve your security posture BEFORE any pen testing occurs. We make recommendations for upgrades and updates, changes in policy - whatever can be done to immediately increase cyber security.
We, along with your IT personnel, implement the security recommendations we've made. We update software, install additional security software if needed, and do what can be done to make the network or system as secure as possible. This is the crucial step, and we're one of the few providers that do it. Not hardening the system before testing is like checking the locks on the doors while leaving the windows open.
The Penetration Test
We perform a penetration test in keeping with the established testing scope. Our team uses whatever types of attacks or breach techniques are available to defeat your now upgraded security and compromise your systems. This phase of the testing can take hours or days, depending on the requirements.
Post Test Deliverables and Reportage
When testing is completed, we provide a detailed analysis of the methods and techniques used during the test, the results of the various attempts at compromise, and detailed documentation on remediation of any security flaws found. Reportage is written clearly and addresses specifics that might be required for compliance with standards.
Types of Penetration Tests
Depending on the scope of the testing, there are a number of different types of tests that might be performed. The differences between these tests lie chiefly in the amount of information the penetration testing team has prior to the test itself.
- External Testing
External Testing simulates an attack on a target company's servers and devices that are externally visible (visible from the internet). This type of test determines whether an outside attacker can get into the network and, if so, how deeply into the system they can breach. An external penetration test attempts to break into domain name servers (DNS), web servers and email servers, and to get through firewalls.
- Internal Testing
Internal Testing simulates an attack from within an organization, carried out by an authorized user with some level of access privilege, such as an angry employee or someone acting as a "corporate spy." This test is conducted from within the boundaries of the firewall, and is good for determining the security of intellectual property, customer lists and other business information that needs to stay on premises even when an employee leaves.
- Targeted Testing
Targeted Testing, or "Lights On" testing, is a penetration test in which the pen test team works with the organization's IT personnel and has a full view of the network and all devices on it. A targeted test isn't real-world in nature, but it does expose a deeper level of system flaws than blind or double-blind testing.
- Blind Testing
Blind Testing simulates a real-world attack by limiting the amount of information the pen test team is given prior to the test. Hence, the pen test team has to perform reconnaissance on the target and then figure out attack vectors and methodologies. Blind Testing is typically expensive because of the time and effort that must be spent on researching the organization to be tested.
- Double-Blind Testing
Double-Blind Testing involves a pen test team attempting to breach an organization while very few people at the organization are even aware that a penetration test is being conducted. A double-blind test measures the ability of an organization to identify and respond to a threat.
- Black Box Testing
Black Box Testing is a Blind Test as applied to a software application rather than a system.
- White Box Testing
White Box Testing is similar to a Targeted Test, but again as applied to a software application. The penetration testing team is given access to source code and other information regarding the application's structure and workings.
What is Tested
The full extent of what is tested is determined by the scope of the test, but generally includes elements from these areas:
- Network Security
  - Network Surveying
  - Port Scanning
  - System Identification
  - Services Identification
  - Vulnerability Research & Verification
  - Application Testing & Code Review
  - Router Testing
  - Firewall Testing
  - Intrusion Detection System Testing
  - Trusted Systems Testing
  - Password Cracking
  - Denial of Service Testing
  - Containment Measures Testing
- Information Security
  - Document Grinding
  - Competitive Intelligence Scouting
  - Privacy Review
- Social Engineering
  - Request Testing
  - Privacy Review
  - Infrared Systems Testing
- Communications Security
  - PBX Testing
  - Voicemail Testing
  - FAX Review
  - Modem Testing
- Physical Security
  - Access Controls Testing
  - Perimeter Review
  - Monitoring Review
  - Guided Suggestion Testing
  - Trust Testing
- Wireless Security
  - Wireless Networks Testing
  - Cordless Communications Testing
  - Alarm Response Testing
  - Location Review
  - Environment Review