Security Testing


‘Prevention, testing and training are the steps to a robust security posture for your IT infrastructure’

Cybercrime is ever-increasing in the modern digital world with a cyber attack or a data breach occurring almost every other day. Do you want to protect your organisation from such an attack? Do you want to stay ahead of the bad guys and ensure you are safe?

Information Security Assessment

An information security assessment is the process of determining how effectively an entity being assessed (e.g., a host, system, network, procedure or person, known as the assessment object) meets specific security objectives. Security testing is one of the techniques used to carry out a security assessment: it is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviours. Most often, security testing refers to carrying out a penetration test.

What is a Penetration Test?

A penetration test (commonly called a pen test) is a security exercise carried out to identify and exploit weaknesses within a system. A weakness in a system that can be exploited by a threat actor, such as an attacker or hacker, is called a vulnerability. A pen test can involve breaching different application systems such as web servers, database servers, application programming interfaces (APIs) or mobile applications, as required by the customer.

It is inevitable that computer systems and network equipment will contain vulnerabilities. In a pen test, a cybersecurity expert is tasked with identifying these vulnerabilities and attempting to exploit them to gain access to the system under test. If a pen test is successful, it means that there are weaknesses in the system that an attacker could take advantage of. In a real-world scenario, if a threat actor identifies these vulnerabilities before the organisation itself does, it could lead to a data breach, theft of intellectual property and possibly damage to the reputation of the organisation.

Therefore, a pen test can be considered a cyberattack carried out under controlled conditions, giving the organisation an opportunity to preempt real attacks from occurring in the future. The results of a pen test can be used to enhance and improve the security posture of an organisation.

Types of Hackers

In order to understand who conducts a pen test, let us look at some of the most common types of hackers. The following is by no means an exhaustive list:

  1. Black Hat Hackers: A black hat hacker is an attacker who is often categorised as a criminal or malicious actor. They cause harm for personal gain, such as for financial motives or with the intent to damage the reputation of an organisation. A black hat hacker is behind most cybercrimes.
  2. White Hat Hackers: A white hat hacker is commonly referred to as an ethical hacker. These are hackers who use their skills to assist organisations and government agencies in defending against black hat hackers. Thus, they are the cybersecurity experts who carry out security tests such as vulnerability assessments and penetration tests.
  3. Grey Hat Hackers: A grey hat hacker is someone who falls between a black hat and a white hat hacker. These hackers are sometimes referred to as “hacktivists” who work for a particular cause. They might exploit a vulnerability, but instead of using it for personal gain, they might give the organisation an opportunity to fix it.

What are the options?

As you might expect, there are various flavours of security testing. Again, this is by no means an exhaustive list:

  1. Black box: An assessment technique in which the tester does not have any details about the target organisation. This simulates a real-world cyber-attack in which the attacker has only identified a target and has no information about the organisation's infrastructure. One of the main advantages of this assessment is that it simulates the actions of a cyber-criminal. Apart from the scope of the assessment, the tester has no information, and therefore this is the most difficult assessment technique. It usually follows a trial-and-error approach to identify a weakness and potentially exploit it further. The disadvantage is that it requires highly trained security experts to produce results within a reasonable time frame.
  2. White box: A technique in which the tester is provided with intimate details about the system or network. This may include network design details, IP addresses and subnets, infrastructure design, operating system (OS) details or the source code of applications. This type of assessment simulates an attack by an internal source, such as a malicious insider who has access to significant insider information. It is sometimes also referred to as glass box, clear box or internal testing. Some advantages of this assessment are that the test can be completed relatively quickly and that a thorough test can be carried out, as time and information are available. The disadvantage is that it might be difficult to focus on what and how to test, as so much information is already available. As this technique might also involve software analysis, additional tools might be necessary.
  3. Grey box: In this technique, some basic information about the target is provided to the testers. It can be considered the case of an attacker who has somehow gained insider access without penetrating the perimeter. The information provided may include some infrastructure details or the presence of an intrusion detection/prevention system (IDS/IPS). This enables the testers to refine their tests based on any erroneous results they might encounter. In this case, automated and manual testing is most often carried out on the information already available, enabling the testers to identify weaknesses and exploit them.
  4. Double blind: This is a covert pen testing technique which assesses not only the environment but also the monitoring and incident response capabilities of the organisation. It is called double blind because neither the testers nor the defenders know what, when or how they are to expect an encounter. Hence, it is critical to have the assessment scope and engagement details established beforehand, in order to avoid any problems with law enforcement. This type of test also determines the effectiveness of the defensive team's tools and can provide feedback for improving them.
  5. Red teaming: This is a security exercise in which a combination of techniques is used. It is a targeted exercise with a specific objective at hand. A pen test looks for vulnerabilities and tries to exploit them, whereas a red team exercise generally has a defined goal and employs multiple techniques to achieve it. These exercises are a realistic simulation of cybercriminals and also aim to avoid detection by the target. It is a long and expensive exercise that might involve social engineering, installing malware, creating a backdoor to maintain access to the target network and exfiltration of sensitive information.

What do you get out of it?

The security assessment results in a detailed report that explains the various methodologies and techniques used to infiltrate the target. This information can be used by your organisation's security team to remediate or mitigate the vulnerabilities discovered during the test. Remediation may include software or hardware patching, enhancing web application firewall (WAF) rules, implementing an IDS/IPS, or training your analysts and users.

Today, carrying out a penetration test (or two) has become the new normal for most organisations. This is also a compliance requirement as most industries are required to carry out pen tests to be compliant with standards like HIPAA or PCI DSS.

Get in touch with us today to discuss your requirements and scope your next pen test: contact us at info@rootfloe.com for a free consultation.
