What area of your business would benefit the most from a penetration test?
Penetration testing is a form of ethical hacking that simulates attacks on a network and its systems. It goes beyond running an automated vulnerability scanner; the tests are performed by experts that dive deeper into your environment.
In a previous blog post, Types of Penetration Testing: The What, The Why, and The How, we discussed the different ways a penetration test can be performed: black-box, white-box, and gray-box. We also told you why it’s a good idea for a business to have penetration tests performed regularly.
What areas should you focus on? There are several tests or activities that penetration tests include. Here are a few you may want to consider.
Network penetration test
The objective of a network penetration test is to identify security issues with the design, implementation, and maintenance of servers, workstations, and network services.
Commonly identified security issues include:
- Misconfigured software, firewalls, and operating systems
- Outdated software and operating systems
- Insecure protocols
The remediation of commonly-identified security issues include:
- Reconfigure software, firewalls, and operating systems
- Install updates
- Enable encryption or choose a more secure protocol
SEE ALSO: Configuring and Maintaining Your Firewall with SecurityMetrics Managed Firewall
Segmentation check
The objective of a segmentation check is to identify whether there is access into a secure network because of a misconfigured firewall.
Commonly-identified security issues include:
- TCP access is allowed where it should not be
- ICMP (ping) access is allowed where it should not be
The remediation of commonly-identified security issues are the same:
- Reconfigure the segmentation control (firewall rules) to properly restrict access
Application penetration test
The objective of an application penetration test is to identify security issues resulting from insecure development practices in the design, coding, and publishing of the software.
Commonly-identified security issues include:
- Injection vulnerabilities (SQL injection, Cross-site scripting, remote code execution, etc.)
- Broken authentication (The log-in panel can be bypassed.)
- Broken authorization (Low-level accounts can access high-level functionality.)
- Improper error handling
The remediation of commonly-identified security issues include:
- Re-design the authentication and authorization model
- Recode the software
- Disable remote viewing of errors meant for developers
Wireless penetration test
The objective of a wireless penetration test is to identify misconfigurations of authorized wireless infrastructure and the presence of unauthorized access points.
Commonly-identified security issues include:
- Insecure wireless encryption standards
- Weak encryption passphrase
- Unsupported wireless technology
- Rogue/open access points
The remediation of commonly-identified security issues include:
- Update wireless protocol to an industry accepted protocol (WPA2)
- Replace the insecure passphrase with a longer, more complicated one
- Identify the open access point and disable it
Social engineering
The objective of a social engineering assessment is to identify employees that do not properly authenticate individuals, follow processes, or validate potentially dangerous technologies. Any of these methods could allow an attacker to take advantage of the employee and trick them into doing something they shouldn’t.
Commonly-identified issues include:
- Employee(s) clicked on malicious emails
- Employee(s) allowed unauthorized individuals onto the premises
- Employee(s) connected a randomly discarded USB to their workstation
The remediation is always the same: training.
Because the intent of this assessment is to take advantage of the trusting nature of employees, this type of assessment should only be done after employees have completed a training course on defending against social engineering attacks.
SEE ALSO: Social Engineering Training: What Your Employees Should Know
Which type of penetration test is right for you?
For starters, choose the type of penetration test that focuses on the controls you are most concerned about:
- Web application or API = application penetration test
- Infrastructure = network penetration test (and possibly a wireless penetration test)
- People = social engineering
If your objective is to obtain PCI compliance, at the very least, you’ll want to consider getting a network and an application penetration test.
Once you have an idea on the type of test you would like and how comprehensive you would like the results to be, you need to decide from which perspective you would like testing to be performed.
By making these decisions wisely, you can choose a penetration test that matches your business' needs and budget.
See also: SecurityMetrics PCI Guide
.svg)
