What is a Penetration Test?
A penetration test is a security assessment that simulates a real-world attack against one or more of your targeted assets. Assets that Penetration Tests can assess include networks, web applications, API's, devices, infrastructure or anything else which may contain a vulnerability and weaken your defences.
A Penetration Test (sometimes referred to as a Pen Test or Ethical Hacking) is an unbiased security assessment of your applications and infrastructure. To be completely unbiased, the Penetration Test needs to be performed by someone outside the team who developed it.
Performing a Penetration Test
Your organisation may require a Penetration Test for a number of reasons. The primary reason is one where an organisation seeks to reduce the operational and strategic risks from cyber attacks and data breaches by identifying and exploiting gaps in their security. Penetration Tests are also performed to meet regulatory requirements and standards, such as PCI DSS being the main one in Australia.
Other reasons include:
- PenetrationTesting of your servers, networks and applications to identify security gaps and weaknesses
- Meeting your end clients requirements
- Validating a risk or vulnerability management program’s effectiveness
- Hardening and building on your overall security posture
- Benchmarking your individual assets against industry standards
- Independent verification of the security of applications and critical infrastructure
- Building a case for the importance of security by demonstrating the consequences of unaddressed vulnerabilities.
The Australian Federal Government has introduced mandatory data breach notification laws into parliament. These new data breach notification laws have passed the senate and will be enforced by February 2018. This ensures organisations have sufficient time to review and test their security posture of their critical applications and infrastructure are secure before the law takes into effect. This significant change will see organisations need to tighten their own security policies, controls and procedures.
Of course, beyond what has been touched on here, there are many additional reasons for performing a penetration test, but whatever the driver, the test should fundamentally provide the answer to the question of whether the security of a system can be breached.
Type of Penetration Tests
The type of Penetration Test you require will depend on the budget and scope of your project. There are three broad types of Penetration Test.
Black Box Testing
This is where Penetration Testers have no knowledge of how an application works or have been given any insights into its structure.
White Box Testing
The Penetration Tester has full knowledge of the application and network architecture and are able to move through the penetration test exercise at a faster pace.
Grey Box Testing
The Penetration Tester has partial knowledge into the application and network architecture.
The type of Penetration Test your you require will depend on the budget and scope of your project.
When considering the type of Penetration Test, think about why you are doing a Penetration Test and clarify your objectives when scoping the project with us and we will provide you with recommendations how to best achieve your objectives.
Phases of a Penetration Test
There are three distinct phases of a Penetration Test.
- Reconnaissance Phase
- Attack Phase
- Reporting Phase
Lets look at each of these in more detail.
Penetration Testers take the time to gather information prior to attack. The information gathered at this stage allows for detailed insights into the systems which in many instances assists in planning the approach to the Penetration Test and will determine the potential attack vectors. Unsurprisingly, this is what an attacker would do so it makes sense to start the Penetration Test the same way. The reconnaissance phase in a Penetration test uses different sources of information publicly available to build detailed insights into the target and not through exploiting vulnerabilities. The information gathered in this phase is then used to commence the next stage of the Penetration Test.
Penetration Testers, like real world attackers, take the time to identify possible entry points that were identified during the reconnaissance phase. They do this to gather as much information as possible and at this stage will actually query the systems being targeted by the Penetration Test. The information collected by the Penetration Tester is systematically harvested whilst individual systems are also identified. The Penetration Testers will also examine systems in their entirety which allows them to evaluate security weaknesses that are not necessarily technical in nature. The information collected at this phase of the Penetration Test can be used to be proved or disproved during the attack phase.
The attack phase of a Penetration Test is the process of taking identified vulnerabilities and attempting to exploit them, If an attack is succesful, the vulnerability is verified and safeguards are identified to assist in remediation. In some instances, exploits Penetration Testers uncover can allow them to escalate their privileges on the system or network to gain access to additional assets. When this occurs, additional analysis and testing is required to understand the real risk to the system regarding the type of information the Penetration Testers can see, change or remove from the system. Automated vulnerability scanners commonly used in Penetration Tests are great in uncovering the existence of a vulnerability, the attack phase takes this knowledge and exploits the vulnerability to confirm its existence and take it as far as they can.
The reporting phase of a Penetration Test is completed simultaneously throughout the first two phases. A log of all the key steps completed by the Penetration Testers leading to the successful attack needs to be documented to allow others to replicate the attack. These findings form the basis of the final report you receive once the fieldwork on your Penetration Test is complete.
A Penetration Test report starts with an Executive Summary which provides clients with an overview of the key findings of the Pentest. The best Penetration Testing summaries are written with non technical clients in mind, thereby allowing all team members, regardless of their technical knowledge, to be able to ascertain the level of risk posed by the systems being tested.
The second part is a comprehensive technical report with a detailed description of the vulnerabilities that were discovered during the Penetration Test. This makes the pentest transparent and relevant for technical team members. For every security flaw, extensive documentation is provided that precisely describes the technical background of the security vulnerability and how it may be exploited. Additionally, a risk analysis based on the findings from the Penetration Test shows the potential risks of the flaw in the overall context of the tested systems. Finally, remediation suggestions are provided for the vulnerabilities detected through the Pentest based on industry best-practices.
In summary, on conclusion of the Penetration Test, the report generated describes the vulnerabilities uncovered, a risk rating on these findings and guidance on how to mitigate these risks.
Why choose Dragonfly for your Penetration Testing needs?
Dragonfly Technologies is the trusted security partner for hundreds of clients. Since 2005, our expert IT team has been conducting Penetration Tests for some of the largest security-conscious government, local and global ASX 100 listed businesses across multiple sectors. We have helped identify thousands of vulnerabilities across all our clients, provided remediation advice and helped clients develop and implement sound secure practices across their organisation.
Our team of security experts have relevant industry experience and all the necessary security clearances to the Highly Protected level under the Australian Government Attorney-General's Department security classifications – which gives your team peace of mind regarding the utmost trust and confidence when dealing with your sensitive security information.
Our understanding and application of these Security and Penetration Testing fundamentals is why we are the trusted security partners of some of Australia's most security conscious companies.
Built on capabilities, expertise and our partnership with IBM, government and industry representative bodies, Dragonfly Technologies continually strives to deliver new innovative defences to assist our partners and customers fight cyber-crime.
We are committed to exceeding your expectations on every engagement.
Proven Penetration Testing Methodology
Over the years, with a proven track record in Penetration Testing, our methodology has helped our customers reduce risk and remediate security vulnerabilities. Our Penetration Testing methodology drives the desired outcomes while in the process our customers save time and money.
Our Penetration Testing methodology adopts industry best practices that include the NIST Special Publication 800-53 Security Controls and Assessment Procedures for Federal Information Systems and Organizations and the OWASP Testing Guide, OSSTMM (Open Source Security Testing Methodology Manual) and the PTES (Penetration Testing Execution Standard).
Our Penetration Testing methodology is built on the importance around clearly defined scope and clear communication throughout the assessment life cycle.
Quality Penetration Testing Reports
Dragonfly Technologies’ IT experts listen to your IT security network issues and work on the best solution. Our Penetration Testing reports outline in detail the vulnerabilities detected along with actionable recommendations to assist, remediate and secure your business environment based on the latest industry best practices.
The detailed Penetration Testing reports we produce are on-message and in a format that is easily understood by various levels of your teams within the company, from tech staff to the boardroom. Our staff are agile and efficient. We pride ourselves on being transparent and proactive. We ensure we stay ahead of the market – and our customers appreciate it.
Our Penetration Test Reports are designed to provide you with the best outcome and help you secure your organisations most valuable assets.
A lead consultant is accessible throughout the Penetration Testing engagement. Before, during and after delivery, our team of experts are readily available to answer any questions you may have so that your business receives utmost value out of your Penetration test and assessment.
We understand the constant battle against our competitors, and we may not always be the least expensive, but we are definitely one of the best security companies in Australia offering value for budget.
Each assessment will have an account manager to work with you to ensure your Penetration Testing needs are met.
Dragonfly Technologies – the power and agility for superior Penetration Testing