Introducing advanced penetration testing
Penetration testing is necessary to determine the true attack footprint of your environment. It is often confused with vulnerability assessment, so it is important that the differences are fully explained to your clients.
Vulnerability assessments
Vulnerability assessments are necessary to discover potential vulnerabilities throughout the environment. There are many tools available that automate this process so that even an inexperienced security professional or administrator can effectively determine the security posture of their environment. Depending on the scope, additional manual testing may also be required. Full exploitation of systems and services is not generally in the scope of a normal vulnerability assessment engagement.
Systems are typically enumerated and evaluated for vulnerabilities, and testing can often be done with or without authentication. Most vulnerability management and scanning solutions provide actionable reports as a reference for the tester, detailing mitigation strategies such as the application of missing patches or the correction of insecure system configurations. Having said that, the tester will perform their own analysis and base the recommendations on that, rather than on the scanner output alone.
Penetration testing
Penetration testing expands upon vulnerability assessment efforts by introducing exploitation into the mix.
Tip
The risk of unintentionally causing a denial of service or other outage is moderately higher when conducting a penetration test than when conducting a vulnerability assessment. To an extent, this can be mitigated by proper planning and a solid understanding of the technologies involved during the testing process. Thus, it is important that the penetration tester continually updates and refines the necessary skills.
Penetration testing allows the business to understand whether the mitigation strategies employed are actually working as expected; it essentially takes the guesswork out of the equation. The penetration tester will be expected to emulate the actions that an attacker would attempt, and will be challenged with proving that they were able to compromise the targeted critical systems. The most successful penetration tests result in the penetration tester being able to prove without a doubt that the vulnerabilities found will lead to a significant loss of revenue or business impact unless properly addressed. Think of the loss of reputation the client would suffer if you could prove to them that practically anyone in the world has easy access to their most confidential information!
Penetration testing requires a deeper and wider body of knowledge than vulnerability analysis does. This generally means that the price of a penetration test will be much higher than that of a vulnerability analysis. If you are unable to penetrate the network, you will be assuring your client that their systems are secure to the best of your knowledge. This should be demonstrated not only by your inability to breach their networks, but also by showcasing what you attempted and demonstrating that it did not work because of their mitigations. If you want to be able to sleep soundly at night, I recommend that you go above and beyond in verifying the security of your clients.
Advanced penetration testing
Some environments will be more secure than others. You may be faced with environments that use:
- Effective patch management procedures
- Managed system configuration hardening policies
- Multi-layered DMZs
- Centralized security log management
- Host-based security controls
- Network intrusion detection or prevention systems
- Wireless intrusion detection or prevention systems
- Web application intrusion detection or prevention systems
- End user, executive security, and insider threat training
Effective use of these controls increases the difficulty of a penetration test significantly. Clients need to have complete confidence that these security mechanisms and procedures are able to protect the integrity, confidentiality, and availability of their systems. They also need to understand that, at times, an attacker is able to compromise a system because of configuration errors, poorly designed IT architecture, or the ability to social-engineer a target, regardless of which controls are in place.
Tip
There is no such thing as a panacea in security. As penetration testers, it is our duty to look at all the angles of the problem and make the client aware of anything that allows an attacker to adversely affect their business.
Advanced penetration testing goes above and beyond standard penetration testing by taking advantage of the latest security research and exploitation methods available. The goal should be to prove that sensitive data and systems are protected even from a targeted attack. If that is not the case, the client must be given proper instruction on what needs to be changed to make it so, and must be made aware of the importance of maintaining a solid incident response program, since there is always the possibility of a breach.
Tip
A penetration test is a snapshot of the current security posture. Penetration testing should be performed on a continual basis.
Many exploitation methods require well-trained penetration testers who have a hunger for learning, as well as hands-on experience, to be executed effectively and efficiently. At DefCon 19, Bruce "Grymoire" Barnett gave an excellent presentation on Deceptive Hacking, in which he discussed how hackers use many of the very same techniques that magicians use. This is exactly the tenacity that penetration testers must adopt as well. Only through dedication, effort, practice, and the willingness to explore unknown areas will penetration testers be able to mimic the targeted attacks that a malicious hacker would attempt in the wild.
Oftentimes, you will be required to work on these penetration tests as part of a team, and will need to know how to use the tools that are available to make this process more manageable and efficient. This is yet another challenge presented to today's pentesters. Working in a silo is simply not an option when your scope restricts you to a very limited testing period.
In some situations, companies may use nonstandard methods to secure their data, which makes your job even more difficult. Yet the complexity of their security systems working in tandem with one another may actually be the weakest link in their security strategy.
Tip
The likelihood of finding exploitable vulnerabilities is directly proportional to the complexity of the environment being tested.