Chapter 01: Penetration Testing Flashcards
Penetration Testing
Seeks to bridge the gap between the rote use of technical tools to test an organization’s security and the power of those tools when placed in the hands of a skilled and determined attacker
Pentests are authorized, legal attempts to defeat an org’s security controls and perform unauthorized activities
This is the most effective way for an org to gain a complete picture of its security vulnerabilities
Hacker Mindset
Instead of trying to defend against all possible threats, pentesters only need to find a single vulnerability that they can exploit
To find these flaws, they must think like an attacker—hacker mindset
Ethical Hacking
The art of using hacking tools and techniques within a code of ethics that regulates activity. Key components include:
- Performing background checks on all members of pentesting team
- Adhering to the defined scope of a pentesting engagement
- Immediately reporting any active security breaches or criminal activity detected during a pentest
- Limiting the use of pentesting tools to approved engagements
- Limiting the invasiveness of a pentest based on the scope of the engagement
- Protecting the confidentiality of data and information related to or uncovered during the pentest
Benefits of Pentesting
- Provides us with knowledge we can’t obtain elsewhere—we learn whether an attacker with the same knowledge, skills, and info as our testers would be able to penetrate our defenses
- If attackers are successful, pentesting gives us important blueprints for remediation—we can trace the actions of the testers as they progressed through the different stages of the attack and close the doors they passed through
- Provides essential, focused information about specific attack targets—focused tests drill into the defenses around a specific target and provide actionable insight that can prevent a vulnerability from initial exposure
Threat Hunting
Related to pentesting but has a separate purpose
Pentesting seeks to evaluate the org’s security controls by testing them in the same manner an attacker might
Threat hunters use the attacker mindset to search the org’s tech infrastructure for the artifacts of a successful attack
Presumption of Compromise
Threat hunting mindset
Assumes attackers have already successfully breached an org and searches out the evidence of successful attacks
When threat hunters discover a potential compromise, they kick into incident-handling mode in order to contain, eradicate, and recover from the compromise
Threat hunters also conduct postmortem analysis of the factors that contributed to the compromise in order to remediate deficiencies
Regulatory Requirements for Pentesting
The most common regulatory requirement for pentesting comes from PCI-DSS
Contractual obligations that govern all orgs involved in the storage, processing, or transmission of credit card transactions
Section 11.3, which covers pentesting of cardholder data environments (CDEs), states that the pentesting methodology needs to include the following:
- Based on industry-accepted pentesting approaches (NIST SP800-115)
- Includes coverage for the entire CDE perimeter and critical systems
- Includes testing from both inside and outside the network
- Includes testing to validate any segmentation and scope-reduction controls
- Defines application-layer pentests to include, at minimum, the vulnerabilities listed in Requirement 6.5
- Defines network-layer pentests to include components that support network function as well as OS
- Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
- Specifies retention of pentesting results and remediation activities results
NOTE: This is a helpful blueprint for anyone, not just PCI-DSS
Requirements 6.5 Vulnerabilities
This includes common vulnerabilities like:
* SQL injection
* Buffer overflow
* Insecure cryptographic storage
* Insecure communications
* Improper error handling
* XSS
* Improper access controls
* CSRF
* Broken authentication
* Other “high risk” vulnerabilities
Frequency and Scope of Pentests for PCI-DSS
11.3.x provides four additional requirements:
- 11.3.1—Perform external pentesting at least annually and after any significant infrastructure or application upgrade or modification (like an OS upgrade, a sub-network added, or a web server added)
- 11.3.2—Perform internal pentesting at least annually and after any significant infrastructure or application upgrade or modification (like an OS upgrade, a sub-network added, or a web server added)
- 11.3.3—Exploitable vulnerabilities found during pentesting are corrected and the testing is repeated to verify corrections
- 11.3.4—If segmentation is used to isolate the CDE from other networks, perform pentests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE
Internal Pentesting Teams
Made up of cybersecurity pros from within an organization who conduct pentests on the org’s systems and applications
They might be dedicated to pentesting full time or convened periodically to conduct tests
Pros of using an internal team:
* Contextual knowledge about the org that can improve the effectiveness of testing by providing enhanced subject matter expertise
* Generally less expensive than hiring a pentesting firm
Cons of using an internal team:
* You’re using internal employees
* Internal employees may have helped to design and implement the security controls that they’re testing, which can introduce bias toward demonstrating they’re secure
* The bias may make it more difficult to spot potential flaws that could provide a foothold for an attacker
NOTE: Internal teams should be organizationally separate from the cybersecurity team that designs and operates controls, if possible
NOTE: Internal can refer to internal teams at an org or the internal perspective of a pentest (internal network)
External Pentesting Teams
Hired for the express purpose of performing a pentest, and can come from a general cybersecurity consulting firm or one that specializes in pentesting
Pros of using an external team:
* Tend to be highly skilled
* Generally bring a higher degree of independence than internal teams
NOTE: Always be aware of potential conflicts of interest pentesters may have—it might not be a good idea to hire the consultants who helped you design and implement your security controls, as negative reports they provide could reflect poorly on the overall quality of their implementation work (bias)
Repeating Pentests
Three reasons why you want to repeat tests:
1. Technology environments change—systems are reconfigured, patches applied, and regular tweaks are made. Periodic tests have a good chance of detecting security issues introduced by those changes
2. Attack techniques evolve—updated pentests should reflect these attack evolutions. Systems developed today may receive a clean bill of health, but in two years they’re potentially vulnerable
3. Each team member brings a unique set of skills, talents, and experiences—Rotate team members so you’re getting the perspective of individuals who have never tested your systems, environments, or applications
CompTIA Pentesting Process
- Planning and Scoping
- Information Gathering and Vulnerability Scanning
- Attacking and Exploiting
- Reporting and Communicating Results
NOTE: There’s a fifth domain titled “Tools and Code Analysis” that includes coverage of the many tools used during all stages of the pentesting process
Planning and Scoping
Pentesters and their clients need to:
- Have a clear understanding of what will occur during the test
- Outline clear rules of engagement
- Decide what systems, data, processes, and activities are within the scope of the test
NOTE: There’s a very fine line between hacking and testing. A written statement of work (SOW) that includes clear authorization for pentesting is crucial to staying on the right side of the law and meeting client expectations
Information Gathering and Vulnerability Scanning
After clearly defining the scope and securing authorization to proceed, pentesters move to the reconnaissance phase, where they gather as much intel about the target environment as possible and perform testing to identify vulnerabilities in the environment
Vulnerabilities identified here provide the road map for the remainder of the test, highlighting all the weak links in an org’s security chain (potential points of entry for an attacker)