That Time Of The Year Again? Already?
Penetration tests are the yearly doctor checkups of the cybersecurity world – uncomfortable, invasive, and yet a necessary part of maintaining your information security health. While there is no avoiding all the pains of a thorough pentest, hopefully VantagePoint can help make this process as painless as possible. Below you can find out what to expect and how to prepare to get the most benefit from a third-party pentest. Are you ready?
Network Penetration Testing
Unfortunately, it is impossible to keep all hosts safely locked away behind a firewall’s DENY ALL rule. Modern businesses may have dozens of hosts listening on the internet. A network pentest provides a sanity check against internal documentation, ensuring no forgotten or vulnerable services are left open to the internet.
The first step for you is to inventory active external IP addresses. Providing a DNS export can also help identify forgotten or dynamic hosts. This will be your list of targets, or the scope of your test. Testing will involve network scans which can generate large volumes of traffic. While problems are rare, consider if this might cause issues to business-critical services. VantagePoint can perform these scans during off-hours to reduce potential impact if necessary.
Once a testing schedule is agreed upon, you can sit back and await your report. If for any reason you notice issues caused by testing, the tester will be available to halt any active scans. After automated scanning, a tester will manually examine each discovered service as an attacker looking for a way into your internal network.
Once testing is complete, VantagePoint will provide a detailed report of accessible services and any security weaknesses that may be present.
Application Penetration Testing
This is where the rubber meets the road. With an application test, VantagePoint provides a focused examination of a single web application, both as an external and internal attacker. A combination of automated and manual testing will look for common vulnerabilities such as cross-site scripting, a mainstay of the OWASP top 10. Extensive manual testing can also discover more complex access control and application logic flaws.
The first consideration when preparing for an application test is the environment you want to test. Ideally, a test environment of the application can be provided which exactly mimics the production environment. This will minimize any potential impact during testing. Application stability will be monitored during any automated testing, and VantagePoint does not conduct denial-of-service attacks, it is impossible to guarantee there won’t be any service impact. If a testing environment is not possible, more careful testing can be performed against production environments. Testing can be performed during non-business hours if necessary.
Additionally, you will need to prepare accounts for VantagePoint to use during the test. Ideally, two users of each privilege level, such as two standard user and two administrator accounts. This allows VantagePoint to test privilege escalation issues, such as a regular user accessing administrator functionality. Data separation is also tested, such as client 1 being able to access data from client 2. Providing an environment populated with test data that mimics realistic use will also help provide a more accurate test.
If VantagePoint detects any high or critical rated vulnerabilities, we will alert you as soon as the issue is confirmed. After testing is complete, VantagePoint will provide a detailed report including findings and remediation recommendations. Additional documentation to aid in cleaning up the environment of any battle scars left from testing.
Cloud Configuration Testing
Cloud computing service providers, such as Amazon’s AWS or Microsoft Azure, provide new benefits and new challenges for developers. This also adds yet another realm of security to consider. While cloud service providers offer a plethora of tools to help secure your applications and data, implementation can be a complex skillset all of its own.
VantagePoint can give your cloud configurations a security-focused audit, helping to identify configuration pitfalls and make recommendations to better secure vital components of your cloud-hosted assets.
To run a thorough audit of your cloud configuration, VantagePoint will need an account with read-only permissions to view configuration details. For example, an Amazon AWS configuration review will need an AWS Access Key and Secret Key for an IAM user with “ReadOnlyAccess” and “SecurityAudit” permissions. This provides access to view configuration without the risk of making unwanted changes.
As with all tests, VantagePoint will provide a report detailing discovered vulnerabilities and recommendations to strengthen the environment’s access controls.
While not exhaustive, this has hopefully given you the basics of what to expect and what information you will need to provide for a thorough penetration test. If you think of any questions before, during, or after the test, VantagePoint is here to share our security expertise.