Report on Penetration Testing

(CMT105 – Security Techniques)

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!


order now

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Report by

C1753445

 

 

CONTENTS                                                                                                           PAGE

Contents…………………………………………………………………………………………………………..2

 

1.      Introduction ……………………………………………………………………………………….3

2.      Rationale Behind the Test …………………………………………………………………..3

3.      Benefits of Penetration Test ……………………………………………………………….4

4.      Difference Between Black box and White box …………………………………….5

5.      Possible risks of Conducting a  test ……………………………………………..………6

6.      Technical vulnerabilities that may be discovered during a test ……………6

7.      Different methodologies used to produce auditable report ………………..6

8.      References ………………………………………………………………………………………….8

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

INTRODUCTION

 

Every day, there are around 4000 attacks happening in this world, which compromises the way we look at computer security (Rey, 2017). In this era where even major Anti-virus corporations and government agencies are spying on us, we need to be able to provide utmost security to things we do. One of the ways to block or minimize those attacks to us is by doing a penetration test. A penetration test, also known as a pen test, is an authorized simulated attack on a computer system, performed to evaluate the security of the system. This type of tests is usually done to find the faults and vulnerabilities in the system or network. It is done by security specialists. It is advised that every organization or company conducts a Penetration tests bi-annually or even every quarter. Today my employer (National Insurance Company) has asked me to conduct a research on penetration testing so that they can have a better understanding of the concepts, terminology, and benefits of penetration testing before employing external consultants. Also, the most important points which will be discussed in this report are:

·         The rationale behind conducting a penetration test.

·         The potential benefits of conducting the test.

·         The difference between Black box and White box testing techniques with the strengths and weaknesses of both.

·         The possible risks of performing a test.

·         The technical vulnerabilities that may be discovered during the test.

·         The Different methodologies used to produce auditable reports.

 

The most important rationale or motive behind conducting a penetration test is to

 

·         Find all the vulnerabilities.

The main idea behind a Penetration tests is to find vulnerabilities as much as possible and to take necessary steps to rectify them.

·         Help reveal problems.

It helps us to reveal many other issues such as compliance issues, network issues, compatibility issues.

·         Reduce Costs

An attack makes an organization lose lots of money. If continuous attacks are conducted on the organization, it will seriously affect the profit margins.

·         Meet compliance with industry standards and regulations.

Any organization must meet all the updated regulations and standards. The testing must also be done under authorized supervision. (Gerberding and Gerberding, 2018)

 

There are many reasons to why Penetration test is so beneficial. The most important reason being is to find the vulnerabilities in the environment. A penetration test is the process of vulnerability assessment. It reveals whether an organization is vulnerable to cyber-attacks. Finding the vulnerability helps to strengthen our network or organization.

 

Benefits of conducting a penetration test

 

Risk Management

 One of the important benefits of a penetration test is that it will help you to reduce the amount of risk in a more organized way. After finding the vulnerabilities in the system, A penetration test will help to show the risks associated with it. After we analyze the risks involved, we categorize the vulnerability as High, Medium or Low. This will help us to tackle the highest vulnerability and then the others.

 

Increase Business Continuity

Any Business nowadays must be online 24X7, Hence an attack from an outside person is a serious threat to the business. For example, if there is an attack on a public listed company, it would have a negative effect on the market capitalization of the company and people could lose jobs or they might lose their whole life savings. So one of the tasks of a Penetration tests specialist is, to make sure the continuity of a business or organization.

 

Evaluate security of the organization

It provides an overall view of the security posture of the company. They provide an overall view of where we stand. It ensures that patching of the vulnerabilities and configuration management practices have been followed correctly.

 

Help protect public relationships and guard the reputation of the company

It is very difficult to maintain a good public relationship and company reputation which are built up over a very long time. This can completely change with a single security breach. The problem is that the consequences may take years to be regained.

 

Protecting Associates

An attack can not only affect the target organization but also their clients, partners or others associated with them. (Secforce.com, 2018)

Difference between Black box testing and white box testing technique

 

In Penetration Testing, we have three kinds of Testing methods. They are:

·         Black Box testing

·         White box testing

·         Grey box testing

 

Black box testing is a type of software Testing method which is used to test the software without knowing the internal structure of the program. These types of tests are usually done by Testers. Also, we do not need to have a prior experience or any programming language to do this kind of testing. This is the most often type of testing used in a Penetration test. It is a type of High-level testing and can be done on a user-interface level.

There are many strengths associated with the black box testing method. The most important one being is that the Tester does not need to know the programming language or the software implementation which means that the tester can be from a non-technical background. Also, the test is done from a user’s point of view, not the designer. But, the testing can be of no use if it is has been already run by the software designer. It is more time consuming, hence it would leave many program paths untested which can cause more vulnerabilities and, it cannot be used for complex segments of code. (Software Testing Class, 2018)

 

White box testing is a type of testing method used when you know the internal structure of the program so that the test can be conducted to ensure that the internal operations are performed according to the specification. It is also known as Glass box testing since it has an open architecture. These types of test are usually done by software developers. It involves testing beyond the User-Interface.

The strengths of a white box testing technique are that it can be done before in hand and doesn’t need to wait for the Graphical User Interface to be available. Since the testing is thorough, it covers most of the paths. The testing is thorough, so it covers most of the paths which can cause a lesser number of vulnerabilities. The major drawback of a white box testing is that it requires a highly skilled person to conduct this kind of tests due to the complexity of the tests. Thorough knowledge of programming and implementation is required. The maintenance of the test script can be a hassle if the implementation changes regularly.(Software Testing Class, 2018)

 

 

 

 

Possible Risks of performing a penetration test

 

Basically, there are only a few risks involved in a penetration test. One of the major risks is the usage of high bandwidth and the loss of performance due to that. Though there are many risks involved with a penetration test, it is the benefits of a penetration test which makes us stick to doing it. A custom developed exploit can pose risks than using a well-known exploit. The best way to overcome any risks is to have adequate backup plans in case if anything goes wrong. Also, all the penetration tests cannot be conducted by an organization, they will usually need to get a third party to do it which again will compromise the security of the organization. (InfoSecAlways.com, 2018)

 

Technical vulnerabilities that may be discovered during the test

Vulnerability assessment can find all the technical vulnerabilities that may be discovered during a test. The technical vulnerabilities which are commonly found during a penetration test are:

·         Easter Eggs

·         Incomplete tests due to broken paths.

 

Different methodologies used to produce auditable report

 

Penetration Test methodologies are the manuals which are used to conduct a security test on a system in a particular manner. Pentest methodology is necessary for many reasons like

·         It can be used to determine the success of a test

·         The reporting can become more convenient and precise to the client.

·         It helps to initiate the process ethically and legally

 

The different kinds of methodologies are as follows:

OSSTMM – Open source security testing methodology manual.

ISSAF – Information Systems Security Assessment Framework.

OWASP – Open Web Application Security project.

PTES – Penetration Testing Execution standard.

NIST – National Institute of Standards and Technology.

 

OSSTMM

The OSSTMM is a manual on security Testing and analysis created by Pete Herzog and provided by ISECOM. It includes security testing, security analysis, operational security metrics, trust analysis, operational trust metrics, the Mobius defense and the essential tactics for testing the security of anything. The current version of OSSTMM manual is version 3.0.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

References

 

Gerberding, K. and Gerberding, K. (2018). 4 Good Reasons Why You Need to Conduct a Penetration Test | Hitachi Systems Security | Managed Security Services Provider. online Hitachi Systems Security | Managed Security Services Provider. Available at: https://www.hitachi-systems-security.com/blog/4-good-reasons-why-you-need-to-conduct-a-penetration-test/ .

InfoSecAlways.com. (2018). Penetration Testing Risks. online Available at: https://infosecalways.com/2010/08/24/penetration-testing-risks/.

Rey, J. (2018). Business Cyber Attacks Top 4,000 Per Day: Your Guide to Ransomware. online Entrepreneur. Available at: https://www.entrepreneur.com/article/284754.

Secforce.com. (2018). Benefits of penetration testing | SECFORCE. online Available at: https://www.secforce.com/blog/2011/02/benefits-of-penetration-testing/ .

Software Testing Class. (2018). Difference between Black Box Testing and White Box Testing. online Available at: http://www.softwaretestingclass.com/difference-between-black-box-testing-and-white-box-testing/