Penetration Testing Principles

1. Penetration Testing Overview

---

What is penetration testing?

Penetration testing tests your existing cybersecurity measures to try to find vulnerabilities that attackers could exploit. Pen tests give you insight into how attackers might try to breach your networks so you can close gaps and stay one step ahead.

Pen tests can be done in house, but generally they are done by a third party who uses a variety of tools and methods to try to penetrate your network. These tests resemble real-world attack methods attackers may use. The goal is to discover vulnerabilities, misconfigurations and other security weaknesses before an attacker can exploit them and put your organization at risk.

If an attack (or penetration from a pen test) is successful, the attacker could:

• Gain access to personal health information (PHI)
• Get access to personally identifiable information (PII)
• Steal credentials
• Steal data and records
• Launch malware
• Make lateral movements across your network (potentially for weeks or months before you even know they’re there)
• Access credit card and other financial information
• Disrupt business operations
• Hold your systems and operations hostage and demand a ransom
• Destroy your data

Pen tests help uncover weaknesses within your attack surface so you can make plans to remediate them before threat actors can exploit them.

Pen tests are a complementary component of your vulnerability assessment program. As part of vulnerability assessment, your organization should do routine vulnerability scans that give you insight into all the assets and vulnerabilities across your enterprise. Pen tests help you verify if an attacker can exploit these weaknesses and evaluate the success of your remediation efforts.

To build a comprehensive vulnerability assessment program, conduct vulnerability assessment scans on a continuous basis and then do pen testing periodically. Some compliance guidelines call for annual pen testing, but you may build a stronger cybersecurity program if you conduct these tests more frequently — for example, at least quarterly.

The Importance of Pen Testing

Here are some reasons why your organization should adopt penetration testing as part of your comprehensive cybersecurity program:

• Pen tests help you discover if you have vulnerabilities or other security weaknesses attackers could exploit to get access to your network, data and assets.
• These tests can give you insight into how well you’re meeting compliance standards and where you have security issues.
• Pen tests can also help you determine if your security controls are working as you expect them to.
• You can test applications your organization uses to see if there are programming mistakes that can give attackers access to your network.

2.Penetration Testing Goals and Processes

---

Generally, there are five phases for penetration testing.

1. Your pen testing process begins with determining who you want to conduct your test — whether an in-house resource or a third-party pen tester. This phase should include setting goals and objectives for the pen test outcome. These goals should be specific to your organization and should align with your existing cybersecurity and business goals.
2. Next, determine the scope of your test. For example, do you want the tester to target your entire network to see what they can uncover? Or do you want to set parameters for the test and have the tester target only a specific subset? The scope will help your tester develop a plan of attack against your target(s).
3. After setting your scope and targets, it’s time to begin testing. The tester will begin by doing a number of scans on your target to gather as much information as possible about existing security protocols and to try to find security weaknesses and vulnerabilities. Once the pen tester has an understanding of your security measures, the tester should use a variety of exploitation methods to try to gain access, just like an attacker in the real world would do. After gaining access, the tester will determine if extended access can be maintained and what additional systems can be accessed from the breach. When the test is complete, the pen tester should remove all evidence of the attack including scripts and logs used during the testing phases.
4. After your pen tester completes the test, the tester will provide you with a report on findings. The report should highlight what the vulnerability is, how it was breached, where there are gaps in your existing security measures and the impact that a breach could have on your organization. You should review these findings and make plans for mitigation, starting with the most critical vulnerabilities with the greatest potential impact on your organization.
5. Once you’ve implemented your mitigation plans, it’s a good idea to follow up with additional pen testing to see if your fixes work as you intended and whether or not new vulnerabilities have surfaced since your last test.

Penetration Test Approaches

There are different approaches to pen testing, the two most common are white-box testing and black-box testing.

In white-box testing, your organization will provide your tester with information about your intended target. White-box testing also generally takes place within a credentialed environment.

In black-box testing, you don't share additional information about the target with your tester and the pen tester generally conducts network sweeps without using credentials.

Grey-box (gray-box) testing is another approach to penetration testing. As the name implies, it’s somewhere in the middle of black-box and white-box testing. Here, your organization provides the tester with partial details about targets.

Nessus Expert is a great complementary tool for these approaches to penetration testing.

Penetration Testing Methods

In addition to the approaches to pen testing, pen testers may utilize a variety of testing methods during an engagement with your organization. Here are some examples:

Targeted testing: During targeted pen tests, your internal IT teams work together with your third-party tester to try to breach your attack surface. During these types of tests, both parties share information about what the tester is doing to initiate the attack and how your team is responding to block it. Not only does this type of testing give you information about where you may have vulnerabilities, but it also gives your team real-world experience in attempting to stop a hack while it’s happening.

Blind testing: Blind testing is a hacking scenario where all the tester knows is your URL or your organization’s name and your teams are only aware that you’ve given the go-ahead for testing. Here, your tester attempts to gain access to your network and systems in real time with little-to-no additional information about your company or security posture.

Double-blind testing: Double-blind testing is similar to blind testing, where the tester has limited information about your organization; however, unlike blind testing, your teams do not know that you’ve authorized a test and that an engagement is underway.

External testing: In external testing, the tester attacks your external-facing assets and systems, for example web servers, firewalls and email servers.

Internal testing: Internal testing gives testers access to your systems behind your firewall and simulates what would happen if an employee or a person with stolen credentials got unauthorized access to your enterprise systems.

Penetration Test Frequency

Your organization should plan for regular pen testing. While some compliance regulations call for annual tests, you may find it more beneficial for your overall cybersecurity posture if you do them more frequently, for example, at least once each quarter.

Pen tests give you a point-in-time snapshot of your security posture. Since your attack surface constantly changes and expands, routine pen tests may help you find holes and gaps in your existing program and enable you to remedy them before an attacker can exploit them.

3. Pen Tests and Vulnerability Management

---

• There are differences between vulnerability assessment and penetration testing, but the processes complement one another.
• Pen testing is a stand-alone activity that gives you a picture of your cyber risks at a single point in time.
• Vulnerability management is an ongoing program that uses a variety of technologies and tools to identify cyber risks across your entire organization, align them with your operational goals and objectives and then remediate vulnerabilities in a timely manner to secure your network and keep your operations safe.
• Pen tests help you define areas of improvements to strengthen your vulnerability assessment processes.

4. Pen Tests and Vulnerability Assessment

---

• There are differences between vulnerability assessment and penetration testing, but the processes complement one another.
• Pen testing is a stand-alone activity that gives you a picture of your cyber risks at a single point in time.
• Vulnerability assessment is an ongoing practice that gives you visibility into all of your vulnerabilities. Each time you run a new vulnerability scan or conduct a new penetration test, you have the opportunity to uncover new information about your cybersecurity posture.
• Pen tests help you define areas of improvements to strengthen your vulnerability assessment processes.

Vulnerability Scanning and Pen Testing

Vulnerability scanning is a component of penetration testing. It’s a way to discover vulnerabilities and weaknesses within your attack surface and can help testers uncover which ones to target during a test.

Vulnerability scans can span across your entire attack surface or the tester may be limited to a specific subset. Here are some subset examples, some of which may be included in specialized tests:

• Internal networks
• External networks
• Cloud environments
• Internet of Things (IoT) devices
• Industrial Internet of Things (IIoT) devices (Industry 4.0)
• Operational technology (OT) devices
• Containers
• Web apps

5. Penetration Test Tools

---

Penetration testing has long been a manual process that relies on the training, skills and innovative thinking of testers to try to breach your attack surface. Today, however, testers are supported by automated tools to help initiate tests on intended targets. One of them is Kali Linux.

Kali Linux has more than 600 penetration tools and is a free resource. It can be used for penetration testing, reverse engineering, tech forensics and research.

Tenable Nessus is not installed on Kali Linux by default, but you can easily install it and then use it to support pen testing engagements. Nessus can help your pen tester find local and remote vulnerabilities, check for default credentials, assist with configuration and compliance audits, and do web application scanning. You can read more about how Nessus supports Kali Linux pen testing here: https://www.tenable.com/blog/getting-started-with-nessus-on-kali-linux.

6. Nessus Vulnerability Scanning

---

Nessus Expert is an effective tool to help you discover vulnerabilities across your attack surface. It supports scanning across a variety of asset types such as operating systems (MacOS, Windows, Linux), applications, network devices and more.

Nessus comes with pre-built templates for credentialed and non-credentialed vulnerability scans. These templates, together with pre-built policies, help pen testers get the most out of their testing engagements. Nessus gives testers visibility into your organization's network and testers get an upper hand by being able to quickly uncover weaknesses and vulnerabilities.

Nessus templates support compliance frameworks such as Center for Internet Security (CIS), Health Insurance Portability and Accountability Act (HIPAA), Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIG) and others. You can also customize templates, including creating preferences to avoid false negatives or false positives.

Nessus has more than 189,000 plugins, which are automatically updated. It has coverage of more than 77,000 CVEs and more than 100 new plugins are released every week. That means with Nessus, pen testers get accurate, timely information about the latest vulnerabilities and malware.