A Penetration Test is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who do not have an authorized means of accessing the organization’s systems) and malicious insiders (who have some level of authorized access).
The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker and can involve active exploitation of security vulnerabilities.
Penetration tests should be performed on a proactive basis, particularly against environments that contain Protected Health Information (PHI). Penetration tests can also be performed after a breach to help determine where an attacker may have been able to gain entry.
We can perform the following penetration tests:
- External Penetration Test (an attack against a range of external IP addresses)
- Internal Penetration Test (an inward facing attack against a range of internal IP addresses)
- Web Application Penetration Test (an attack against website URLs in an attempt to exploit web application code)
Security issues uncovered through the penetration test are presented to the system’s owner. Effective penetration tests will couple this information with an accurate assessment of the potential impacts to the organization and outline a range of technical and procedural countermeasures to reduce risks.
Penetration tests are valuable for several reasons:
- Determining the feasibility of a particular set of attack vectors
- Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
- Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
- Assessing the magnitude of potential business and operational impacts of successful attacks
- Testing the ability of network defenders to successfully detect and respond to the attacks
- Providing evidence to support increased investments in security personnel and technology
Penetration tests are a component of a full security audit.
We use a combination of tools and manual attacks to perform the penetration test.
All of these tools provide comprehensive, risk-ranked remediation reports that guide the client in improving the security of its systems and networks.
1. Information Gathering
Successful penetration testing relies on the ability to gather relevant information about the target network.
- Identify the operating system and services running on targeted systems.
- Control the IP ranges you want to scan.
- Select from a variety of network discovery and port scanning methods, including TCP Connect, Fast SYN, UDP service discovery and ICMP.
- Eliminate the need to purchase supplemental tools to gather network information prior to testing.
- Gather valuable data to assist with remediation efforts.
2. Attack and Penetration
During Attack and Penetration, the tools we utilize automatically select and launch remote attacks leveraging data obtained in the Information Gathering step.
The client maintains full control over which computers are attacked and the order in which exploits are launched.
- Launch multiple, simultaneous attacks to speed the testing process.
- Interact with compromised systems via discrete agents that are installed only in memory, thereby preserving system integrity.
- Maintain control over which exploits are applied.
3. Local Information Gathering
The Local Information Gathering step collects information about computers that the tools have successfully compromised. During this step, tools gather information about OS, network configuration, privileges, users and installed applications.
- Browse file structures and view file contents on compromised systems.
- View rights obtained on compromised systems.
- Interact with compromised systems via shells.
- Gather information that can be used to attack other computers on the network.
4. Privilege Escalation
During the Privilege Escalation step, tools attempt to penetrate deeper into a compromised computer by running local exploits in an attempt to obtain administrative privileges. After Privilege Escalation, we can shift the source to one of the newly compromised systems and cycle back to the initial Information Gathering step, thereby establishing an outpost from which to run attacks deeper into the network.
- Run local exploits to gain administrative privileges on compromised systems.
- View the networks to which a compromised computer is connected.
- Pivot attacks from any compromised system to other computers on the same network, gaining access to systems with increasing levels of security.
5. Cleanup
The Cleanup step uninstalls agents and cleans up systems after the penetration test.
- Run tests without installing modules or tools on compromised systems (or altering them in any way).
- Quickly and easily remove all agents from compromised systems, leaving them in their original states.
6. Report Generation
Our Penetration Testing service generates clear, informative reports that provide data about the targeted network and hosts, audits of all exploits performed, and details about proven vulnerabilities.
- Vulnerability Scanning Report
- Penetration Testing Report
- Web Application Testing Report
The Drummond Group
Validate the Effectiveness of Your IT Controls
A Technical Risk Assessment can be limited to solely a vulnerability assessment. However, many times it will also include potential exploitation (i.e. a penetration test). Other optional services are available as either an addition to the vulnerability assessment or as a standalone service.
Technical Risk Assessment Services
Vulnerability Assessment | The vulnerability assessment consists of network host discovery, information gathering, scanning hosts at the network layer and application layer with industry-leading commercial tools in search of thousands of vulnerabilities, and expert-level analysis by Drummond Group Security Engineers. The vulnerability assessment can also include various types of optional testing such as authenticated scanning, user privilege escalation, and password cracking. Security Engineers also review policies, procedures, standards and guidelines to verify they meet best practices and/or applicable compliance requirements.
Web Application Vulnerability Assessment | In addition to the standard vulnerability assessment, the Technical Risk Assessment can include more in-depth vulnerability testing at the application layer for web-based applications. For this phase, Drummond Group Security Engineers will gain familiarity with the web application through a series of standard user tests in an effort to learn basic information such as the operating system, web server type if applicable, linked applications (databases, media servers), security mechanisms (SSL, input filtering) and language base. Once the reconnaissance phase is completed, industry-leading commercial web application vulnerability tools are used to identify common coding flaws and web-based vulnerabilities (e.g. Injection Flaws, Cross-Site Scripting, Malicious File Execution, Insecure Direct Object Reference, Insecure Cryptographic Storage, Cross-Site Request Forgery).
Penetration Testing | In addition to the standard vulnerability assessment, penetration testing of identified vulnerabilities may be included in the Technical Risk Assessment. Exploitation leaves little doubt as to what a hacker can or cannot do. The exploitation phase eliminates the guesswork involved in protecting your network by providing you with the information you need to effectively prioritize your vulnerabilities. Drummond Group's multi-staged attack emulation will mirror the multi-vector, privilege-escalation and pivoting methods employed by today's sophisticated hackers and malware authors, allowing organizations to identify the complex paths that attackers traverse across multiple layers of IT infrastructure to expose valuable backend data and systems.