Back to Subject

Unit 1 - Notes

INT245 6 min read

Unit 1: Planning and Scoping

1. Introduction to Penetration Testing Concepts

Penetration Testing (often called ethical hacking or white-hat hacking) is the practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit.

Core Concepts

  • Authorization: The distinguishing factor between a penetration test and a cyberattack is permission. A pentester must have written consent from the data owner to probe systems.
  • Vulnerability Assessment vs. Penetration Testing:
    • Vulnerability Assessment: Usually automated; identifies potential vulnerabilities; non-intrusive; breadth-focused (finds as many flaws as possible).
    • Penetration Test: Manual and automated; validates vulnerabilities by exploiting them; intrusive; depth-focused (simulates a specific attack path).
  • The CIA Triad: Testing aims to ensure the integrity of:
    • Confidentiality: Preventing unauthorized disclosure of information.
    • Integrity: Preventing unauthorized modification of information.
    • Availability: Ensuring information/systems are accessible when needed.

Threat Actors

Understanding who the enemy is helps scope the test:

  • Script Kiddies: Unskilled attackers using pre-made tools.
  • Hacktivists: Motivated by ideology.
  • APT (Advanced Persistent Threats): Nation-states or well-funded groups; high stealth and persistence.
  • Insider Threats: Disgruntled employees with legitimate access.

2. Types of Penetration Testing

Penetration tests are categorized based on the amount of information provided to the tester and the location of the test.

Based on Knowledge (The "Box" Colors)

  1. Black Box (Zero Knowledge):
    • The tester has no prior knowledge of the target network.
    • Simulates an external attacker.
    • Time-consuming and expensive due to extensive reconnaissance requirements.
  2. White Box (Full Knowledge):
    • The tester has full access to source code, network diagrams, and IP addressing.
    • Simulates a rogue insider or allows for a comprehensive audit of code/logic.
    • Most thorough but least realistic regarding external attacks.
  3. Gray Box (Partial Knowledge):
    • The tester has limited information (e.g., user credentials, but no admin access).
    • Simulates a breach where an attacker has compromised a user account.
    • Balances depth and efficiency.

Based on Target

  • Network Services: Identifying flaws in firewalls, routers, and ports (SSH, SQL, SMTP).
  • Web Application: Focuses on OWASP Top 10 (SQL Injection, XSS, Broken Auth).
  • Wireless: Assessing Wi-Fi encryption (WPA2/WPA3), rogue APs, and de-authentication attacks.
  • Social Engineering: Testing the human element (Phishing, Vishing, Tailgating).
  • Physical: Attempting to physically enter a building or server room.

3. Phases of Penetration Testing

While methodologies vary, the general lifecycle follows the PTES (Penetration Testing Execution Standard) or CompTIA Pentest+ structure:

  1. Planning and Scoping (Pre-engagement): Defining the rules, targets, timeline, and legal contracts.
  2. Information Gathering (Reconnaissance):
    • Passive: Collecting data without touching the target (OSINT, WHOIS).
    • Active: Direct interaction (Port scanning, ping sweeps).
  3. Vulnerability Scanning: Using tools (Nessus, OpenVAS) to identify potential weaknesses.
  4. Exploitation: Attempting to breach security by exploiting identified vulnerabilities to gain access.
  5. Post-Exploitation:
    • Lateral movement (moving through the network).
    • Privilege escalation (gaining Admin/Root access).
    • Persistence (installing backdoors).
  6. Reporting: Documenting findings, risk levels, and remediation steps for technical and executive audiences.

4. Organizational Penetration Testing

The Business Need

Organizations conduct pentests to:

  • Identify gaps in security posture.
  • Test the incident response (Blue Team) capabilities.
  • Meet regulatory compliance.
  • Protect brand reputation.

Teaming Concepts

  • Red Team: The attackers (pentesters) simulating an adversarial attack.
  • Blue Team: The defenders (SOC, Incident Response) detecting and blocking the attack.
  • Purple Team: A collaborative effort where Red and Blue teams work together to improve detection in real-time.

Risk Management Strategies

Testing results inform how an organization handles risk:

  • Avoidance: Discontinue the risky activity.
  • Transference: Insure against the risk (Cyber Insurance).
  • Mitigation: Fix the vulnerability (Patching).
  • Acceptance: Acknowledge the risk but do nothing (cost of fix > cost of breach).

5. Compliance Requirements

Many industries are legally required to perform penetration tests. The scoping phase must align with these regulations.

  • PCI-DSS (Payment Card Industry Data Security Standard):
    • Mandatory for entities handling credit cards.
    • Requirement 11: Requires internal and external penetration testing at least annually and after any significant infrastructure change.
  • HIPAA (Health Insurance Portability and Accountability Act):
    • US Healthcare. Requires risk analysis and protection of ePHI (Electronic Protected Health Information). Pentesting validates these controls.
  • GDPR (General Data Protection Regulation):
    • EU privacy law. Article 32 requires a process for regularly testing, assessing, and evaluating the effectiveness of security measures.
  • SOX (Sarbanes-Oxley Act):
    • US public company financial records. Focuses on the integrity of financial data systems.
  • FISMA (Federal Information Security Management Act):
    • US Federal agencies. Requires periodic testing of information security controls.

6. Pentesting Standards and Frameworks

Using a standard ensures the test is repeatable, structured, and professional.

  1. PTES (Penetration Testing Execution Standard):
    • The most comprehensive standard covering the entire lifecycle from Pre-engagement to Reporting.
  2. OSSTMM (Open Source Security Testing Methodology Manual):
    • Focuses on operational security metrics. It is scientific and quantifiable, focusing on presence, privacy, and integrity.
  3. NIST SP 800-115:
    • US Government guide for "Technical Guide to Information Security Testing and Assessment." Standard for federal compliance.
  4. OWASP (Open Web Application Security Project):
    • Specifically for web and mobile apps. The "Testing Guide" provides a framework for testing against the OWASP Top 10 vulnerabilities.
  5. ISSAF (Information Systems Security Assessment Framework):
    • Structured around specific criteria for different domains (network, OS, DB).

7. Environmental Considerations

During scoping, the specific environment dictates the tools and timing.

Internal vs. External Targets

  • External: Assets facing the public internet (Web servers, DNS, Email gateways). Focus is on perimeter defenses.
  • Internal: Assets inside the firewall (File servers, Active Directory). Focus is on insider threats or lateral movement.

Production vs. Staging

  • Production: The live environment.
    • Risk: Testing may cause denial of service (DoS) or corrupt real data.
    • Constraint: Testing is often done off-hours or restricted to non-destructive exploits.
  • Staging/QA: A mirror of production.
    • Benefit: Safe to crash.
    • Drawback: May not perfectly reflect the security configurations of production (e.g., debug mode left on).

Cloud Environments (AWS, Azure, GCP)

  • Shared Responsibility Model: The cloud provider secures the infrastructure (hardware); the customer secures the data and apps.
  • Permission: Historically, providers required advanced notice for pentests. While rules have relaxed (e.g., AWS allows standard testing without notice for many services), DDOS simulations are usually strictly prohibited.

8. Rules of Engagement (RoE)

The RoE is the formal document created during the planning phase that outlines exactly how the test will be conducted. It is the "Contract of Execution."

Key Components of the RoE

  1. Scope (In-Scope vs. Out-of-Scope):
    • In-Scope: Specific IP addresses, URLs, or subnets to be tested.
    • Out-of-Scope: Systems that must not be touched (e.g., Third-party hosted servers, critical life-support systems).
  2. Timeline: Start date and End date/time. Testing outside this window is illegal.
  3. Contact Information:
    • Primary technical contact.
    • Emergency contact (if a server crashes at 2 AM).
  4. Permitted Tools and Techniques:
    • Are Social Engineering attacks allowed?
    • Is DoS (Denial of Service) allowed? (Usually No).
    • Are physical breaches allowed?
  5. Handling of Sensitive Data:
    • If the tester finds PII (Personally Identifiable Information), should they download it as proof or just take a screenshot of the filename? (Usually the latter).
  6. "Get Out of Jail Free" Card:
    • A written authorization letter signed by senior management. The tester carries this physically or digitally to prove legitimacy if caught by law enforcement or internal security.

Documents in Planning

  • NDA (Non-Disclosure Agreement): Protects the confidentiality of the client's data.
  • SOW (Statement of Work): High-level business document regarding costs and deliverables.
  • MSA (Master Service Agreement): The overarching legal contract for the relationship.
Next
Unit 2