From the course: CISSP Cert Prep (2021): 6 Security Assessment and Testing

Penetration testing

- [Instructor] Vulnerability tests merely probe systems for vulnerabilities. These tests can be active, reaching out and interacting with systems, but they're rarely dangerous, because they don't typically complete an attack. That said, actually executing an attack is the best way to understand a system's vulnerabilities. Penetration tests do this by placing security professionals in the role of attackers. During a penetration test, attackers normally begin by gathering information about systems, and then use that information to engage in actual attacks. The test is considered successful if the attackers manage to penetrate the target system. The goal is to test security controls by attempting to bypass or defeat them. Before beginning a penetration test, it's important to meet with the sponsor of the test and clarify the permitted scope of the testing. You need to know what systems you are allowed to target and the techniques that you are permitted to use. To protect everyone from misunderstandings, these parameters should be written down in a formal document called the rules of engagement, or ROE, of the penetration test. Penetration tests differ in the amount of information provided to the testers before they begin. In a white box test, the attacker has full knowledge of the network environment. It's the equivalent of simulating an insider attack. Gray box attacks fall in the middle, and the attacker has some knowledge of the system. This approach is commonly used because it combines some of the external perspective benefits of a black box test with the time-saving nature of a white box test. In a black box test, the attacker has no prior knowledge of the enterprise IT environment, and seeks to gain that knowledge as they move through the attack phase. This is equivalent to simulating an external attack.
The National Institute of Standards and Technology, NIST, suggests that penetration tests loop back and forth between a discovery phase and an attack phase. During the discovery phase, attackers conduct reconnaissance against systems and think of possible avenues of exploit. This discovery phase may include both active and passive reconnaissance, and may use a variety of tools including open source intelligence, footprinting, and the use of wardriving to discover wireless networks. Some penetration testers even go so far as to conduct war flying, using drones and unmanned aerial vehicles to search for vulnerable wireless networks. When penetration testers find a path of potential vulnerability, they move into the attack phase, where they seek to gain access to the target system, escalate that access to advanced privileges, and then browse through the network looking for new systems that they can access from that vantage point. This browsing is also known as lateral movement. They may also install additional penetration testing tools on compromised systems, in an effort to gain even deeper access to the network. For example, if penetration testers exploit a vulnerability to gain access to an application server, they might then install tools on that application server to attempt to gain privileges on the database server supporting that application. Throughout this work, the attackers may loop back and perform additional discovery to gain new information and insight into their target environment. Pivoting is an important concept used by penetration testers to simulate the activities of real attackers. Using this technique, testers first conduct an initial exploitation of a vulnerability on a system with weak security. The trick is that this system isn't their real target. They use that system to gain a foothold on the network, and then switch or pivot to attack other systems on the same network.
Pivoting allows attackers to exploit whatever vulnerability they can find, and then leverage that vulnerability to gain access to more secure systems. Another important concept used by penetration testers is persistence of their attacks. Once an attacker gains access to a system, they may install a backdoor on that system that allows them to regain access to the system in the future. These backdoors are independent of the vulnerability that the attacker used to gain initial access to the system, and may allow the attacker to discreetly retain access to the system, even after the administrator corrects the vulnerability that allowed the attack in the first place. At the conclusion of the test, attackers should work with the organization to clean up the traces of their attack, restoring any modified systems to their pre-testing state. Penetration tests are often labor intensive for internal staff, and expensive when using external consultants. For this reason, they're not done frequently, but they provide valuable insight into the security of a system. Therefore, penetration tests should be an occasional part of the security professional's testing toolkit. Breach and attack simulation, or BAS, platforms seek to automate some aspects of penetration testing. BAS systems are designed to inject threat indicators onto systems and networks in an effort to trigger other security controls. For example, a BAS platform might place a suspicious file on a server, send beaconing packets over a network, or probe systems for known vulnerabilities. In a well-functioning security program, detection and prevention controls would immediately detect and/or block this traffic as potentially malicious. The BAS platform is not actually waging an attack, but it is conducting automated testing of other security controls to identify any deficiencies that might indicate the need for control updates or enhancements.
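
The rules-of-engagement scoping the instructor describes (which systems may be targeted, which techniques are permitted, and when) is easy to enforce programmatically. The following is an added example, not code from the course, that encodes a constructed ROE and flags planned test actions that fall outside it before any testing begins; the class names, RFC 5737 documentation addresses, technique labels and time window are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Constructed, hypothetical rules of engagement (ROE) for illustration only.
@dataclass
class RulesOfEngagement:
    in_scope: list          # CIDR blocks the sponsor authorised as targets
    excluded: list          # hosts/blocks carved out even if inside in_scope
    techniques: set         # technique labels the sponsor permitted
    window_start: datetime  # start of the authorised testing window (UTC)
    window_end: datetime    # end of the authorised testing window (UTC)

@dataclass
class PlannedAction:
    target: str      # IP address the tester intends to touch
    technique: str   # label of the intended technique
    when: datetime   # planned start time (UTC)

def check_action(roe, action):
    """Return the list of ROE violations for one action; an empty list means permitted."""
    ip = ipaddress.ip_address(action.target)
    problems = []
    if not any(ip in ipaddress.ip_network(n) for n in roe.in_scope):
        problems.append(f"{ip}: target not in authorised scope")
    if any(ip in ipaddress.ip_network(n) for n in roe.excluded):
        problems.append(f"{ip}: target explicitly excluded by sponsor")
    if action.technique not in roe.techniques:
        problems.append(f"{action.technique}: technique not permitted")
    if not (roe.window_start <= action.when <= roe.window_end):
        problems.append(f"{action.when.isoformat()}: outside testing window")
    return problems

def review_plan(roe, actions):
    """Map each planned action to its violations so out-of-scope work is caught before it runs."""
    return {(a.target, a.technique): check_action(roe, a) for a in actions}

# Constructed sample data (RFC 5737 documentation addresses, not real targets).
ROE = RulesOfEngagement(
    in_scope=["192.0.2.0/24"],
    excluded=["192.0.2.10/32"],          # e.g. a production database host
    techniques={"port_scan", "web_app_test"},
    window_start=datetime(2021, 6, 1, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2021, 6, 2, 6, 0, tzinfo=timezone.utc),
)
PLAN = [
    PlannedAction("192.0.2.20", "port_scan", datetime(2021, 6, 1, 23, 0, tzinfo=timezone.utc)),
    PlannedAction("192.0.2.10", "web_app_test", datetime(2021, 6, 1, 23, 30, tzinfo=timezone.utc)),
    PlannedAction("198.51.100.5", "denial_of_service", datetime(2021, 6, 2, 9, 0, tzinfo=timezone.utc)),
]
```

Running `review_plan(ROE, PLAN)` passes the first action, rejects the second for touching the excluded host, and rejects the third on all three grounds (scope, technique and window).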