Penetration testing

Conducting regular penetration testing is an important part of an organisation’s cybersecurity strategy and can help ensure the ongoing protection of sensitive data and critical assets.


What is penetration testing?

Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The goal of a penetration test is to identify vulnerabilities and weaknesses in a system or network that could be exploited by an attacker. Regular penetration testing, sometimes known as ethical hacking, is a mainstay of security evaluation programmes with the goal of mitigating cyber risk.

Identifying your organisation’s vulnerabilities by using techniques employed by real-world cyber criminals will set you on the right course to accurately evaluating risk and, where necessary, choosing the right remedial solutions.

TYPES OF PENETRATION TESTING


Internal Penetration Test

This assesses the threat of both deliberate and accidental breaches from hackers and malicious or negligent insiders with access to your systems. Often deemed low-risk, internal attacks can actually pose a substantial threat to an organisation.


External Network Penetration Test

External network penetration testing is a type of penetration testing that focuses on evaluating the security of a network infrastructure. This test identifies the vulnerabilities of your computer systems through their exposure to the Internet.


Web Application Penetration Test

A web application penetration test is a type of security assessment that involves identifying and exploiting vulnerabilities in web-based applications. This is the correct choice of test if you wish to ensure that your websites, webshops, intranets, extranets and web-based applications are secure.


Mobile Application Penetration Test

A mobile application penetration test is an assessment of security that aims to identify and exploit vulnerabilities found in mobile applications. The primary goal of this testing is to assess the security posture of a mobile application and to identify vulnerabilities that could be exploited by attackers to gain unauthorized access to sensitive data or systems. We would recommend this test to evaluate your mobile apps and the web services that they communicate with.


PENETRATION TESTING PHASES


Planning and Scoping

The penetration testing team and the client work together to define the scope and objectives of the testing. This involves identifying the systems, applications, and networks to be tested, as well as the testing methods and tools to be used.


Reconnaissance

The penetration testing team gathers information about the target system or network, including IP addresses, open ports, operating systems, and applications. This information is typically gathered through passive or active reconnaissance techniques.


Vulnerability scanning

The team uses vulnerability scanning tools to identify known vulnerabilities in the target system or network. This step helps the tester to understand the level of risk associated with each vulnerability.


Exploitation

The team attempts to exploit the identified vulnerabilities in the target system or network. This involves using various attack techniques to gain access to the system or network, such as SQL injection, weak authentication, or brute-force attacks.


Post-exploitation

Once the team has gained access to the target system or network, they attempt to escalate privileges, install backdoors, or access sensitive data. This step is critical in determining the overall security posture of the target system or network.


Reporting

The penetration testing team documents the findings and recommendations from the testing exercise. This includes a detailed report on the vulnerabilities identified, the methods used to exploit them, and recommendations for remediation.



How is Dionach positioned to help your organisation?

Dionach is a cybersecurity company that specializes in providing comprehensive security services to organizations of all sizes. Dionach can conduct comprehensive penetration testing of your organization’s systems, networks, and applications to identify vulnerabilities and provide recommendations for remediation. It can help you manage your organization’s vulnerabilities by identifying, prioritizing, and mitigating them before they can be exploited by attackers. Overall, Dionach’s 23 years’ experience and expertise in cybersecurity can help your organization improve its security posture and protect against cyber threats.

HOW WE WORK

We deliver the whole spectrum of cyber security services, from long-term, enterprise wide strategy and implementation projects to single penetration tests.

Our team works with you to identify and assess your organisation’s vulnerabilities, define enterprise-wide goals, and advise how best to achieve them.

Our recommendations are clear, concise, pragmatic and tailored to your organisation.

Independent, unbiased, personalised – this is how we define our services. We guide you to spend wisely and invest in change efficiently.

PENETRATION TEST FREQUENTLY ASKED QUESTIONS

We have documented frequently asked questions about our penetration test services. If you cannot find the answer to your questions, please do get in touch directly. We’ll be happy to help.

A penetration test is an assurance service where the actions of a malicious attacker are simulated to test the effectiveness of security controls on networks, applications, devices, and services. The aim of a penetration test is to identify as many vulnerabilities as possible on a given scope. Although a variety of tools are used, at Dionach penetration testing is predominantly a manual exercise using the skills of the qualified penetration tester.

A vulnerability scan is an automated series of tests that look for vulnerabilities within a given scope, producing a report of any known vulnerabilities it finds, with templated recommendations. Although a very useful exercise, vulnerability scanners are prone to flagging false positives and false negatives. They typically rely only on a database of known vulnerabilities, and do not attempt to chain vulnerabilities together. For example, a number of lower-risk vulnerabilities used in combination could lead to a critical-risk issue, which the vulnerability scanner would not highlight.


A penetration test, on the other hand, may use a series of automated tools initially to find any known vulnerabilities; however, the skills of the individual penetration tester are the driving force behind the exercise. The tester will verify the results of any scans they perform, eliminating false positives. They will look to produce proofs of concept for any discovered vulnerabilities. They will also use human intelligence and a systematic methodology to manually explore and exploit any discovered vulnerabilities. This would include combining vulnerabilities, exploring business logic, and applying their knowledge and experience.


Ideally, vulnerability scanning and penetration testing should complement each other. It is relatively inexpensive to run regular vulnerability scans against your networks and applications in order to highlight any new known vulnerabilities. However, penetration testing should still be done periodically, and with any significant changes to the scope.

Organisations that provide penetration testing services should possess both company and individual qualifications related to penetration testing, supported by organisations such as CREST and CHECK.

That depends upon the situation and your specific requirements. Many penetration testing engagements can be conducted remotely via the Internet, whether that be by direct access, or via VPN or a VM/device shipped to your network. Remote testing does have the advantage of reducing travel costs and expenses. In some circumstances, however, it may not be possible or desirable to provide remote access to the environment, so an onsite visit may be required. Additionally, some of our clients prefer our testers to complete some or all testing onsite, so they can more easily interact during the process. Options will be discussed during the scoping exercise to find the best solution for your project.

A variety of in-house developed and publicly available tools are used throughout the penetration test. These include various scanners, open-source intelligence (OSINT) tools, vulnerability scanners, web application scanning tools, HTTP proxies, exploits and scripts customised for the application or network. These tools are continually reviewed and updated by our security specialists to ensure we are always one step ahead of the constantly evolving threats. The most important part of a penetration test however is always the manual testing process, where the qualified consultant selects the relevant tools for each circumstance, or potential vulnerability.

These terms refer to the different levels of knowledge and access with which a penetration test engagement can be approached.

  • Black Box: This is where testing of a system or network is undertaken with no prior knowledge of its internal workings. From an assurance perspective, this means that testing is done without credentials or access to system documentation or source code.
  • Grey Box: This is where testing of a system or network is undertaken with limited knowledge. From an assurance perspective, this means that login credentials may be provided to the system, but these may be limited to non-administrator level. Also, limited or no documentation would be available.
  • White Box: This is testing of a system or network with full access to the entire system or network’s internal workings. This would typically include the tester having access to login credentials, design documents, source code, and stakeholder input.

Each of these approaches has its benefits when it comes to gaining assurance of the security of your systems, depending upon the aims of the test. Dionach’s consultant will walk through the best testing approach for your specific project during the scoping phase.

On a typical penetration test, you will be asked to whitelist the penetration tester and their source IP addresses on any Web Application Firewall (WAF) or Intrusion Prevention System (IPS). This may feel counterintuitive when you are looking to gain assurance of the security of your system. However, this is a common and practical means of getting the most out of your test. One thing a real attacker has is time. They can very slowly and patiently chip away at your system under the radar over a very long period of time, evading WAFs and IPS. A penetration tester has a fixed amount of time to find as many vulnerabilities as possible. As soon as a penetration tester starts a scan it is likely that they will be blocked, meaning they would have to work very slowly to avoid detection, increasing the time (and cost) needed for the engagement. Whitelisting the tester on the WAF/IPS allows them to more easily find and highlight as many vulnerabilities as possible, which can then be risk assessed and remediated. The WAF/IPS then provides an additional layer of protection over the top of an assured secure system.

There are situations where there may be a requirement to test the efficacy of a WAF/IPS, and there are many techniques that can be used to do this. For example, doing the initial test with the WAF/IPS off, to find as many vulnerabilities as possible, then doing an exercise afterwards to see how easily any serious issues could be exploited with the WAF/IPS on. During the scoping exercise, we ensure that we fully understand the requirements and recommend the most suitable method of testing.

Although all penetration testing companies will try and accommodate your requirement for penetration testing at the earliest opportunity, penetration testing services are in high demand, especially at certain times of the year. Our advice is to plan your penetration testing requirements in advance as much as possible to make sure you have time reserved for when you need it. At Dionach we will always ensure we match your service to the most appropriate consultant at the earliest availability. If an opportunity arises to move scheduled work to an earlier date, due to changes in availability, or cancellations, we will contact you.

If during the course of a penetration test, a serious issue is discovered that poses a significant risk to the system or network, Dionach will contact you as soon as the vulnerability is confirmed. At this point, knowledge transfer is key, and the consultant will be available to go over the detail of the vulnerability, and make recommendations for remediation, or mitigation.

At the conclusion of the penetration test, the tester puts together a detailed report of the findings of the test. The first part of the report is an executive summary which is an easily digestible summary of the findings, business implications and strategic recommendations. This is easily readable for technical and non-technical people and is useful when trying to get across the business implications of the findings.

The second part of the report is a detailed description of all highlighted issues, along with CVSS scores where appropriate, assessment of impact, likelihood of exploitation, and overall risk rating. Practical guidance and recommendations are made for each issue, within the context of the scope tested. These recommendations are manually constructed and are bespoke to your specific environment. The consultant is always available to discuss any of the issues once you have read the report, to ensure the full value is gained from the test.

That’s a difficult question to answer as it purely comes down to the scope of the exercise. A small scope of a network with very few exposed services, or a simple brochure website with limited functionality may be 3 days or even less. Larger, more complex applications or large networks may take significantly longer. A larger testing requirement of multiple applications and networks may take a number of weeks. As part of the scoping process, Dionach will ensure they fully understand what the scope of your test is, and what you are looking to achieve through the test, taking into account your budget, so that the optimum number of days is allocated.

One thing to note, is that although a specific number of days may be quoted for your test, this relates to the overall accumulation of time used, rather than a consecutive number of days. For example, a 5-day test could take place over a 2-week period, depending on the nature of the network or application. Any specific timeline requirements or deadlines within your project should be highlighted at the point of scoping / scheduling to ensure we can plan around those.

Every situation is potentially different, and there can be reasons to do either of these options. Testing on a live environment is very common, and very rarely causes any issues. It is probably the most common approach to penetration testing. Some organisations may be wary of exposing their live application, and there are a number of methods that can be taken in this case. This includes replicating the live environment in a test environment to carry out the testing, but then verifying the issues on the live site. Also specific tests could be carried out on either the live or test environment, e.g. application testing on test, and network testing on the live supporting network. During the scoping process, Dionach can explore the best option that fits in with your environment.

If your websites or networks are hosted by a third party, then permission from that provider will be required prior to testing. The requirements for this vary between hosting companies, with some companies allowing testing without approval on certain services, and others needing detailed forms to be filled in in advance. In anticipation of a penetration test, it is advised that the requirements around permissions for any services that are hosted by a third party be checked in advance, as without permission the penetration test could be delayed.

At the point of scheduling, a window of testing will be established, so you are aware when we are carrying out the test. This will include the days we have allocated to testing, and also a number of days post testing where any issues discovered may need to be verified by our Quality Assurance process. Past that, Dionach’s consultants conduct all their testing from a fixed set of IP addresses, which we will supply to you prior to the commencement of the test. All activity logged from those IP addresses will be us. However, if at any time during the test there are any concerns, the consultant will be available to verify anything or ask questions.

It is good practice during a penetration test to review your logs to confirm that you detect, or are alerted to, the activity of the penetration test. A penetration test generates many log entries, and it is good to ensure that your monitoring alerts you in some way to our activity.
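The following script is an added example, not a Dionach tool and not part of the original page. It shows the log review described above from the defender's side: given the fixed set of tester IP addresses supplied before the test and the agreed testing window, it reads web-server access-log lines in Apache/nginx "combined" format and separates expected tester activity from two things worth raising: tester addresses active outside the window, and non-tester sources producing repeated error responses during the window (which are not the test and belong to normal incident handling). The tester ranges (`TESTER_RANGES`), the window (`TEST_WINDOW`), the error threshold and the sample log lines are all constructed placeholders using RFC 5737 documentation addresses; substitute the values your testing company provides.

```python
"""
Triage web-server access-log lines during a penetration test window.

Added example, not the testing company's tooling. Assumptions:
  - the tester's source IPs/ranges are supplied in advance (TESTER_RANGES below
    uses RFC 5737 documentation addresses as placeholders);
  - the agreed testing window is known (TEST_WINDOW below is constructed);
  - log lines are in Apache/nginx "combined" format with a numeric timezone.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Placeholder allowlist: the fixed set of addresses the testing company supplies.
TESTER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed testing window in UTC: inclusive start, exclusive end.
TEST_WINDOW = (
    datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
    datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc),
)

# Combined log format: ip - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: two tester requests in the window, one tester request
# after the window closed, ordinary traffic, a noisy non-tester source, and junk.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2024:10:15:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Mar/2024:10:15:02 +0000] "GET /admin HTTP/1.1" 403 128 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Mar/2024:02:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Mar/2024:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.99 - - [05/Mar/2024:11:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 64 "-" "curl/8.0"
192.0.2.99 - - [05/Mar/2024:11:00:01 +0000] "GET /.env HTTP/1.1" 404 64 "-" "curl/8.0"
192.0.2.99 - - [05/Mar/2024:11:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 64 "-" "curl/8.0"
this line is not a log entry
"""


def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": ipaddress.ip_address(m.group("ip")),
        "ts": ts,
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def is_tester_ip(ip):
    return any(ip in net for net in TESTER_RANGES)


def in_window(ts, window=TEST_WINDOW):
    start, end = window
    return start <= ts < end


def classify(entry):
    """Label an entry as 'tester', 'tester-outside-window' or 'other'."""
    if is_tester_ip(entry["ip"]):
        return "tester" if in_window(entry["ts"]) else "tester-outside-window"
    return "other"


def triage(lines, error_threshold=3):
    """Count entries per label and collect concerns to raise with the consultant
    (tester activity outside the window) or with your own incident process
    (non-tester sources with repeated 4xx/5xx responses inside the window)."""
    counts = {"tester": 0, "tester-outside-window": 0, "other": 0, "unparsed": 0}
    concerns = []        # (reason, source ip, detail)
    errors_by_other = {}  # non-tester ip -> number of error responses in window
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        label = classify(entry)
        counts[label] += 1
        if label == "tester-outside-window":
            concerns.append(("tester IP active outside agreed window", str(entry["ip"]), entry["req"]))
        elif label == "other" and in_window(entry["ts"]) and entry["status"] >= 400:
            key = str(entry["ip"])
            errors_by_other[key] = errors_by_other.get(key, 0) + 1
    for ip, n in errors_by_other.items():
        if n >= error_threshold:
            concerns.append(("non-tester source with repeated error responses", ip, f"{n} responses >= 400"))
    return counts, concerns


if __name__ == "__main__":
    counts, concerns = triage(SAMPLE_LOG.splitlines())
    print("counts:", counts)
    print("monitoring saw the tester:", counts["tester"] > 0)
    for reason, ip, detail in concerns:
        print(f"CONCERN: {reason}: {ip} ({detail})")
```

A `tester` count of zero at the end of the first day of testing is itself a finding: either the tester's addresses were not supplied correctly or your logging and alerting did not capture the activity, and both are worth confirming with the consultant before the test continues.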

It is important to ensure that regular backups are in place and effective on all systems included in the scope of testing. This is best practice. It is incredibly rare for penetration testing to have any adverse effects on an environment, and Dionach take every precaution to ensure that the integrity and availability of our client’s network or system is not compromised in any way. Dionach conduct thousands of penetration tests per year without incident. However, it is never possible to give a 100% guarantee in any situation, and having backups is purely a precaution. We would expect no adverse effects to be experienced, and the DDI of the tester is available so that you can contact them immediately if anything untoward is noted.

Best practice is that penetration testing of systems and networks is conducted at least annually, and also whenever there are any significant changes.

There are a number of options for retesting the results of a penetration test, and Dionach will work with you to find the best option. Some clients like to have a full repeat of the original test after attempting to remediate the highlighted issues. Sometimes only the key issues, perhaps the critical and high-risk ones, are retested. At the end of the test, the tester can give guidance on their recommendations for retesting, to ensure you get the most out of the exercise.

A penetration test is a point in time assessment, and therefore it isn’t normally appropriate to issue a certificate relating to the website. However, a statement of works can be provided giving an overview of the penetration testing that has taken place, that can be shared with interested parties.

Although the final penetration test report has a great amount of detail relating to findings from the penetration test, it may not always be desirable to share the full detail with interested parties. In these circumstances, a high-level summary report can be produced, giving an overview of what was tested, and the types of vulnerabilities and risk levels that were found, without revealing sensitive details. This can then be shared more safely with stakeholders.
