A penetration test is one of the security testing methods used to identify weaknesses in a system, application or network. It is conducted to find security risks that might be present in the system. It is a hands-on exercise, not a theoretical or paper-based audit.
The penetration test team attempts to exploit vulnerabilities in the organization's security using the tools and techniques of a real attacker. The aim of the testing team is to find security weaknesses under controlled circumstances so that the vulnerabilities can be eliminated before unauthorized users exploit them. Penetration testing is an authorized simulation of what hackers (unauthorized users) would do.
Basically, a penetration test is a hacking simulation conducted to create an event as close as possible to a real attack and so test an environment's cyber security posture, and there are many reasons why penetration tests are important for every organization. At the contract or agreement stage the client should know which professionals are going to do the job, so that the company being hired can be checked against the role requirements.
Penetration test results increase the awareness of management and assist them in important decision-making.
Definition for Penetration Test
“Identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components” – Payment Card Industry Security Standards Council
Before we commence with testing, there are requirements you have to consider. You will need to determine the proper scoping of the test, timeframes and restrictions, the type of testing and how to deal with third-party equipment and IP space.
Before you can accurately determine the scope of the test, you will need to collect as much information as possible. It is vital that the following is fully understood before testing begins:
• Who has the authority to authorize testing?
• What is the purpose of the test?
• What is the proposed timeframe for the testing? Are there any restrictions as to when the testing may be executed?
• Does your client understand the difference between a vulnerability assessment and a penetration test?
Why this topic
With existing and new legislation on data privacy, it has become mandatory for every organization to comply with these standards. GDPR is one such new regulation; it came into force in the EU in May 2018.
Sensitive or personal data is captured by almost every system, and it is always a question how well it is secured. This is where penetration testing plays its role: evaluating systems against data theft and other security attacks. But a penetration test is performed by attacking the systems, which can expose sensitive information, so what happens to the sensitive data that a security hole reveals to the security professionals? What counts as sensitive also differs between geographical regions and industries. For example, a postcode is sensitive in Singapore but not in Australia, because a Singapore postcode identifies an individual building whereas an Australian postcode covers a whole suburb or town.
Why is this required now a day?
Cybercrime is the most prevalent threat to every organization in the world, and one of the biggest problems facing mankind. The impact on society is reflected in the numbers. Last year, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.
This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined. The cybercrime prediction stands, and over the past year, it has been corroborated by hundreds of major media outlets, universities and colleges, senior government officials, associations, industry experts, the largest technology and cyber security companies, and cybercrime fighters globally.
The damage cost projections are based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation state sponsored and organized crime gang hacking activities, and a cyber attack surface which will be an order of magnitude greater in 2021 than it is today.
Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm. Cyber attacks are the fastest growing crime in the U.S., and they are increasing in size, sophistication, and cost.
The Yahoo hack was recently recalculated to have affected 3 billion user accounts, and the Equifax breach in 2017 (143 million customers affected) is among the largest publicly disclosed hacks ever reported. These major hacks, alongside the WannaCry and NotPetya cyber attacks which occurred in 2017, are not only larger in scale and more complex than previous attacks; they are a sign of the times.
“We are edging closer and closer to seeing Cybersecurity Ventures’ $6 trillion in costs attributed to cybercrime damages globally,” says Robert Herjavec, Founder and CEO of Herjavec Group, a Managed Security Services Provider with offices and SOCs (Security Operations Centers) globally.
Penetration Test Method
External Testing
This method targets the assets of an organization that are visible on the internet, e.g. the web application itself, email, the company website and domain name servers (DNS). The goal is to gain access and extract valuable data.
Internal Testing
In an internal test, a tester with access to an application behind its firewall simulates an attack by a malicious insider. This isn’t necessarily simulating a rogue employee. A common starting scenario is an employee whose credentials were stolen in a phishing attack.
Blind Testing
In a blind test, a tester is only given the name of the enterprise that’s being targeted. This gives security personnel a real-time look into how an actual application assault would take place.
Double Blind Testing
In a double blind test, security personnel have no prior knowledge of the simulated attack. As in the real world, they won’t have any time to shore up their defenses before an attempted breach.
Targeted Testing
In this scenario, both the tester and security personnel work together and keep each other apprised of their movements. This is a valuable training exercise that provides a security team with real-time feedback from a hacker’s point of view.
Penetration Testing Tools
Steps for Penetration Test
The pen testing process can be broken down into five stages.
1. Planning and reconnaissance
The first stage involves:
o Defining the scope and goals of a test, including the systems to be addressed and the testing methods to be used.
o Gathering intelligence (e.g., network and domain names, mail server) to better understand how a target works and its potential vulnerabilities.
2. Scanning
The next step is to understand how the target application will respond to various intrusion attempts. This is typically done using:
Static analysis – Inspecting an application’s code to estimate the way it behaves while running. These tools can scan the entirety of the code in a single pass.
Dynamic analysis – Inspecting an application’s code in a running state. This is a more practical way of scanning, as it provides a real-time view into an application’s behaviour.
3. Gaining access
This stage uses web application attacks, such as cross-site scripting, SQL injection and backdoors, to uncover a target’s vulnerabilities. Testers then try and exploit these vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic, etc., to understand the damage they can cause.
4. Maintaining access
The goal of this stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited system— long enough for a bad actor to gain in-depth access. The idea is to imitate advanced persistent threats, which often remain in a system for months in order to steal an organization’s most sensitive data.
5. Analysis
The results of the penetration test are then compiled into a report detailing:
– Specific vulnerabilities that were exploited
– Sensitive data that was accessed
– The amount of time the pen tester was able to remain in the system undetected
This information is analyzed by security personnel to help configure an enterprise’s WAF settings and other application security solutions to patch vulnerabilities and protect against future attacks.
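The gaining-access stage above names SQL injection as a typical web application attack. The following is an added example written for this page (not code from the original article) showing the weak pattern a tester looks for beside its hardened form, run against a constructed in-memory SQLite table with invented accounts. The tautology payload is the classic one used during testing; the passwords are stored in clear text only to keep the injection point isolated, which a real system would never do.

```python
import sqlite3

# Constructed sample data for this example: an in-memory SQLite table with two
# invented accounts. Nothing here comes from a real system.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "battery-staple", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string concatenation. Attacker-controlled input
    becomes part of the SQL text, so a quote in the input rewrites the query."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(query).fetchone()


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup as a parameterised query. The driver sends the values
    separately from the SQL text, so input can never alter the query structure.
    (A real login would compare a password hash, not the clear-text value.)"""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo() -> dict:
    """Run a legitimate login and a bypass attempt through both versions."""
    conn = build_db()
    # Tautology payload: closes the password literal and appends OR '1'='1',
    # so the WHERE clause is true for every row in the vulnerable version.
    payload = "' OR '1'='1"
    return {
        "legit_vuln": login_vulnerable(conn, "bob", "battery-staple"),
        "legit_hard": login_hardened(conn, "bob", "battery-staple"),
        "bypass_vuln": login_vulnerable(conn, "anything", payload),
        "bypass_hard": login_hardened(conn, "anything", payload),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:12s} -> {row}")
```

Against the vulnerable function the bypass returns a real account (whichever row the engine reaches first, here an admin), which is exactly the finding a tester would record for the report stage; against the hardened function the same payload simply fails to match any user.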
Scope and Goals of the Penetration Testing:
• Identifying gaps in security: with the help of a penetration test the organization can identify gaps in system security and develop an action plan to reduce the threat.
• Help to create a strong business case: the penetration test report helps managers build a strong business case for carrying the security message into the implementation stage.
• To discover new threats: penetration testing helps the organization find new threats.
• To focus internal security resources: a penetration test and its security analysis allow the organization to focus its internal security resources where they matter most.
• To meet regulatory compliance: the organization can demonstrate regulatory compliance using penetration test results.
• To find the weakest link: a penetration test and security audit help the firm find the weakest link in its intricate structure and provide a security baseline for all typical entities.
• Provide validation feedback: a penetration test delivers validation feedback to business entities and the security framework, which leads the organization to reduce risk at the implementation stage.
Limitations of Penetration Test
• Identifies potential access paths, not every path an attacker might eventually find
• Identifies only the vulnerabilities that pose a threat at the time of the test
• May miss an obvious vulnerability if it falls outside the agreed scope or the tester's approach
• Cannot provide information about vulnerabilities disclosed after the test was performed
• Cannot identify every server-side vulnerability; coverage is bounded by the time and access the tester is given
Code of ethics for Penetration Tester
Every penetration tester working in the information security industry needs a code of ethics, both to serve the client better and to avoid any illegal activity. For this reason penetration testing companies require their testers to sign an NDA (non-disclosure agreement), so that clients are protected and the work complies with the laws of the location, since the legal framework differs from one country to another.
The penetration tester must also be aware of the current laws and remain completely ethical and professional at all times, because the information security industry is not that big and a single mistake can mark your career. In my personal opinion the following are some of the ethical standards a penetration tester must have:
– Serve and protect the client and uphold the security profession
– Never take personal copies of client’s data
– Never perform unauthorized testing
– Don’t discuss findings with unauthorized people
– Don’t publish vulnerabilities without permission
– Test everything in scope and never go outside
– Observe all legal requirements
– Act with integrity
– Avoid conflicts of interest
– Avoid FUD
– Avoid hubris
– Protect client’s data (encryption etc.)
– Don’t associate with black-hat hackers
Legal Issues of Penetration test
When considering the legal aspects, the issues discussed below can arise. Even where testing is carried out with good intentions, it is illegal if it is not authorized, because it breaches the Computer Misuse Act 1990. This Act is discussed below.
The Computer Misuse Act 1990
The Computer Misuse Act 1990 is an Act of the UK Parliament; the Bill became the Computer Misuse Act in August 1990. As passed, the Act introduced three new criminal offences, and a fourth was added by the Police and Justice Act 2006:
– Unauthorized access to computer material
– Unauthorized access to computer material with the intent to commit or facilitate commission of further offences
– Unauthorized modification of computer material (now framed as unauthorized acts with intent to impair the operation of a computer)
– Making, supplying or obtaining articles for use in computer misuse offences (added in 2006)
1. Legal Authority
Ethical hackers would only try to penetrate a system at the behest of the proprietor or operator of the system, or otherwise test systems with the actual or implied consent of someone with authority.
Computer crime laws, like Computer Misuse Act 1990 make it a crime to access or attempt to access a computer or computer network without authorization or in excess of authorization. What constitutes “authorization” and who can authorize such access can quickly get muddy.
So Pen Testers must make sure that they have written, signed and clearly enunciated authorization to conduct their tests.
Get Out of Jail Free
The “Get out of jail free” statement is a document that the customer should give to the pen tester to prove that penetration testing is permitted, and that the customer is authorized to give this permission. There is no unified get-out-of-jail-free form to fill in, but usually it begins with the explanation of reasons for testing followed by the pen tester’s and the customer’s names and signatures.
Sometimes, additional permissions or restrictions are required. A vivid example is penetration testing in a cloud environment. In this case the customer’s authorization is not enough: the cloud service provider’s penetration testing policy must be followed as well, and some providers require prior notification or approval. The provider acts as a controlling body ensuring that the test covers only the part of the network that belongs to the customer.
2. Damage Control
Another legal issue arises when a pen test is conducted on a production or live system: the potential impact the test may have on the users of that system. So when conducting a pen test it is important to inform the customer in writing about the potential harm, damage or disruption that may occur even when the test is performed perfectly.
This “harm” or “damage” includes harm resulting from the system’s or its users’ response to the test itself, for example a test against a live system that causes slowness or takes the system down. This covers not only “ordinary” damages but “consequential” and “incidental” damages as well.
You have a contract that specifically authorizes the pen test, and you have agreed that you will not be liable for damages you cause. But then there are those pesky third parties.
Suppose you test a hospital system and during the testing some patient medical records are destroyed. The hospital administration and the tester signed an agreement for the penetration test, but the patients, as third parties, were affected by the testing, and they sue you. Under the Data Protection Act 1998 (since replaced by the Data Protection Act 2018 and GDPR), the Computer Misuse Act 1990 and the Human Rights Act, patient medical records are especially sensitive data that must be protected from unauthorized access. Whether such data is shared with others or lost, the impact on third parties is severe.
In addition to specifying responsibility for damages, you want the customer to indemnify and hold you harmless for damages resulting from you doing what you say you are going to do.
You need to consider the scope of this indemnification. What if the customer provides you with the wrong IP address range, and you “hack” the wrong person? The indemnification can include the damages from the other system having to respond and/or secure them. But what if the FBI kicks in the door of one of your pen testers and injures (or worse) the pen tester, a colleague or a family member because someone reported the pen tester as a “hacker?” Who is liable for the damages then? Again, these are all points of negotiation, but you will not know if you do not ask.
Back-hacking is the process of identifying attacks on a system and, if possible, identifying the origin of the attacks. It can be thought of as a kind of reverse engineering of hacking efforts, where security consultants and other professionals try to anticipate attacks and work out adequate responses. A mis-targeted test may therefore be traced back to the tester by the party on the receiving end, which is one more reason to keep the authorized scope exact.
5. Scope of Work
Also, a pen test agreement should specify exactly what will and will not be done, and the assumptions that underlie the agreement. For example, if the pen test is simply an “external” vulnerability assessment, we need to define the perimeter (what is “external”) and the scope of the test. The same is true for an internal pen test, what is being tested, how and for what purpose. Avoid terms like “state of the art” that have no real meaning, and simply elevate expectations. Nobody and I repeat nobody ever uses “state of the art” anything. By the time the agreement is signed, the state of the art has moved on.
What kind of pen test are you conducting? Are you just doing a port scan? Turning on Nessus and leaving? And what do you warrant and represent that you will find? A typical pen test agreement should warrant that the tester will use the professionalism and skills commonly found in the industry, but not promise that the test will find all, or even substantially all, vulnerabilities or misconfigurations. Remember, it is as important to document the lack of findings as it is to document the findings themselves.
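Both the scope-of-work clause above and the earlier “wrong IP address range” scenario come down to one operational control: every target a tester touches must be checked against the signed scope before any packet is sent. The following is an added example written for this page (not code from the original article) of such a pre-flight check. The authorized ranges (RFC 5737 documentation addresses), hostnames, exclusion and test window are all invented to stand in for what a real agreement would list. It cannot catch a customer who signs off the wrong range; it catches the tester’s typos and blocks that spill past the agreed boundary.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed scope for this example; a real one is copied from the signed
# authorization letter. Documentation ranges are used so nothing here is real.
AUTHORIZED_RANGES = ["192.0.2.0/24", "198.51.100.0/25"]
AUTHORIZED_HOSTS = {"www.example.com", "mail.example.com"}
EXCLUDED = ["192.0.2.250/32"]          # e.g. a fragile production host
WINDOW = (
    datetime(2024, 3, 2, 22, 0, tzinfo=timezone.utc),
    datetime(2024, 3, 3, 6, 0, tzinfo=timezone.utc),
)


def in_window(now: datetime, window=WINDOW) -> bool:
    """True only inside the agreed testing window (both ends inclusive)."""
    start, end = window
    return start <= now <= end


def classify(target: str, ranges=AUTHORIZED_RANGES, hosts=AUTHORIZED_HOSTS,
             excluded=EXCLUDED) -> str:
    """Return 'ok', 'excluded' or 'out-of-scope' for one target.
    The target may be a single IP, a CIDR block or a hostname."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        # Not an address: treat it as a hostname and require an exact match.
        return "ok" if target.strip().lower() in hosts else "out-of-scope"
    # Any overlap with an exclusion refuses the whole target rather than
    # trimming it; the tester should re-enter a narrower block deliberately.
    if any(net.overlaps(ipaddress.ip_network(x)) for x in excluded):
        return "excluded"
    # A block must sit entirely inside one authorized range; a partly
    # overlapping block would spill onto addresses nobody signed for.
    for r in ranges:
        auth = ipaddress.ip_network(r)
        if auth.version == net.version and net.subnet_of(auth):
            return "ok"
    return "out-of-scope"


def check_targets(targets, now: datetime) -> dict:
    """Bucket a proposed target list. Outside the window everything is
    refused, because a time-restricted scope is no scope at other times."""
    result = {"ok": [], "refused": [], "reason": None}
    if not in_window(now):
        result["refused"] = list(targets)
        result["reason"] = "outside agreed testing window"
        return result
    for t in targets:
        bucket = "ok" if classify(t) == "ok" else "refused"
        result[bucket].append(t)
    return result


if __name__ == "__main__":
    proposed = ["192.0.2.17", "192.0.2.250", "198.51.100.0/24",
                "mail.example.com", "intranet.example.com", "2001:db8::1"]
    print(check_targets(proposed, datetime(2024, 3, 3, 1, 0, tzinfo=timezone.utc)))
```

Feeding the approved list, rather than a hand-typed one, into the scanner is the point: the report can then state that every address touched was inside the signed scope during the agreed window, which is the evidence you want if a third party later claims damage.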
7. Licensing and Certification
GIAC offers certification in penetration testing (GPEN.) Similarly, IACRB offers certification in pen testing proficiency (CEPT.) The EC Council offers licensing of penetration testers (LPT).
8. Venue and Jurisdiction
Another key issue in pen test contracts is to determine where the pen test is being conducted, and which law and courts govern the agreement, since the applicable laws differ between countries.
9. Privacy Issues
A successful pen test can result in the pen tester getting into a computer or computer network that they should not have had the ability to access. It may also mean accessing data or databases containing sensitive personal information, credit card information, personally identifiable information (PII) or protected health information (PHI).
The pen test may expose the tester to sensitive information about citizens of the European Union, such as sexual orientation or political affiliation, whose privacy is protected by law. Is the tester’s access to that information a “breach” of the database which must be reported? Must the pen tester sign a “Business Associate Agreement” agreeing to protect the data they just accessed? The pen tester must understand the scope and extent of their duty to protect all data they access.
10. Data Ownership
One issue that rears its head during pen tests is, who owns the information that results from the test? Clearly, the pen tester owns the methodology and the report template. Clearly, the customer “owns” the findings and recommendations. But what if the pen tester develops new methodologies for conducting pen tests or solving configuration problems on the customer’s dime? Who owns these “works for hire?” Another matter for the lawyers to resolve.
11. Duty To Warn
Saying that the customer owns the report of the pen test creates another problem. Networks rarely stand alone. They are interconnected. What should a pen tester do if they discover major unplugged vulnerabilities that will impact customers, third parties, or the population as a whole? Is their duty only to tell the customer and keep quiet? What if they discover a zero-day vulnerability that may have system wide or industry wide impact? What should they do then? Even if the customer “owns” the data, does this mean that the customer can control the use of the knowledge the pen tester obtains? It’s all a matter of what the contract says, and what the Courts will enforce.
Ethical Issues of Penetration test
Ethics is the study of morality. In penetration testing it is hard to define the line between ethical and unethical, and there will always be a grey area that professionals reach in the course of a test. When a tester takes personal copies of a client’s data, performs unauthorized testing, discusses findings with unauthorized people, publishes vulnerabilities without permission or associates with black-hat hackers, these actions go against the code of ethics described above.
Social Issues of Penetration test
During penetration testing, going further than the engagement intends in order to produce a more impressive outcome is a misuse of the resource, whether software, hardware or data. There are acts in place to take action against this, but they differ from country to country and are amended as new issues around personal data arise.
There are also issues that affect not an individual but a community or group. To prevent that, the acts cover personal beliefs as well, for example religious beliefs and ethnicity. Publishing test results in order to damage a company’s reputation is another social harm.
Professional Issues of Penetration test
Some professional issues may arise between a tester and the client. Testers may perform ineffective work. Organizations mostly hire testers from outside and cannot know them well, so on what grounds should a tester be given access to sensitive data, and what are the consequences of that access being investigated? The customer may be blamed or suspected in any data loss or disclosure. Who will guarantee the security of the lost data? The client may in turn blame the tester for the loss of data or confidentiality.
Suggestion for the issues
Penetration Test concerns with IT Professionals development
Nowadays cyber attacks are the fastest growing crime, and they are increasing in size, sophistication and cost. Every organization wants to test its defensive measures regularly.