ScanWave Security Testing Methodology
Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network.
It often involves launching real attacks on real systems and data that use tools and techniques commonly used by attackers.
Most penetration tests involve looking for combinations of vulnerabilities on one or more systems that can be used to gain more access than could be achieved through a single vulnerability.
Penetration testing can also be useful for determining how well the system tolerates real world-style attack patterns, the likelihood level of sophistication an attacker needs to successfully compromise the system, additional countermeasures that could mitigate threats against the system Defenders’ ability to detect attacks and respond appropriately.
Penetration testing can be invaluable, but it is labor-intensive and requires great expertise to minimize the risk to targeted systems. Systems may be damaged or otherwise rendered inoperable during the course of penetration testing, even when the organization benefits in knowing how a system could be rendered inoperable by an intruder.
Although experienced penetration testers can mitigate this risk, it can never be fully eliminated. Penetration testing should be performed only after careful consideration, notification, and planning.
Penetration Testing Phases
ScanWave methodology based on NIST SP 800-115 Penetration testing methodology consists of four phases:
In the planning phase, rules are identified, management approval is finalized and documented, and testing goals are set. The planning phase sets the groundwork for a successful penetration test. No actual testing occurs in this phase.
The first part is the start of actual testing, and covers information gathering and scanning, Network port and service identification and it is conducted to identify potential targets In addition to port and service identification, other techniques are used to gather information on the targeted network:
Host name and IP address information
Can be gathered through many methods, including DNS interrogation, WHOIS queries, and network sniffing (generally only during internal tests).
Employee names and contact information
Can be obtained by searching the organization’s Web servers or directory servers.
System information, such as names and shares
Can be found through methods such as NetBIOS enumeration (generally only during internal tests) and Network Information System (NIS) (generally only during internal tests).
Application and service information
Such as version numbers, can be recorded through banner grabbing. In some cases, techniques such as dumpster diving and physical walkthroughs of facilities may be used to collect additional information on the targeted network. They may also uncover additional information to be used during the penetration tests, such as passwords written on paper.
The second part of the discovery phase is vulnerability analysis, which involves comparing the services, applications, and operating systems of scanned hosts against vulnerability databases (a process that is automatic for vulnerability scanners) and the testers’ knowledge of vulnerabilities.
Human testers can use their own databases—or public databases such as the National Vulnerability Database (NVD) — to identify vulnerabilities manually.
Executing an attack is at the heart of any penetration test. It is the process of verifying previously identified potential vulnerabilities by attempting to exploit them.
If an attack is successful, the vulnerability is verified, and safeguards are identified to mitigate the associated security exposure. In many cases, exploits that are executed do not grant the maximum level of potential access to an attacker.
They may instead result in the testers learning more about the targeted network and its potential vulnerabilities or induce a change in the state of the targeted network’s security.
Some exploits enable testers to escalate their privileges on the system or network to gain access to additional resources. If this occurs, additional analysis and testing are required to determine the true level of risk for the network, such as identifying the types of information that can be gleaned, changed, or removed from the system.
Testing and analysis of multiple systems should be conducted during a penetration test to determine the level of access an adversary could gain.
The reporting phase occurs simultaneously with the other three phases of the penetration test. In the planning phase, the assessment plan is developed. In the discovery and attack phases, written logs are usually kept, and periodic reports are made to system administrators and/or management.
At the conclusion of the test, a report is generally developed to describe identified vulnerabilities, present a risk rating, and give guidance on how to mitigate the discovered weaknesses.
Segmentation Penetration Testing
A segmentation Penetration Testing is a series of penetration tests used to validate that less-secure networks are not able to communicate with high-secure networks, we are testing the controls required by international standards such as PCI DSS, SWIFT CSP, ISO, NIST CSF to make sure the segmentation in your business is working properly and doesn’t have any security threats.
Network segmentation is a common practice to reduce risk within a network environment by restricting access to high-security networks. There are three main types of segmentation that are typically used today:
3Air gap (physically independent infrastructure)
The most common form of segmentation that we encounter is through firewall rules. By isolating less-secure networks from high-secure networks, businesses can ensure that a compromise in the less-secure network does not affect the security of other high-security networks.
In addition to reducing risk, network segmentation can also reduce the time and cost associated with becoming PCI compliant. Through isolation of less-secure networks from the CDE, the requirements defined in the PCI DSS do not apply to the less-secure networks.