Penetration Testing

The preservation of confidential information and the reputation of the company depend on how reliably the IT infrastructure is protected from intruders. That is why it is important to test its security in practice. Even the best set of protections can have incorrect configuration settings, which leads to vulnerabilities and increases the likelihood that threats will be realized.

Penetration testing work is aimed at:

  • Obtaining an independent and comprehensive assessment of the current level of security.
  • Obtaining an independent assessment of employees' information security awareness.
  • Developing recommendations to eliminate the identified vulnerabilities.

In the course of the work, external and internal security analyses are carried out, as well as testing by social engineering methods.

Tasks solved during security analysis:

  • Identification of IS vulnerabilities and methods of their exploitation.
  • Checking the possibility of penetration from external networks into the local area network.
  • Development of recommendations for increasing the level of security by eliminating the identified vulnerabilities.

If an action (for example, the exploitation of a particular vulnerability) could disrupt the operation of the resources under investigation, that work is carried out only after additional approval. If necessary, depending on the selected work scenario, work is carried out after testing to eliminate any negative impact on the resources.

If, in the course of work on security analysis, a decision is made on the need to immediately eliminate the identified vulnerabilities, then the following actions are taken:

  • recording the results of exploiting the vulnerability (in the form of screenshots, recordings of the specialists' actions, system operation logs, etc.)
  • identifying the need for a fix and agreeing on how the vulnerability will be fixed
  • elimination of the vulnerability

Testing stages

When performing security analysis work, universal vulnerability scanners are used to detect vulnerabilities in applications, operating systems, and network infrastructure, along with specialized software. Penetration testing is carried out in the following three stages:

Stage 1 - external security analysis:

The work is carried out remotely using external data transmission networks (Internet).

  • Drawing up a plan for conducting external security analysis and its coordination with the working group
  • External security analysis
  • Analysis of the results, preparation of the report, and its coordination with the working group

Stage 2 - internal security analysis:

The work is carried out at the customer's site.

  • Drawing up an internal security analysis plan and agreeing on it with the working group
  • Internal security analysis
  • Analysis of the results, preparation of the report, and its coordination with the working group

Stage 3 - social engineering testing:

The work is carried out remotely using external data transmission networks (Internet).

  • Drawing up a test plan using social engineering methods and agreeing on it with the working group
  • Social Engineering Testing
  • Analysis of the results, preparation of the report, and its coordination with the working group

External security analysis

The purpose of this stage of work is to test the capabilities of an attacker to carry out unauthorized access to resources and confidential information.

Security analysis is carried out according to the “black box” model (lack of authorized access, initial configuration data, and information security tools used).

As part of external security analysis, the following types of work are performed:

  • collection of publicly available information about external resources reachable from external data transmission networks
  • collection of data on the infrastructure (network services, operating systems, and application software of external resources) and identification of vulnerabilities using specialized software and universal security scanners
  • search for vulnerabilities in resources and their infrastructure components using security scanners and specialized software
  • exploitation of the identified vulnerabilities, using specialized software and manually, to determine the relevance of the identified vulnerabilities and the possibility of obtaining unauthorized access to software components and confidential information

In the process of searching for vulnerabilities, the presence of, inter alia, the following main types of vulnerabilities is checked:

  • code snippet injection (for example, SQL statement injection, operating system command injection)
  • insecurely implemented authentication and session management procedures
  • cross-site scripting
  • access control errors (for example, direct links to objects with confidential information, directory traversal vulnerabilities)
  • unsafe software configuration (for example, enabling directory listing)
  • disclosure of confidential information (for example, providing the user with personal data of other users)
  • errors limiting user access to certain functions
  • cross-site request forgery
  • incorrect error handling, providing additional information about the system under investigation
  • use of OS and software with known vulnerabilities
  • open redirect
  • XML external entity processing
  • using simple passwords for authentication

Internal security analysis

The purpose of this stage of work is to check the capabilities of an attacker to implement unauthorized access to resources and confidential information.

Security analysis is carried out according to the "gray box" model (with the provision of authorized access to systems).

As part of the internal security analysis, the following types of work are performed:

  • collection of data on the infrastructure (network services, operating systems, and application software of external resources) and identification of vulnerabilities using specialized software and universal security scanners
  • search for vulnerabilities in the Customer's resources and their infrastructure components using security scanners and specialized software
  • exploitation of the identified vulnerabilities, using specialized software and manually, to determine the relevance of the identified vulnerabilities and the possibility of obtaining unauthorized access to software components and confidential information

In the process of searching for vulnerabilities, the presence of, inter alia, the following main types of vulnerabilities is checked:

  • code snippet injection (for example, SQL statement injection, operating system command injection)
  • insecurely implemented authentication and session management procedures
  • cross-site scripting
  • access control errors (for example, direct links to objects with confidential information, directory traversal vulnerabilities)
  • unsafe software configuration (for example, enabling directory listing)
  • disclosure of confidential information (for example, providing the user with personal data of other users)
  • errors limiting user access to certain functions
  • cross-site request forgery
  • incorrect error handling, providing additional information about the system under investigation
  • use of OS and software with known vulnerabilities
  • open redirect
  • XML external entity processing
  • using simple passwords for authentication


Social Engineering Testing

The purpose of this stage of work is to assess the awareness of the customer's employees in information security issues.

As part of testing using social engineering methods, attacks on customer employees are carried out according to the following scenarios:

  • Phishing - An attack is carried out by email. Example of an attack: an employee is sent a link, on behalf of the company, to a "new and very useful service" for their work. The letter contains a description of the service and how exactly it should help that specific employee in their work, together with a request to check that everything works correctly. The work is aimed at getting the employee to visit this service and try to register using domain credentials.
  • Trojan Horse - An attack is carried out by email. Example of an attack: an executable file is sent to an employee, with the content of the letter varying according to the employee's position: an agreement for a manager, a list of errors for a programmer, etc. The work is aimed at getting the employee to launch the program on their local computer and at recording the fact that such a program was launched.
  • Phone Attack - An attack is carried out by phone call. The work is aimed at gaining the employee's trust with a believable legend and then obtaining the employee's confidential information or credentials. Example of a legend: "A new employee of the tech support team is doing their first task of deploying the service and needs to check that it works correctly. They ask the employee for help: either log in yourself, or tell me your username and password."

Analysis of results

The result of the work is a report containing the following information:

  • Purpose and boundaries of the work carried out.
  • The composition and methodology of the security analysis work.
  • List of current information security vulnerabilities.
  • The results of the checks carried out.
  • Results of exploiting the current information security vulnerabilities.
  • Recommendations for eliminating the identified information security vulnerabilities and increasing the level of security.
