Network Penetration Testing: Service Overview

All network penetration testing services are based around the OSSTMM methodology for security testing which is detailed below. We have found that this is the only method that fully encompasses every attack method and is the only way to ensure that there is a thorough understanding of your networks vulnerabilities.

The penetration tester is given IP address range information for the external test. And in addition if an Internal test is required, then nominated servers and desktops addresses are also supplied. From this we produce a document that is sent to one executive or IT contact in your company. As part of the testing service we will sign a non-disclosure agreement so that you can be assured that the penetration tester will not divulge any sensitive information regarding your network to anybody other than your chosen contact internally.

We perform our penetration tests against all operating systems and security devices available on the market and continuously update our methods.

OSSTMM Methodology

The OSSTMM was originally designed by Pete Herzog who was IBM’s Chief Ethical Hacker for many years.

These tests will be investigating the security from the external side of your network, around your perimeter and in the DMZ, VPN and Web services. It will take 2 days to perform these tests which can begin once we have your written approval to proceed. The information can be used to assess the next stage of your security beyond these systems if a potential hacker was to breach the security around this part of your site.

Each of the modules of the OSSTMM outputs a dataset, which can then be classified in terms of Risk Assessment Values (RAV). RAVs serve to quantify the results of each module, which in turn tells security testers how long information remains useful and ‘current’. In REAL world terms, a relative Risk Value is assigned to systems under test – each end user is willing to accept different levels of risk, and this allows them to determine how often they want regular testing to be carried out and how much risk they are willing to take on board.

OSSTMM Module

– Network Surveying – Intrusion Detection System (IDS) Testing
– Port Scanning – Security Policy Review
– System Fingerprinting – Document Grinding (Electronic Dumpster Diving)
– Services Probing – Competitive Intelligence
– Automated Vulnerability Scanning – Trusted Systems Testing
– Exploit Research – Password Cracking
– Manual Vulnerability Testing and Verification – Denial of Service Testing
– Application Testing – Privacy Policy Review
– Firewall & Access Control List Testing – IDS & Server Logs Review
Web Application Penetration Testing: Service Overview

Standards

We adhere to the following industry recognised standards and methodologies:

OWASP Open Web Application Security Project
OSSTMM The Open Source Security Testing Methodology Manual

Overview

A web application penetration test service is designed to go further than a standard network penetration test service, due to the nature of the target. It is aimed at web based applications whose main method of delivery is via HTTP or HTTPS. This includes the most widely deployed applications from Websphere, SAP, Oracle, Peoplesoft, SSA and Geac through to bespoke developments in the commonly used development languages and environments.

Traditional penetration testing services target the network defences and the host servers’ operating systems. Web security testing targets the Web application directly, which ensures that the latest attack vectors are tested. Multi-layered web architectures give deep access to internal systems such as SQL databases, and potentially the operating system itself. In addition, a large proportion of web application attacks can pass by traditional Network Firewalls and IDS systems undetected.

Web application testing is designed to be deployed in tandem with traditional network and host penetration testing. If a Web application is visible publicly when deployed across the Internet via HTTP or HTTPS or is visible to internal users when deployed in an Intranet/Extranet environment then it is a candidate for testing.

Test Offerings

Outlined below are a number of different test offerings. These can be undertaken either independently or combined as part of a more comprehensive testing program.

External Penetration Testing Service

The penetration tester will begin by running a number of vulnerability scans against the corporate external network which are designed to assess your systems and map the external configurations and security systems of the network. Once this has been completed, the penetration tester, based on these results, will then attempt a number of non-destructive attacks and manual verification of any vulnerabilities found. This involves such attacks as vulnerability exploitation, password cracking, buffer overflows etc. These attacks are targeted around the Firewall, VPN intercepts, Routers, Vulnerable Internet services and any system accessible from the Internet.

These will follow along the lines of:

– Network Surveying – Trusted Systems testing
– Port scanning – Password Cracking
– System fingerprinting – Manual Vulnerability Testing and Verification
– Services probing – Firewall and Access Control List Testing
– Automated Vulnerability Scanning – Exploit Research

Internal Security Testing Service

In addition the above concepts can also be applied to servers and devices on internal networks. This puts the penetration tester in the position of an employee/contractor and gives a good indication of the security posture of an organisations’ systems and processes from an Internal/Trusted perspective. The tests follow the same format as the external penetration test service but are typically not thwarted by the same restrictions as an external test; because of the trust assumption many organisations’ have around internal hosts/users. In around 75-80% of Internal penetration test services carried out, it is relatively trivial to navigate between hosts on the internal network once a single vulnerable host is identified and compromised.

Web Site Security Assessment

This test is designed to assess the security of an application that is being accessed via an internet connection and browser and is being served by a web application server.

The tests that the penetration tester will carry out are designed to try and exploit weaknesses in the application, and do not focus on exploiting weaknesses in the underlying server or infrastructure.

These tests are carried out without the tester being provided with details of the application structure. The testing service is carried out using a mixture of publicly available and commercial tools together with the testers own tools and experience.

These tests include the following: (Partial List)

– SQL injection – DMZ protocol attacks
– Cross site scripting – Debug backdoors
– DNS attacks – Forceful browsing
– Cookie poisoning – Buffer overflows
– Denial of service (Removed) – Site defacing test
– Directory traversal – Session hijacking
– Authentication bypass – Input validation
– CGI vulnerabilities – Attack obfuscation

All of the known web application attacks are investigated and manually verified over the course of the test.