
Security for Web Development in 2021
22 Jan


By now it should be clear that security for your website or mobile app platform is an essential component of a modern business in Singapore. Your company's reputation and finances will suffer when a data breach occurs and is publicly announced; the resulting loss of customer confidence leads to a drop in revenue and profit. This post sets out what you should do once your website or mobile application has been built.

What is a Penetration Test

Penetration testing is an authorized simulation of an attack on a system, network, or application to find potential vulnerabilities that can be exploited.

3 Categories of Pentesting

Pentesting can be loosely placed into 3 categories: black, gray, or white box testing.

The black box testing model is done from the perspective of an outsider with limited knowledge of the application, network, systems or policies in place. This simulates a realistic attack scenario but can also come with disadvantages. Time spent by the tester in this scenario might not be fully maximized and some components might go untested.

The white box testing model is done with full knowledge of the relevant target, which can be obtained from functional and technical specification documents, network and architecture diagrams, privileged account access, and other information sources. This results in a more thorough test that would ideally reach all areas of the application, such as the architecture design and issues arising from coding practices. However, this form of testing requires more effort to conduct and might present a pessimistic view of the issues and risks regarding the target.

The gray box testing model lies somewhere in between the black and white box testing, with the tester having partial knowledge of the target.

6 Steps of the Pentest Process

There are many ways to describe the penetration testing process, but in general it can be structured into 6 steps:

  1. Planning
  2. Reconnaissance
  3. Threat Modeling
  4. Testing and Exploitation
  5. Post Exploitation
  6. Reporting

In the planning phase, the aim is to ensure the smooth execution of the penetration test. In this stage, we would decide:

  1. The scope of the test, including the type of test (white, gray, or black box) and the hosts in scope, while addressing any other limitations such as the timeframe and the rules of engagement.
  2. Logistical requirements such as test accounts, keys, IP whitelisting, and documentation: Technical Specification Documents, Functional Specification Documents, and Architecture Design Documents.

In the reconnaissance phase, we gather information about the target to identify possible attack vectors. In general, this is Open Source Intelligence (OSINT) gathering from public sources, and it ranges from passive to active methods.

Passive methods do not involve direct interaction with the target, and consist of information gathered from third parties, such as WHOIS queries.

Active methods can include port scanning, banner grabbing, and zone transfers. There are many tools that can accomplish this, such as Nmap, as well as different query methods to avoid detection by the host.
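The defender's side of the active methods above is noticing them. The following is an added example, not code from the original post: a small port-scan detector that flags any source touching many distinct destination ports within a time window. The log format (`<epoch_seconds> <src_ip> <dst_ip> <dst_port> <action>`) and the sample lines are constructed for the example and are not any real firewall's schema.

```python
"""Port-scan detection over constructed firewall log lines.

Added example, not code from the original post. The line format below is
a constructed simplification, not a real firewall's log schema:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <action>
"""
from collections import defaultdict

# Constructed sample: 203.0.113.5 touches ten ports within five seconds
# (a scan), while 192.0.2.77 makes ordinary repeated requests to port 443.
SAMPLE_LOG = """\
1611300000 203.0.113.5 198.51.100.10 22 DROP
1611300001 203.0.113.5 198.51.100.10 23 DROP
1611300001 203.0.113.5 198.51.100.10 25 DROP
1611300002 203.0.113.5 198.51.100.10 80 ACCEPT
1611300002 203.0.113.5 198.51.100.10 110 DROP
1611300003 203.0.113.5 198.51.100.10 143 DROP
1611300003 203.0.113.5 198.51.100.10 443 ACCEPT
1611300004 203.0.113.5 198.51.100.10 3306 DROP
1611300004 203.0.113.5 198.51.100.10 3389 DROP
1611300005 203.0.113.5 198.51.100.10 8080 DROP
1611300000 192.0.2.77 198.51.100.10 443 ACCEPT
1611300010 192.0.2.77 198.51.100.10 443 ACCEPT
1611300020 192.0.2.77 198.51.100.10 443 ACCEPT
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, dst, port, action = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "action": action}


def detect_port_scans(log_text, window_seconds=60, min_ports=8):
    """Return {src_ip: sorted distinct ports} for every source that touched
    at least `min_ports` distinct destination ports inside any window of
    `window_seconds`. A sliding window runs over each source's events in
    time order; the largest port set seen in any window is kept."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        events[rec["src"]].append((rec["ts"], rec["port"]))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        best = set()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits within window_seconds.
            while evs[end][0] - evs[start][0] > window_seconds:
                start += 1
            ports = {port for _, port in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            findings[src] = sorted(best)
    return findings


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

The window and threshold are parameters on purpose: a scan spread slowly over many minutes falls below the threshold of a short window, so a detection rule with a one-second window misses the same sample entirely. Tuning the window to the traffic you expect is the defender's counterpart of the "different query methods" mentioned above.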

In the threat modeling phase, we define the assets and processes that could be targeted in an attack and the potential impact on the company. Potential threat agents and capabilities are also part of the analysis and are taken into account.

During testing and exploitation, we will discover vulnerabilities in the systems and applications and attempt to validate them by affecting Confidentiality, Integrity, and/or Availability.

Once we have found a potential vulnerability, exploiting it can happen in a variety of ways. It could be as simple as providing unexpected input, writing a Python script to produce a sequence of inputs, sending a large amount of text to trigger a buffer overflow, or using Metasploit modules to obtain a reverse shell or to upload and execute a web shell.
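The developer-side counterpart of the "unexpected input" tests described above is strict input validation, which is also what the fix stage later in this post comes down to. The following is an added example, not code from the original post or from Oasis Web Asia: a small declarative validator for a hypothetical order endpoint, run over constructed inputs of the kind a tester would send (negative and oversized numbers, non-numeric values, oversized bodies, control characters, unexpected fields). The field names and rules are assumptions made for the example.

```python
"""Input validation for a hypothetical order endpoint.

Added example, not code from the original post. ORDER_RULES, MAX_RAW_LEN
and the sample inputs are constructed for illustration.
"""
import re

# Constructed rules: every field has a type, a length cap and either a
# numeric range or an allowlist pattern. Nothing outside this is accepted.
ORDER_RULES = {
    "quantity": {"type": int, "min": 1, "max": 1000},
    "sku": {"type": str, "max_len": 32, "pattern": r"[A-Z0-9-]+"},
    "note": {"type": str, "max_len": 200, "pattern": r"[\x20-\x7E]*"},  # printable ASCII only
}

MAX_RAW_LEN = 4096  # reject oversized requests before any field-level work


class ValidationError(ValueError):
    pass


def validate(raw_fields, rules=ORDER_RULES):
    """Return cleaned values, or raise ValidationError naming the first
    failing check. `raw_fields` maps field name -> str as received."""
    if sum(len(k) + len(v) for k, v in raw_fields.items()) > MAX_RAW_LEN:
        raise ValidationError("request too large")
    unknown = set(raw_fields) - set(rules)
    if unknown:
        raise ValidationError(f"unexpected field(s): {sorted(unknown)}")
    cleaned = {}
    for name, rule in rules.items():
        if name not in raw_fields:
            raise ValidationError(f"{name}: missing")
        value = raw_fields[name]
        if len(value) > rule.get("max_len", MAX_RAW_LEN):
            raise ValidationError(f"{name}: too long")
        if rule["type"] is int:
            # Check the shape before converting; never int() arbitrary text.
            if not re.fullmatch(r"-?\d+", value):
                raise ValidationError(f"{name}: not an integer")
            number = int(value)
            if not rule["min"] <= number <= rule["max"]:
                raise ValidationError(f"{name}: out of range")
            cleaned[name] = number
        else:
            if not re.fullmatch(rule["pattern"], value):
                raise ValidationError(f"{name}: disallowed characters")
            cleaned[name] = value
    return cleaned


def check_inputs(cases):
    """Run (label, fields) pairs through validate(); return {label: outcome}."""
    results = {}
    for label, fields in cases:
        try:
            validate(fields)
            results[label] = "accepted"
        except ValidationError as exc:
            results[label] = f"rejected: {exc}"
    return results


# Constructed inputs of the kind a tester would send during the test phase.
TEST_CASES = [
    ("normal", {"quantity": "2", "sku": "AB-123", "note": "leave at door"}),
    ("negative qty", {"quantity": "-1", "sku": "AB-123", "note": ""}),
    ("huge qty", {"quantity": "99999999999", "sku": "AB-123", "note": ""}),
    ("non-numeric", {"quantity": "two", "sku": "AB-123", "note": ""}),
    ("oversized note", {"quantity": "1", "sku": "AB-123", "note": "A" * 5000}),
    ("control chars", {"quantity": "1", "sku": "AB-123", "note": "hi\x00there"}),
    ("extra field", {"quantity": "1", "sku": "AB-123", "note": "", "admin": "1"}),
]

if __name__ == "__main__":
    for label, outcome in check_inputs(TEST_CASES).items():
        print(f"{label:15s} -> {outcome}")
```

The order of checks matters: the total size is checked before anything is parsed, unknown fields are rejected rather than ignored, and numeric fields are shape-checked before conversion so that an unexpected value is refused instead of raising somewhere deeper in the application.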

Post exploitation covers a number of actions, but it generally includes data exfiltration, maintaining persistence, and covering the tracks of the exploit. Extracting the data can be done via FTP transfers, by displaying it over shell access, or by a number of other methods. Maintaining persistence ensures that the attacker, for example Horangi, is able to remain within the target environment even after an event such as a password change or a host restart. Examples include uploading a web shell, or activating a remote access service and creating an account for access.

Ideally, we would also want to erase traces of our access and exploit: erasing system logs, restoring the original privilege levels, restarting crashed services, and reverting any other changes that could be detected.
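Each of the post-exploitation actions above leaves something a defender can look for: an account created by an unexpected actor, a user added to a privileged group, a service enabled outside of change management, and, for track-covering, a gap in the audit log's sequence numbers. The following is an added example, not code from the original post or from Horangi: two detection heuristics run over a constructed audit-log format (`<seq> <epoch> <EVENT> key=value ...`, not a real syslog or auditd schema). The event names, the administrator allowlist and the sample lines are all constructed for the example.

```python
"""Persistence and log-tampering heuristics over a constructed audit log.

Added example, not code from the original post. The format below is a
constructed simplification (not syslog or auditd):
    <seq> <epoch_seconds> <EVENT> key=value [key=value ...]
"""
import re

# Constructed sample: www-data (a web server account) creates a user, adds it
# to sudo and enables a service; then sequence numbers 107-109 are missing.
SAMPLE_AUDIT = """\
101 1611300000 LOGIN user=alice src=192.0.2.10 result=ok
102 1611300030 CMD user=alice cmd=vim
103 1611300060 LOGIN user=www-data src=127.0.0.1 result=ok
104 1611300090 USER_ADD actor=www-data user=backup2 shell=/bin/bash
105 1611300100 GROUP_ADD actor=www-data user=backup2 group=sudo
106 1611300110 SERVICE_ENABLE actor=www-data unit=remote-helper.service
110 1611300400 LOGIN user=alice src=192.0.2.10 result=ok
"""

PRIVILEGED_GROUPS = {"sudo", "wheel", "root", "adm"}
ADMIN_ACTORS = {"root", "alice"}  # constructed allowlist of expected administrators

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_audit(log_text):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        seq, ts, event, rest = line.split(maxsplit=3)
        fields = dict(KV_RE.findall(rest))
        records.append({"seq": int(seq), "ts": int(ts), "event": event, **fields})
    return records


def find_persistence_events(records):
    """Flag account, group and service changes that match the persistence
    techniques described in the post and were not made by a known admin."""
    findings = []
    for rec in records:
        actor = rec.get("actor")
        if rec["event"] == "USER_ADD" and actor not in ADMIN_ACTORS:
            findings.append({"seq": rec["seq"], "reason": "account created by non-admin actor",
                             "actor": actor, "user": rec.get("user")})
        elif rec["event"] == "GROUP_ADD" and rec.get("group") in PRIVILEGED_GROUPS:
            findings.append({"seq": rec["seq"], "reason": "user added to privileged group",
                             "actor": actor, "user": rec.get("user")})
        elif rec["event"] == "SERVICE_ENABLE" and actor not in ADMIN_ACTORS:
            findings.append({"seq": rec["seq"], "reason": "service enabled by non-admin actor",
                             "actor": actor, "user": rec.get("unit")})
    return findings


def find_sequence_gaps(records):
    """Return (previous_seq, next_seq) pairs where sequence numbers jump.
    A gap in an append-only log is a signal that entries were removed."""
    gaps = []
    for prev, cur in zip(records, records[1:]):
        if cur["seq"] != prev["seq"] + 1:
            gaps.append((prev["seq"], cur["seq"]))
    return gaps


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for f in find_persistence_events(recs):
        print(f"seq {f['seq']}: {f['reason']} (actor={f['actor']}, target={f['user']})")
    for prev_seq, next_seq in find_sequence_gaps(recs):
        print(f"log gap between seq {prev_seq} and {next_seq}: possible erasure")
```

The sequence-gap check only works when logs are shipped off the host as they are written; a log that is both stored and numbered on the compromised machine can be rewritten consistently, which is why centralised, append-only logging is the usual recommendation in a pentest report.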

Last but not least, the reporting phase is essential in communicating the findings. The scope of testing, risk assessment, recommendations for remedy, approach, and objectives should be clearly stated.

Summary - Protect and Get Cyber Insurance

In conclusion, plan with a penetration test process in mind.

Follow these guidelines recommended by the Oasis Web Asia team.

  1. Once your website development or mobile app development is completed, schedule an OWASP-based penetration test with a CREST-certified security vendor.
  2. After the test result is returned, get your web/app vendor to fix the issues mentioned.
  3. Run a final test to get all critical and high-risk issues cleared.
  4. Now you are able to launch your application in the production / live environment for your customer to use.

Now, we encourage you to buy Cyber Insurance for your website platform or mobile application since you have the verified report by the security vendor.

What is Cyber Insurance

On its initial introduction, it was not uncommon for Singapore businesses to scoff at the idea of purchasing Cyber Insurance. In particular, small and medium enterprise organizations did not see the need or urgency for such coverages. In recent years, for obvious reasons, this notion has begun to shift. A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage, is designed to aid an organization in mitigating their risk exposure by offsetting the costs involved in the recovery after a cyber-related security breach. You can contact the insurance/underwriting agencies like Tenet Sompo or Prudential to get your insurance. 

What is covered?

  1. First-party coverage to reimburse an organization for the expenses incurred from the cyber-attack / PDPA fines.
  2. Third-party liability to protect the insured in the case of a hack of their data that impacts other, affiliated businesses (clients and customers).
  3. Other coverages may include business interruption, privacy liability, costs of notifying customers, legal expenses, recovering compromised information, and repair to damaged computer systems.


Make sure you engage a web development or mobile app development agency that can show evidence, such as a portfolio, of having built applications that went through a penetration test process before.

If your project manager did not discuss security with you, it is a telltale sign that the website or mobile app about to be developed will be more prone to hacking, with many corners cut.

There is an old warrior mantra that Team Oasis states: “The more you sweat in training, the less you bleed in battle.”


About

Oasis Web Asia is a Singapore-based web design and web development company.