Intrusion Test: Simulation of a Targeted Computer Attack
Using techniques identical to those used by cybercriminals, penetration testing (also known as pentesting or ethical hacking) makes it possible to test how vulnerable computers, applications, IoT assets, critical industrial control systems, network devices and services, and even a company's own personnel (social engineering) would be to a real attack.
A penetration test is a specialized test that evaluates in a controlled manner the security of an organization’s information systems, and its execution is essential to identify vulnerabilities, reduce risks and proactively strengthen the security of these systems.
To avoid committing a crime, these tests are carried out under a precisely defined agreement with the entity commissioning the analysis, which sets the limits of the actions the professional may perform while penetrating an information system through its weak points, both technological and human, emulating exactly what a cyber attacker would do.
The penetration test is a formidable tool for determining which protection measures are needed to minimize the probability of falling victim to a cyber-attack. By approaching security from the offensive point of view (red team), it is the best way to learn how defenses could be compromised in a real incident with criminal intent. When executed in a professional, secure and controlled manner, it can uncover vulnerabilities that a more generic analysis would miss.
In addition, current market demand to demonstrate the strongest possible commitment to cybersecurity leads companies to certify against regulations and standards which, as a condition for certification, require ethical hacking as a measure that guarantees solvency in this area.
Types of penetration tests
There are several types of penetration tests, depending on the amount of agreed-upon information available to perform them:
- Black box test
A black box test is one in which the contracting party provides no information (credentials, etc.), so the penetration test must reproduce step by step what a malicious actor would do to launch a cyber-attack from the outside.
- White box test
When data provided by the audited entity (IP addresses, passwords, etc.) are available, we are dealing with a white box test, which reveals the full extent of a system's weaknesses against an attack carried out with precise knowledge of the organization.
- Gray box test
A gray box test sits between the two: complete information is not available (as in the white box case), but neither is it completely lacking (as in the black box case); the tester has a certain level of access to the system, of the kind that could be abused with bad intentions.
Methodologies
Although several methodologies exist, the Penetration Testing Execution Standard (PTES) and the Open Web Application Security Project (OWASP) are widely recognized in the industry.
The first defines the seven phases of a penetration test:
- Pre-engagement interactions (planning phase agreed with the client to determine scope, objectives and conditions)
- Information gathering (version of operating systems, installed software, ports, services, employee data, etc.)
- Threat modeling (identification of attack vectors from a cybercriminal’s point of view)
- Vulnerability scanning (discovery of security flaws that compromise the system and allow access to data or execution of malicious code)
- Exploitation (attacking the vulnerabilities detected)
- Post-exploitation (maintaining control of the tested systems over time, with the aim of escalating privileges further, moving laterally, etc.)
- Report (documentation of the results, pointing out the vulnerabilities detected and the actions to mitigate them).
The second is considered the standard for web application pentesting, evaluating an application's robustness against the threats that proliferate in the digital context.
Pentesting, much more than vulnerability analysis
Pentesting is essential for any organization that wants to protect its systems and networks from computer attacks. It is used to detect possible breaches or failures. This makes it easier to take corrective or preventive measures that make it difficult for a real attacker to compromise the integrity, confidentiality or availability of information or resources.
A penetration test is not limited to scanning for vulnerabilities with tools designed for that purpose (such as Nessus). The professional practice of ethical hacking goes beyond this, since it also evaluates the robustness of an information system in the face of a real attack scenario.
In this regard, it is important to bear in mind that cybercriminals do not limit themselves to known exploits. The continuous emergence of new techniques, which keeps broadening what a cyberattack can be, makes it essential to entrust pentesting to professionals whose knowledge is not limited to what is officially recorded in the vulnerability databases published by prestigious entities.
Severity and system security risk assessment
Delving into a system's weaknesses makes it possible to identify and classify them using tools such as the internationally recognized Common Vulnerability Scoring System (CVSS). This reveals their level of severity, which makes it possible to prioritize and address the most critical threats efficiently, focusing first on closing the most urgent security breaches.
It should be noted that the latest version of this scoring system, CVSS 4.0, includes metrics that take human safety into account. That is not the only new feature. One directly related to our topic is a new exploitability metric, Attack Requirements (AT), which captures the deployment and execution conditions that must be in place for an attack to succeed, an aspect of great interest for penetration tests.
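To make the CVSS 4.0 vector concrete, here is an added Python example (not code from the article or from JakinCode) that parses and validates a CVSS 4.0 base vector, including the Attack Requirements (AT) metric, and flags findings that need no preconditions; the triage heuristic at the end is a constructed illustration, not the official CVSS score.

```python
import re

# CVSS v4.0 base metrics and the values each accepts (CVSS v4.0 specification).
# AT (Attack Requirements) is the 4.0 addition the text refers to: N = None,
# P = Present (exploitation depends on conditions such as a race or a config).
BASE_METRICS = {
    "AV": "NALP",  # Attack Vector
    "AC": "LH",    # Attack Complexity
    "AT": "NP",    # Attack Requirements
    "PR": "NLH",   # Privileges Required
    "UI": "NPA",   # User Interaction
    "VC": "HLN", "VI": "HLN", "VA": "HLN",  # vulnerable system C / I / A impact
    "SC": "HLN", "SI": "HLN", "SA": "HLN",  # subsequent system C / I / A impact
}
PREFIX = "CVSS:4.0/"

def parse_cvss4(vector: str) -> dict:
    """Parse and validate a CVSS v4.0 base vector into {metric: value}; raise
    ValueError on wrong prefix, unknown/invalid/duplicate metric or missing one."""
    if not vector.startswith(PREFIX):
        raise ValueError("not a CVSS:4.0 vector")
    parsed = {}
    for part in vector[len(PREFIX):].split("/"):
        m = re.fullmatch(r"([A-Z]{2}):([A-Z])", part)
        if m is None or m.group(1) not in BASE_METRICS:
            raise ValueError(f"unknown or malformed metric '{part}'")
        name, value = m.groups()
        if name in parsed:
            raise ValueError(f"duplicate metric {name}")
        if value not in BASE_METRICS[name]:
            raise ValueError(f"invalid value {value} for {name}")
        parsed[name] = value
    missing = [n for n in BASE_METRICS if n not in parsed]
    if missing:
        raise ValueError("missing base metrics: " + ", ".join(missing))
    return parsed

def is_valid_cvss4(vector: str) -> bool:
    try:
        parse_cvss4(vector)
        return True
    except ValueError:
        return False

def no_preconditions(parsed: dict) -> bool:
    # Constructed triage heuristic, not the official score: remotely reachable,
    # low complexity, no attack requirements, no privileges, no user interaction.
    return all(parsed[k] == v for k, v in
               (("AV", "N"), ("AC", "L"), ("AT", "N"), ("PR", "N"), ("UI", "N")))
```

The official CVSS 4.0 severity score is derived from a lookup table over these metrics and is not reproduced here; the parser only guarantees that a vector recorded in a pentest report is complete and well-formed before it is used for prioritization.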
JakinCode security audits and penetration tests
Through professional services such as those offered by JakinCode, based on recognized methodologies and fully respectful of legal and ethical standards, organizations can increase their resilience against constantly evolving digital threats. JakinCode can also design intrusion tests tailored to the needs of the clients who request them, not necessarily tied to technical vulnerabilities; one example would be the evaluation of compliance policies.
Penetrating a system without permission is illegal, which is why JakinCode contractually stipulates the conditions of the penetration test before it begins. In addition to the purely technical aspects, the legal side must therefore be covered: accessing a system requires clauses that define the authorization granted by its owners. Under no circumstances may the person carrying out the intrusion test use the data accessed in the course of the work for personal benefit, or cause damage to the entity requesting the service.
JakinCode identifies vulnerabilities that could be exploited by cybercriminals and reduces or eliminates the risks associated with a potential cyber attack