Steps of Penetration Testing

Overview

IT network VAPT, or penetration testing, is an important task to be carried out by IT administrators.This is because of the rise in hacking attempts irrespective of the industry type. Attacks can happen from internally or externally with no or little knowledge of the network.

Some Facts

Web Attacks / Total Attacks - 58%
IP Attacks / Total Attacks - 42%
Internal Attacks / Total Attacks - 78%
External Attacks / Total Attacks -28%

Below are the types explaining how a penetration test is performed

Social Engineering :

Human errors are the main causes of security vulnerability. Security standards and policies should be followed by all staff members to avoid social engineering penetration attempt. Example of these standards include not to mention any sensitive information in email or phone communication. Security audits can be conducted to identify and correct process flaws.

Application Security Testing :

Using software methods one can verify if the system is exposed to security vulnerabilities.

Physical Penetration Test:

Strong physical security methods are applied to protect sensitive data. This is generally useful in military and government facilities. All physical network devices and access points are tested for possibilities of any security breach.

What are the various pen testing techniques

Manual penetration test

Using automated penetration test tools

Combination of both manual and automated process

The third process is more common to identify all kinds of vulnerabilities.

Manual Penetration Testing

Why a Pen Test Service is needed for websites or IT infrastructures, Social Engineering

The thumb that real life hackers follow, is not to use automated tools, but to do the hacking manually. This is because it is not entirely possible for tools and scripts to find all vulnerabilities. There are some vulnerabilities which can be identified by manual scan only.

Penetration testers can perform better attacks on application based on their skills and knowledge of system being penetrated. The methods like social engineering can be done by humans only. The same applies to website attacks such as SQL Injection, Cross site scripting (XSS) and cross site request forgery (CSRF). Manual checking also covers design, business logic as well as code verification.


How exactly the pentest is performed?

Data collection

Various methods including Google search are used to get target system data. One can also use web page source code analysis technique to get more info about the system, software and plugin versions. There are many free tools and services available in the market which can give you information like database or table names, DB versions, software versions, hardware used and various third party plugins used in the target system.

Vulnerability Assessment

Based on the data collected in first step one can find the security weakness in the target system. This helps penetration testers to launch attacks using identified entry points in the system.

Vulnerability Exploitation

This step requires special skills and techniques to launch attack on target system. Experienced penetration testers can use their skills to launch attack on the system.

Result analysis and report preparation

After completion of penetration tests detailed reports are prepared for taking corrective actions. All identified vulnerabilities and recommended corrective methods are listed in these reports. You can customize vulnerability report format (HTML, XML, MS Word or PDF) as per your organization needs.



Application Security Testing, Why a Pen Test Service is needed for websites or IT infrastructures

What VAPT Standard Is Used?

Why a Pen Test Service is needed for websites or IT infrastructures, Physical Penetration Test

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

The goal of OWASP TOP 10 is to educate developers, architects, managers, organizations, and designers about the consequences of the most common and most important web application security weakness. OWASP TOP 10 provides basics techniques to protect against these high-risk problems and give guidance what to do next. Valency Networks performs testing using OWASP vulnerability assessment standard.

Please refer to links below to understand more about this.


Give preventive approach for securing networks


Securing network involves processes protecting the system from the attacks originating inside an organization as well as outside an organization. A very basic traditional approach of securing networks would involve user authentication, user authorization, user device protection etc. but with greater workforce, mobility of the network and complexity the network system gets prone to newer vulnerabilities and hence opening a backdoor for hackers to exploit the network. Hence securing a network would help a system to safeguard itself from huge loss.

Some of the preventive approach includes:

  1. Use layered defense: Secure each and every endpoint of the network. This would remove any single points of security failure and also establish a stability in the system.
  2. Clearly define security zones, responsibilities and user roles: Use least privilege concept and use strict rule enforcement for the firewalls for filtering traffics and access control capabilities for the security zones
  3. Maintain strict authentication policies: Deploy standard and strict authentication policies for the users and further better password policies.
  4. Accountability and control device network admission: Every user should be accountable for his/ her own device (wired or wireless) which store huge amount of data in form of intellectual property for the organization.
  5. Deployment of patches: Any patches available from the third-party vendors should be analyzed and deployed as soon as available as it may reduce the risk attacks identified by the vendor
  6. Use vulnerability scanners in regular intervals: Use vulnerability scanners like nexpose as scan the system for the vulnerabilities present in the system. Once scanned analyze the reports and apply the changes as soon as possible.
  7. Log, correlate and manage security: Aggregate and analyze security event information to provide a high-level consolidated view of security events on the network.
  8. Protect user information: VLANs should separate traffic between departments within the same network and separate regular users from guests. WLAN/Wi-Fi communications should use VPNs or 802.11i with Temporal Key Integrity Protocol for security purposes.

Apart from the above, the organization should sanction third party penetration testing for their networks. This would help them to understand the holistic way to develop the network security for the organization. This would also help them to get a better solution for a vulnerability present in the network system.


Our Culture

Valency Networks is a very agile, friendly and fun loving atmosphere and yet we maintain a cutting edge technical vibrant work environment.