PENETRATION TESTING Q&A
Q. What is penetration testing?
A. Penetration testing, or pen testing, is a simulated, authorized cyber-attack on a computer system performed to examine its resilience to security vulnerabilities. Pen testing may involve an attempted breach of application systems (e.g., APIs, back-end/front-end servers, DBs) to reveal weaknesses and vulnerabilities such as unvalidated inputs, authentication bypass, Cross-Site Scripting, SQL injection, RCEs and much more. Recommendations and mitigation strategies gathered from the test are provided to customers to help them mitigate the vulnerabilities found.
Q. What is the difference between vulnerability scans and Pen Tests?
A. Vulnerability scans are high-level, automated tests that search for and report on possible vulnerabilities. While vulnerability scans are good for a preliminary “sanity check”, they are no replacement for professional penetration tests. As these scans are automated, they lack the ability to understand the logic of the system. Pen tests are comprehensive, hands-on investigations by real security researchers (often called ethical hackers) who test the system from an attacker’s point of view and understand and exploit the “guts” of the system.
Q. What are the types of pen testing and their differences?
A. Traditionally, a pen test can be done in 3 main approaches, which differ in the amount of access and information given to the pen tester:
Black-box: In this approach, the only access to the application the tester is given is regular access, like any customer. The tester does not have access to view the source code of the application nor the configuration of its servers. As its name suggests, this approach treats the application as a “black-box,” i.e. a sealed box whose inner functionality is not visible.
White-box: Here the tester is exposed to everything: the source code of the application, its design documents and any other element he may think will help in the test. In this respect the tester can compare the behavior of the application with the actual source code to understand and exploit vulnerabilities. This approach focuses on deep, internal faults of the system.
Gray-box: This is a mixture of the above methods. In a gray-box test, the pen tester can be given some information about the system, like the frameworks being used, the OS of the servers, etc. But usually the tester won’t be given access to the source code of the application, or access as an administrator of the system. The tester and customer predefine exactly what information should be provided.
In addition, the target of a PT can vary from on-premise systems to cloud-based systems, from web to mobile applications and from small one-page marketing sites to big and complex architectures. Systems may be external-facing systems as well as internal employee-only systems.
Q. Where do vulnerabilities take place mostly?
A. There is no straight answer to this question, as vulnerabilities can be present anywhere in the organization: main websites, core systems, remote access systems, mobile apps, and management systems. It’s true that many “low hanging fruit” vulnerabilities exist in overlooked corners of an organization; for example, an old testing environment of a secondary system is likely to have old and outdated frameworks. The attacker does not care that the system is not in use or forgotten, as long as he can exploit it and make it an entry point to the organization’s internal network. An organization should always be aware of its weak spots by regularly performing penetration tests on every system and on its entire network.
Q. Who needs penetration testing?
A. Pen testing lets companies control risk, improve business continuity, and keep customers in the know about potential threats of attacks and data breaches. In strictly regulated fields, such as banking, service industries, and healthcare, it also helps businesses remain compliant.
Any company that stores its data digitally needs penetration testing to manage risk, increase business stability, and assess and increase its security level. Hackers are constantly searching for vulnerable systems and organizations to attack for private gain, ideology and even for fun. An organization must always reassess and improve its security; it’s not a question of if, but when, an attack will occur.
Q. How often should you Pen Test?
A. An organization should perform penetration testing repeatedly at a defined interval, in relation to the sensitivity of the system and the amount and significance of changes it undergoes in a specific period. We recommend anything between twice a year for rapidly growing startups and once every 18 months for slower-paced development of a system, to always be one step ahead of bad actors.
Specific regulations (e.g., PCI-DSS, GDPR, ISO 27001 and SOC-2) also require penetration tests to be scheduled regularly. Tests should also be done whenever a company:
Adds a new system, application or network infrastructure
Applies significant modifications or upgrades to applications or infrastructure
Establishes new office sites
Q. What should you do after a Pen Test?
A. The product of a penetration test should be a detailed report with technical information on how to reproduce the vulnerabilities found. As an organization, you need to make sure the technical side (developers, administrators, DBAs) understands the vulnerabilities.
The report includes mitigation recommendations for each finding. You should consult with the pen testers and form a mitigation plan. After executing the mitigations, have the pen tester re-test all findings.
Q. Who are we?
A. Komodo Consulting is a high-end cybersecurity firm specializing in Penetration Testing, Red-Team Exercises and Application Security. Komodo provides services across many verticals, including banking, insurance, hi-tech, automotive, energy, communication, critical infrastructures, healthcare, and international mega-brands. The company was founded by leading security specialists with decades of information security experience, and the team includes a variety of security professionals with both military and academic backgrounds in cyber security and computer science.
Q. What is your approach to conducting penetration tests?
A. First, we conduct an initial in-depth interview with the customer, where we try to understand their system, its architecture and the solution so we can establish the proper threat landscape. In this stage we learn how many and what kind of users and permission groups are accessing the system. We also learn whether it’s an internal or external system, what technologies are in use, and whether the system is on-premise, mobile or in a cloud environment. Then we suggest what kind of penetration test should be performed and what its scope should contain.
We believe in in-depth assessments. After we understand the logic and architecture of the system, we search for vulnerabilities using common industry tools such as Fiddler, Nmap, Burp, DirBuster, and many more. We also use internally developed tools and scripts.
If this is a grey-box or white-box penetration test, we may also review parts of the code or the security layers of the architecture to produce a threat model and verify that the design is secure.
After the penetration test, we provide a detailed report which contains both a high-level, bird’s eye overview on the security of the system as well as detailed technical information on how to reproduce each finding and the recommended fixes and mitigations.
Following the penetration test, the customer is required to fix the vulnerabilities. From our experience, the bigger the company, the slower the process.
Usually, our pen test is performed in a staging or testing environment; hence, there is no risk of customer data loss. However, many times we are required to perform these on production environments due to the customer’s requirements.
Q. Why should you choose Komodo Consulting?
A. Over the years, Komodo has conducted thousands of successful Penetration Testing and Red-Team projects for leading businesses, including Fortune 500 companies in Europe, the US, and Israel. Komodo excels in providing the full gamut of testing services for preventing cyber-attacks: from red-team engagements, to testing systems, networks and applications, to conducting security assessments and design reviews, through to application security review and training by our AppSec experts. We have you covered for all your specific cybersecurity needs!