Network Penetration Testing
Network penetration testing is a security service that identifies security vulnerabilities in networks, systems, hosts, and devices by searching and examining every component in the network using the same tactics that a malicious attacker would use, so that our clients can fix these vulnerabilities.
Types Of Network Pentest:
- External Network Pentest: An external network pentest is designed to discover and exploit vulnerabilities in hosts that exist in public-facing security controls. The pentest team acts as an attacker on the open Internet and attempts
to mimic real scenarios as best as possible to identify as many potential vulnerabilities as possible. If an external host is compromised, it can lead to an attacker digging deeper into the internal environment.
- Internal Network Pentest: An internal network pen test is performed to help gauge what an attacker could achieve with initial access to a network. An internal network pen test can mirror insider threats, such as employees intentionally
or unintentionally performing malicious actions. The target is typically the same as an external penetration test but relies on some sort of authorized access or starts from a point within your network.
Network Penetration Testing Phases:
- Planning
- Reconnaissance
- Scanning
- Vulnerability Assessment
- Exploitation
- Reporting
Web Application Penetration Testing
Web application penetration testing is a security service that analyzes web applications for potential vulnerabilities by simulating a hacker operation in order to discover security vulnerabilities and misconfigurations before a malicious
hacker does.
Benefits of Web Application Penetration Testing:
- Enhanced security: Penetration testing can help you find and fix potential flaws in your web app, lowering the danger of security breaches.
- Verify the effectiveness of the existing security policies and controls.
- Regulation compliance: Many industries have stringent security requirements that must be met. Penetration testing can assist you in ensuring that your web app satisfies these requirements such as PCI DSS, HIPAA, etc.
- Configuration Check: Check the configuration and strength of components exposed to the public including firewalls.
Web Application Penetration Testing Phases:
- Planning
- Reconnaissance
- Exploitation
- Reporting
Mobile Application Penetration Testing
Mobile application penetration testing is a security service that identifies any mobile application vulnerabilities that could lead to data loss or some other business damage. You can make sure that your mobile apps are secure and satisfy
your security objectives with the greatest possible efficiency and coverage by choosing the right type of penetration testing approach.
Benefits of Mobile Application Penetration Testing:
- Enhanced security: Penetration testing can help you find and fix potential flaws in your mobile app, lowering the danger of security breaches.
- Regulation compliance: Many industries have stringent security requirements that must be met. Penetration testing can assist you in ensuring that your mobile app satisfies these requirements.
- Increased market credibility: By demonstrating that you take security seriously and have undergone penetration testing, you can increase your market credibility and attract more customers.
- Cost savings: Identifying and fixing vulnerabilities before they are exploited allows you to save money on potential damage control or recovery efforts.
Mobile Application Penetration Testing Phases:
- Discovery and planning
- Assessment
- Exploitation
API Penetration Testing
API penetration testing is a security service that simulates an external attacker or malicious insider specifically targeting a particular set of API endpoints and attempting to breach security in order to compromise the confidentiality, integrity, or availability of an organization's resources.
In this phase, our Offensive Security Engineers use the following steps to penetrate the API:
- Using the main app to initiate a request to the API, then capturing it with a proxy such as Burp Suite and running the tests from there.
- Using Postman request files prepared by the client side and running the tests with them.
Source Code Review
A source code review is a security service that examines the source code of an application manually or using scanners. The purpose of this examination is to identify any existing security flaws or vulnerabilities.
Types of Code Review:
- Automated Review: Enables large codebases to be reviewed quickly and efficiently. A pentester conducts this review using either open-source or commercial tools to help find vulnerabilities in real time.
- Manual Review: A senior or more experienced penetration tester must look over the entire codebase. This process can be extremely time-consuming and tedious, but it identifies flaws, such as business logic issues, that automated tools
may miss.
Benefits of Source Code Review:
- Improved Security: Reduce the number of bugs and security vulnerabilities going into production.
- Increased Productivity: Reduce the amount of time developers spend fixing late-stage bugs, resulting in increased productivity.
- Cost Savings: Identifying and fixing vulnerabilities before they are exploited allows you to save money on potential damage control or recovery efforts.
Network Segmentation Penetration Testing
Network segmentation penetration testing is a security service that identifies and validates the effectiveness of network traffic restrictions between defined segments from out-of-scope networks to in-scope networks.
Types of Segmentation:
- Firewall segmentation: Firewalls are used to limit the attack surface by separating functional areas from sensitive ones. Naturally, enforcement is contingent on thousands of firewall rules being installed and configured correctly.
- Software-defined networking (SDN): A category of technologies that separate the network control plane from the forwarding plane to enable more automated provisioning and policy-based management of network resources.
- Physical layer segmentation: This occurs when two networks are separated by a physical layer, which means that there is a change or disruption in the physical transmission medium that prevents data from traversing from one network to another.
- Micro-segmentation: Some segmentation relies on host workloads, rather than subnets or firewalls, to break subnets down further. Every workload operating system includes a native firewall that blocks traffic unless explicitly allowed.
Benefits of Segmentation:
- Reduces Attack Options
- Increases Chances of Detection
- Better containment
- Improved performance
Red Team Operation
A red team is a group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture.
Red Team Operation Cases:
- Active Directory Assessment
- Phishing Attacks Simulation
- Physical Pen-Test
Benefits of Red Team Operations:
- Identifies the risk and susceptibility of attack against key business information assets.
- Tactics, Techniques and Procedures (TTPs) of genuine threat actors are effectively simulated in a risk-managed and controlled manner.
- Assesses the organization’s ability to detect, respond to and prevent sophisticated and targeted threats.
- Close engagement with internal incident response and blue teams to provide meaningful mitigation and comprehensive post-assessment debrief workshops.
Thick Client Penetration Testing
Thick client penetration testing encompasses both client- and server-side processing and frequently makes use of proprietary communication protocols.
Simple automatic assessment scanning is insufficient, and thoroughly assessing thick client apps takes time and effort. Additionally, the procedure frequently calls for customized testing setups and specific tools.
Common Architectures of Thick Client applications:
- Two-Tier architecture: In two-tier architecture, the thick client application implements a client-to-server communication. The application is installed on the client computer and, to work, will need to communicate with a database server.
- Three-Tier architecture: In three-tier architecture, the client communicates with an application server, which in turn talks to the database in a manner similar to a regular web application. The most common communication method in
these applications may be carried out using HTTP/HTTPS. Three-tier architecture has a security advantage over two-tier architecture, because it prevents the end-user from communicating directly with the database server.
Threat Modeling
Threat modelling is a structured process for identifying potential security threats and vulnerabilities, assessing the severity of each potential impact, and prioritizing methods to reduce or mitigate those threats in the environment.
By performing threat modelling activities against a system design, proactive architectural decisions can be made that help mitigate threats in early stages of development. Threat modelling performed in the initial stages of the development
lifecycle enables architects to identify and mitigate potential security threats and vulnerabilities early when they are relatively easy and cost-effective to resolve. STRIDE is a model of threats implemented to help consider and identify
potential threats in the environment. The model aims to ensure that an application meets the security directives of the CIA triad (confidentiality, integrity, and availability), alongside authentication, authorization, and non-repudiation.
Therefore, IGRC2 will perform the threat modelling exercise using the STRIDE threat modelling technique.
Methodology:
- Goal: A meeting with the relevant key stakeholders to discuss the plan, scope, and requirements of the exercise.
- Scoping: Identify the scope and architecture type such as Mobile/Web Application, Cloud System, Network infrastructure, Embedded system, etc.
- Information Gathering: Understand the environment by reviewing the shared documentation, which may include but is not limited to design, architecture, procedures, policies, and other previous assets such as risk register, risk framework, remediation work, etc.
- Decomposition of different components: Based on the information gathering, organize workshops with relevant stakeholders to decompose the architecture into its components, data flow, application and business processes and trust boundaries.
- Threat Modeling Methodology: The STRIDE Threat Model as well as industry research and intelligence will be used for the Threat Modelling exercise by IGRC2.