Here are the seven main phases of a Penetration Testing Project:
1. Planning a Pen Test
Pre-project planning includes discussions on what we are testing, pricing for the pen test, what types of tools to use, Rules of Engagement (ROE), appropriate times to perform testing and much more; all of this must be agreed upon before proceeding.
- Identify what is to be tested and what the impact would be if the testing target were interrupted by the test
- Agree on what level of testing will be performed and what the cost of this project will be
- Rules of Engagement: project timeline, test location(s), daily time restrictions, transparency and testing boundaries
- Communication during Project and chain-of-command for client response
- Impact Analysis: can this test negatively impact the client's ability to conduct business?
- Emergency Response: what happens if these tests do impact or take down the client's services, and how normal operations will be restored
2. Legal Concepts and Agreements
Some of the legal agreements both parties must sign off on before moving forward with the Pen Test:
- Non-disclosure: protects the existence of the test and assures that no private or proprietary client information is shared
- Statement of Work (SOW): critical to the pen test; defines what is expected of the client and the tester and what work will be performed
- Master Service Agreement (MSA): the "map key" of terms that appear in the other documents; terms agreed upon by both parties that need legal review
- Payment terms, delivery requirements, intellectual property rights, warranties, limitations, dispute resolution and how disagreements are resolved
3. Scope of Work: Goals, Rules & Strategies
The Scope of Work defines the type of test: Goals-based, Compliance-based, Red Team, Pre-merger or Supply Chain.
- Scoping of the specific targets to be tested
- Types of testing strategies: Black, Gray and White Box allude to how much information is shared with the tester before testing begins
- Define scheduling of testing, threat types and threat models of specific attack vectors like Ransomware infections
- HIPAA Compliance Pen Tests: focus on ePHI protection, testing limitations and the legal requirements of the HIPAA "checklist"
4. Objectives: Types of attacks
Information gathering on the target's staff and network, scheduled network probes, and checks for known vulnerabilities in existing security equipment and controls.
5. Start the Pen Test: the exploit
We use a variety of information gathering and vulnerability exploit tools, often the same tools the hackers who will attack you use, so we can duplicate and then close their avenues of attack.
- Scanning Tools: Nikto, W3AF, OpenVAS, Nessus and SQLmap
- Web and Network Tools: Metasploit, Burp Suite, the Social Engineering Toolkit, OWASP ZAP and Nmap
- Wireless Scanners: Aircrack-NG, Kismet, Wifite and Fern
- Credential Testing Tools: Medusa, Hydra, Patator, Mimikatz, John the Ripper and Hashcat
- Breach Notification: HIPAA requires public notice if over 500 records are affected; GDPR is even stricter
- Web Directory enumeration/fuzzing Tools: Dirbuster, Dirb, Gobuster
- Open Source data gathering: nslookup, WHOIS, FOCA, theHarvester, Recon-ng, Maltego and the Shodan.io website
- Application exploits: XSS, CSRF, Clickjacking and file inclusions
6. Reporting Phase: prepare findings and present our reports
Structured reports that follow industry standards and make our findings understandable to CEOs as well as your technical staff.
- Report includes: who performed the tests, what type of tests were performed and the sensitivity of the report
- Executive Summary: high-level details that summarize the report for C-level and non-technical management
- Remediation Summary: overview of the "fixes" we recommend and the priority to assign them as HIGH-MEDIUM-LOW
- Attack Methodology: what tools were used, step-by-step documentation of our exploits, and what information was gathered
- Conclusions/Remediation: how long this report is valid and what changes to your network or staff could invalidate our findings
7. Corrective Action: recommendations and repairs
Reports that include what needs to be done to improve network and physical security, and the order of importance of these vulnerabilities.
*Note: We make recommendations so that either your staff or ours can correct these issues; we leave the choice of who will perform the repairs to you.
Examples include: secure coding practices, firewalls, password enforcement and complexity, company information obfuscation and media disposal.