Penetration Testing
What is Penetration Testing?
At Clarity Consulting, we use a strict definition of penetration testing. This parallels the definition set forth by the Federal Financial Institutions Examination Council (FFIEC) in their Information Technology Examination Handbook, which defines the term as follows:
“A penetration test subjects a system to real-world attacks selected and conducted by the testers. A penetration test targets systems and users to identify weaknesses in business processes and technical controls. The test mimics a threat source’s search for and exploitation of vulnerabilities to demonstrate a potential for loss."
-Source: FFIEC Information Security IT Examination Handbook September 2016, page 55.
Given this, our penetration testing mythology is centered around defined scope, clear goals, and success/failure conditions. This framework scales from the smallest engagements targeting individual systems or applications, up to the largest Red Team-style (combined electronic and physical penetration test) scenarios.
However, penetration testing by its inherent nature is not the optimum way to discover vulnerabilities, but rather is a good way to measure a targeted network or system's response to attack. If your needs involve the discovery, enumeration, and assessment of cyber security risk vulnerabilities, then consider our Vulnerability Assessment service instead.
Designing a Pen Test Scenario
When working with a customer on a penetration test, one or more pen test "scenarios" are designed, approved, then executed. Each scenario is an end-to-end test that carries a defined goal, a set of parameters, and a procedure to cover any event that may occur as a result of executing that scenario. Our reasons for putting so much effort in to the scenario design stage are threefold.
• First, the value of a penetration test is in its ability to help measure a system's
response to real world attack inputs. Defining those techniques up front is critical
to delivering that value.
• Second, any test should be repeatable. By defining and documenting the test, this
makes follow-up tests much more consistent and the results directly related.
• Third, because penetration testing uses real attacks on real production systems,
having a plan for success and failure conditions is critical to the safety and well-being
of systems, data and support personnel alike.
To best simulate any real-world attack, any number of different pen-test scenarios can be designed and chained together to be executed as one coordinated attack. For example, a Denial- of-Service (DoS) attack can be coupled with physical intrusion to measure the ability of personnel to respond to physical threats while verification systems may simultaneously be unavailable. Another example is to execute a social engineering attack as a component of a direct physical system intrusion attack, where information gathered by one activity is used to make the other more effective. The possibilities are endless, and can be custom-crafted by our team to meet your organization's exacting needs.
Contact Clarity Consulting today to discuss your organization's needs, and to start outlining your penetration testing scenarios. To get you started, here is a sample list of scenarios for your planning:
• Social Engineering Exercise
• Enterprise Authentication Systems Attack/Takeover (Microsoft Active Directory)
• Denial-of-Service Attacks
• Physical Intrusions
• Data Exfiltration
• Data Loss Prevention Bypass
• Vulnerability Exploitation and System Compromise