In simple terms, a Penetration Test (PenTest) is an authorized simulated attack against your computer systems intended to identify exploitable vulnerabilities. Left unidentified, these weaknesses expose your network to a potential breach by malicious attackers who intend to disrupt your operations or commit financial fraud against your business, your partners, or your investors.
PenTests involve both automated and manual activities. Sadly, many organizations will advertise PenTest services using strictly automated mechanisms. These are not PenTests but instead just Vulnerability Assessments. A true PenTest exercise is conducted by a skilled professional using the manual techniques required to exploit system flaws: gaining system access, maintaining and spreading that access through lateral movement to other systems, stealing credentials, and/or exfiltrating data, all while not being detected by monitoring tools, processes, and people.
Penetration Test Phases
Most reputable PenTest organizations will model their PenTest process on common assessment standards. Although the labels may differ, a PenTest process follows a multistage approach that involves Planning, Scanning, Obtaining Access, Maintaining Access, and Covering Tracks.
Planning – Scope and goals of the engagement are defined. This is where a Rules of Engagement is approved by the business leaders of the target organization.
Scanning – Once authorization is provided, the assessment team will fingerprint the target system to identify open ports and services. With this information, attack strategies most likely to lead to access are determined.
Obtaining Access – Using an exploit either publicly available or custom developed for the target system, the assessment team will attempt to gain a foothold on a target system. Sadly, some PenTest organizations will often stop at this stage and declare victory. However, doing so does not give a full picture of what else an attacker would be able to accomplish.
Maintaining Access – More sophisticated PenTest firms will perform extra steps following their initial success of gaining access. They will try to elevate privileges, steal credentials for other accounts, and even potentially exfiltrate data.
Covering Tracks – Most activities performed against a computer system end up in an audit log somewhere. During a PenTest, the assessment team may take further actions to cover their tracks by deleting log entries to hide what they accomplished.
Why Have BW Cyber Conduct Your PenTest
Let’s be honest: You are already under attack by outside entities. If you have gaping holes in your outer defenses (i.e., Internet-facing systems), you would very likely already know about it. For this reason, BW Cyber’s PenTest process is designed not just to evaluate the open ports of your firewall, but also to be executed under a scenario where internal access by an attacker is already assumed (e.g., via malware/backdoors loaded on a user’s PC, an unapproved device plugged into the network, etc.). BW Cyber’s assessment team will perform a full Whitebox assessment of your environment to identify all system flaws (e.g., missing patches, misconfigured security settings, etc.) which could lead to further compromise of internal assets and ultimately your crown jewels: files containing Personally Identifiable Information (PII). The end result of a PenTest with BW Cyber is that you will be armed with a punch list of actions to apply, prioritized by the impact and severity of each weakness.
With this in mind, contact us today to discuss your PenTest goals.