Penetration Testing (PT) is the process of evaluating the current security state of a system or network to find vulnerabilities that an attacker could exploit to gain unauthorized access to systems and information.
This process involves identifying security weaknesses that may result from improper security configuration of systems or applications, and from known or unknown vulnerabilities in hardware or software systems.
Cloud4C - Methodology of Penetration Testing
The objectives of the Basic Penetration Testing service are:
- Validate the configurations of Information Technology (IT) Assets and produce a list of known vulnerabilities present in the systems and applications and mitigate them before they are exploited by adversaries.
- Simulate a real hacking event to test the strength of existing security defences and countermeasures.
Scope of Service
The scope of Basic Penetration Testing is the in-scope IT assets of the organization. The IT Assets include firewalls, routers, VPN, IDS/IPS, Web servers, Application servers, Database servers, etc. Penetration Testing provides an insight into the organisation’s current state of security, discovers possible ways to penetrate and tests the effectiveness of the security countermeasures. We perform our Penetration Testing in two formats:
- External Basic Penetration Testing: Performed remotely with no internal access provided to our security experts. The goal is to identify and classify the weaknesses and penetrate the internet-facing IT assets of an organization such as Web Servers, Network Gateways, VPN, E-mail Servers, and Firewalls.
- Internal Basic Penetration Testing: Performed from within the premises of the target organization, usually to identify & classify threats and vulnerabilities in the internal network presented by someone who already has access to the organization’s network such as an employee, contractor, or guest. It also helps an organization to determine its compliance with global or local policies, standards and procedures in terms of information security, data protection and network segmentation.
Rather than simply listing all individual vulnerabilities in every IT asset, our approach is to find the systematic issues in the organization that led to these vulnerabilities. We often use a sampling methodology in our approach to focus on the root causes and prioritize the most important remediation steps. While performing Basic Penetration Testing, our tests comply with the safe checks designed to limit any negative impact on the organization’s production environment.
Process of Basic Penetration Testing:
In delivering the Basic Penetration Testing service, Cloud4C will use a combination of automated and manual scanning methods and will utilize commercial and publicly available tools, as well as custom scripts and applications that were developed by Cloud4C. The penetration testing process involves the following steps:
- Reconnaissance: Gathering preliminary data or intelligence on the target organization. The data is gathered to plan better for the attack. Information gathered in this step includes IP address ranges, public email addresses, web sites and others.
- Scanning & Enumeration: Gathering more information about the connected systems, running applications and the services in the organization’s network. Information such as operating system type and version, user accounts, email addresses, service version and release numbers is also gathered.
- Identify vulnerabilities: Based on information gathered in the previous two phases, we will identify weak services running in your network or applications that have known vulnerabilities.
- Exploitation: Using readily available code, or creating customized code, to take advantage of identified vulnerabilities to gain access to the target vulnerable system.
- Privilege escalation: In some cases, the existing vulnerability provides low level access only such as normal user access with limited privileges. In this step, we will attempt to gain full administrative access on the machine.
To ensure successful and smooth execution of the Penetration Testing service, certain information and preparation need to be in place:
- External Penetration Testing:
IP addresses of internet facing IT assets to be included in the scope of Penetration Testing.
- Internal Penetration Testing:
We need a Virtual Machine (VM) to install our security toolkit to perform the Penetration Testing. The VM should have the following:
- Hardware requirements:
8 GB RAM, 250 GB Hard Drive space, 4 core processor.
Local administrator privileges on the VM.
- Network access:
The VM should be placed in the internal network and assigned an internal IP address. In addition, the VM should be accessible from the internet by the Cloud4C team through VPN or a remote desktop to facilitate remote management and execution of the service.
An image will be provided to the customer, which needs to be deployed on this VM. As soon as the image is deployed, it will ask for a personalization code that will also be provided to the customer by the Cloud4C team. In addition, the VM needs to support nested virtualization so that we can deploy our other virtual machine images on the VirtualBox application.
Deliverables of Pentesting:
Upon completion of the Basic Penetration Testing, a detailed report will be sent to the client, including the following:
- Executive Summary:
Summary of the purpose of this assessment, as well as brief explanation of the threats that the organization is exposed to from a business perspective.
A detailed, technical explanation of the findings of the assessment along with steps and proofs of the findings.
- Conclusion & Recommendations:
This section provides final recommendations and summary of the issues found during the security assessment.
Service delivery time
The Basic Penetration Testing service on 10 IT Assets can be completed in five business days.