First, the market has done a poor job of defining what a Penetration Test is as compared to a vulnerability scan, a vulnerability assessment, an application scan, application testing and a few other names that show up in the marketplace. As such, SAVANTURE is very specific as to what each is and what we deliver. At a high level, the following definitions are generally accepted by most security experts:
- Vulnerability Scan: A vulnerability scan looks for known vulnerabilities in a system and reports potential exposures typically with a generalized score relative to other identified vulnerabilities in your environment. These scans are typically performed with an automated set of tools and don’t include any human testing.
- Vulnerability Test: A vulnerability test introduces the human into the analysis chain. Beyond simply categorizing the vulnerabilities, the test validates and identifies them in the system architecture, computing/network environment or at an application level.
- Penetration Test: A penetration test exploits weaknesses in the system architecture, computing/network environment or at an application level. Most commonly this means identifying misconfigurations and identifying exploits due to a variety of issues such as remnants of default settings, use of older code or application versions, poor coding, or simply lack of focus in protecting an exposed application. There is some overlap with vulnerability scanning, as a vulnerability scan is often one of the tools used by the Pen Tester. A penetration test requires various levels of tester expertise. A penetration test attempts to identify the same techniques that hackers use during an attempt to compromise your network.
- Application Test: An application test is very specialized and is an attempt to compromise a specific application at a deep level. This may use some specialized tools, but most of the testing is performed manually, leveraging information from a Penetration Test. In most cases, the test is performed initially using the production system for softer testing (tests that won’t take the system down) and then in a controlled lab environment where there are no rules for the test and which can include Denial of Service (DoS) and other tests that may take the system down. It is certainly better for you to learn in a controlled environment whether there are weaknesses that would allow someone to influence not only the integrity but also the availability of your application than to find out when it’s unexpected.
Our proposed approach to delivering security testing services always begins with a planning and initiation phase where SAVANTURE will confirm the detailed approach, review the scope, and set the schedule for the work to be carried out. The output of this meeting is a detailed work program that confirms the scope of testing together with written details concerning:
- the objectives of the test
- the detailed components to be reviewed, e.g. Internet firewalls, routers, switches, web servers, application servers, database servers, e-mail servers, gateways and the Customer’s security management systems.
- IP addresses to be included in the engagement
- timescales for testing activities
- site access requirements
- server access requirements
- tools/scanners to be used
Internal and/or External Network Penetration Testing
The exact scope of a penetration test is agreed during the planning and initiation phase but in general the aims of each penetration test will be to assess the security of the Internal or External infrastructure and to provide assurance over the security configuration of the in-scope systems. In some cases, the penetration phase will provide access to previously inaccessible hosts or networks, and in these cases, the test team will move on to test the newly-visible infrastructure, beginning again with the network mapping phase. In this sense, the sequence of test execution can become recursive. At all times, the test team will take care to avoid infrastructure that is out of scope, and will not exploit vulnerabilities that may have adverse effects on live services without prior consultation with the designated technical contact.
SAVANTURE will also review with you the evidential requirements, the format of the reports to be produced and an escalation procedure for directly reporting any significant findings arising from the test. During the initiation and planning phase SAVANTURE will require you to provide us with permission for our consultants to proceed with testing, which in some cases will mean authorizing our attempts to access the Customer’s computer systems. Once SAVANTURE has received the letter of authorization, our team of specialists will prepare the appropriate scripts, software programs and other tools needed to support SAVANTURE’s Penetration Testing Methodology.
We support a wide range of cloud testing including Amazon Web Services (AWS).
SAVANTURE will provide the following deliverables to the Customer.
- Weekly status updates
- Preliminary report
- Final report
Weekly Status Report
At the Customer’s request, SAVANTURE will provide weekly status updates to the Customer. In the weekly status updates, SAVANTURE and the Customer will discuss outstanding project issues and paths going forward. The weekly status updates will also be the forum for SAVANTURE to communicate any major findings and recommendations to assist the customer in addressing the finding. However, if SAVANTURE were to identify any High Risk findings they would be communicated to the Customer Point of Contact immediately.
Upon completion of testing, SAVANTURE will convert the latest status report into a preliminary report. This deliverable is intended for a technical audience so that the remediation of vulnerabilities can begin immediately, if necessary.
Each finding is described in the table with the corresponding mitigation/remediation recommendation. Each finding is given an associated risk level and a status indicator of Open or Closed. Any re-testing during the course of the project will be reflected in the final report.
Approximately two weeks after the conclusion of testing, SAVANTURE will present all identified findings to the Customer in a final report.
Once SAVANTURE has issued the final report to the Customer, Customer has 10 business days to review and request any changes to the Final Report. Any requested changes will be discussed. Upon agreement, the final report will be updated and re-issued. If no changes are requested during this timeframe, the report shall be considered final and the project complete. Each vulnerability or risk identified will be categorized as high, medium, or low, as follows:
- High Risk: These findings identify conditions that could directly result in the compromise or unauthorized access of a network, system, application, or information. Examples of High Risks include known buffer overflows, weak/no passwords, and weak/no encryption; these, as well as others, could potentially result in denial of service on critical systems or services, unauthorized access, and disclosure of information. In addition, all non-compliant policy findings will be categorized as High Risk.
- Medium Risk: These findings identify conditions that do not immediately or directly result in the compromise or unauthorized access of a network, system, application, or information, but do provide a capability or information that could, in combination with other capabilities or information, result in the compromise or unauthorized access of a network, system, application, or information. Examples of Medium Risks include unprotected systems, files, and services that could result in denial of service on non-critical services or systems; and exposure of configuration information and knowledge of services or systems to further exploit.
- Low Risk: These findings identify conditions that do not immediately or directly result in the compromise of a network, system, application, or information, but do provide information that could be used in combination with other information to gain insight into how to compromise or gain unauthorized access to a network, system, application, or information. Low risk findings may also demonstrate an incomplete approach to or application of security measures within the environment. Examples of Low Risks include cookies not marked secure; permitted IP hopping; concurrent sessions; revealing system banners; and traversing to neighboring systems.
- Notes: In addition to Findings, our reports also may contain Notes. Notes can include testing notes, discussions of security best practices, and other supplemental information that may not necessarily be related to the security posture of the systems tested.
SAVANTURE’s final report will describe the identified findings (prioritized as High, Medium, or Low), along with recommendations for the remediation of the Customer’s environment. The report will be divided into six major sections including:
- Executive summary: A high-level description of the activities performed by SAVANTURE and a summary of the pertinent findings following the information protection task.
- Introduction: Contains the task objectives and a description of the steps performed by SAVANTURE.
- Methodologies: A description of the processes and procedures used by SAVANTURE to perform this task. The section contains a description of tools and techniques used by the assessment team to analyze the environment.
- Vulnerability assessment findings: A comprehensive list of findings associated with the Ethical Hacking efforts against the Customer environment, including a detailed discussion that explains each vulnerability discovered by SAVANTURE and a set of recommendations to address each finding.
- Conclusions: A high-level set of recommendations based upon the systemic problems found during the Ethical Hacking assessment.
- Appendices: SAVANTURE will provide additional information, if required, in the appendices.
If any of these assumptions are proven to be false during initiation and project definition phases of this engagement, additional scope and costs may be required in order to successfully complete this engagement as defined within.