Security Penetration Testing Checklist
Written By: Mark Repka - Principal Security Consultant, MegaplanIT.
Security testing of an environment can be a time-consuming and expensive process that requires adequate knowledge of the tools, attack vectors, and methodologies bad actors may use to infiltrate or otherwise circumvent security controls. Security testing may also be broken down into different layers of the infrastructure: Application, Network, and System testing may be employed to determine the full breadth of vulnerabilities facing your organization.
Application Layer Security Testing
Entities developing software, including software that interfaces with an API or other protocol, may wish to test against the common web attacks listed in the OWASP Top 10. Applications may be tested statically or dynamically using tools or manual methods. This may be supplemented with a Web Application Firewall, which monitors traffic to and from the application to check whether appropriate data streams, queries, and commands are being sent to the application for processing.
Static Code Testing
The main difference between static and dynamic testing is that the application or program is not compiled for static testing; the source code itself is scanned manually or automatically using tools like SonarQube or PVS-Studio. Note that a given tool may not support your application or language; with the multitude of languages in use on today's internet, you should pick one appropriate to your application. Static code analysis observes the calls the application makes by considering the individual declarations and statements and tracing them back to the source material as appropriate.
Dynamic Code Testing
Dynamic code testing examines an application or program that has been compiled and is now exercised for issues or bugs in its interaction with libraries, inputs, or other components that may destabilize the application. A faulty application may not handle errors correctly, may crash into stored data, or may otherwise expose inappropriate data to the end-user. Note that this testing does not concern version management, but the quality of the written content, its accessibility via queries, and the vulnerabilities presented by the application as it is exposed to the world. Some useful tools for dynamic code testing are Rational Software's AppScan or Acunetix Web Vulnerability Scanner.
Network Layer Security Testing
Network layer testing involves the pathways that information takes into your infrastructure. Hosted FTP servers, e-mail relays, application servers, and databases all communicate data between themselves and occasionally with the internet. The question is how to delineate what is appropriate and inappropriate for running your systems. That is a topic for another blog post; however, it should be known that secure transmission between nodes in your environment should be tested. Network layer testing tools include applications like Netcat, Wireshark, and Responder. Additional network security layers may be leveraged, such as an Intrusion Detection/Prevention System, wherein malicious traffic is flagged and blocked as dictated by the rulesets of the solution or by adaptive learning.
External Network Layer Testing
At a minimum, security testing should include an external review of firewall rulesets to determine whether network traffic is appropriate for your environments, for both inbound and outbound connections. Allowing unknown ports, protocols, or services may lead to unintended exfiltration of data from your networks. Do you wish for your networks to communicate over HTTPS (port 443)? Or do you need clients or stakeholders to upload documents over SFTP (port 22)? The definitions of the ports in use should be reviewed periodically against your business model to reduce the available ports to those which are necessary. External network-layer testing may be performed through an automated Approved Scanning Vendor (ASV) service, which scans certificates and network connections to public-facing websites to determine whether any network vulnerabilities exist and typically how to remediate these faults.
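As an added illustration (not part of the original post), here is a small Python review of a constructed firewall ruleset against an approved-service baseline of HTTPS (port 443) inbound and outbound plus SFTP (port 22) inbound; the rule format, the baseline and the rule names are this example's assumptions, not any vendor's.

```python
from dataclasses import dataclass

# Constructed baseline of approved (protocol, port) pairs per direction; assumed for this example.
APPROVED = {
    "inbound": {("tcp", 443): "HTTPS web front end", ("tcp", 22): "SFTP partner uploads"},
    "outbound": {("tcp", 443): "HTTPS to vendor APIs"},
}

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str  # "inbound" or "outbound"
    proto: str      # "tcp", "udp" or "any"
    port: str       # "443", "1024-65535" or "any"
    action: str     # "allow" or "deny"

def ports_in(spec: str) -> set:
    """Expand a port spec ('443', '1000-1010', 'any') into the set of port numbers it covers."""
    if spec == "any":
        return set(range(1, 65536))
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return set(range(lo, hi + 1))
    return {int(spec)}

def review(rules) -> list:
    """Return (rule name, direction, count) for each allow rule opening unapproved protocol/port pairs."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        approved = APPROVED[r.direction]
        protos = ("tcp", "udp") if r.proto == "any" else (r.proto,)
        extra = {(p, n) for p in protos for n in ports_in(r.port) if (p, n) not in approved}
        if extra:
            findings.append((r.name, r.direction, len(extra)))
    return findings

# Constructed ruleset: the legacy FTP rule and the any/any egress rule are what a periodic review should surface.
RULES = [
    Rule("web", "inbound", "tcp", "443", "allow"),
    Rule("partner-sftp", "inbound", "tcp", "22", "allow"),
    Rule("legacy-ftp", "inbound", "tcp", "21", "allow"),
    Rule("egress-any", "outbound", "any", "any", "allow"),
    Rule("default-deny", "inbound", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, direction, count in review(RULES):
        print(f"{name}: {direction} allow rule opens {count} unapproved protocol/port pair(s)")
```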
Internal Network Layer Testing
Internal network-layer testing tests the interconnections of internal servers. Typically we would look at the interconnections between internal resources such as Active Directory, databases, and other backend security processing servers, and how they interface with that which is public-facing. Are authorization and access control protocols traveling across the network in plain text? Does encrypted data remain encrypted until the endpoint where it is used? Are different subnets adequately separated to ensure that traffic is not intercepted on its way to the intended destination? Detection of rogue nodes or devices on your network may also be tested internally, to ensure that every device recognized on the network is appropriate, per the design of the system architect and the known network configuration.
System Security Testing
System testing is performed on the operating system and application level of a production environment. Typically, automated tools are used to scan applications, libraries, and operating systems to determine their version and configuration. From there, the tool compares the result to what a typical hardened system should look like and produces a report informing the user of potential vulnerabilities. These vulnerabilities may stem from operating system configurations that go against industry best practices, such as storing passwords with reversible encryption or allowing a low RDP encryption level. Additional information regarding system hardening may be found at the Center for Internet Security or Cisofy. Internal vulnerability scanning tools may also be used to determine whether insecure versions of libraries such as Java or jQuery are in use and whether applications such as Microsoft Word or Chrome are outdated. Common internal vulnerability scanners include, but are not limited to, OpenVAS, Qualys, and Tenable.io.
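As an added example (not from the original post or any scanner vendor), this Python check compares constructed scan results against a small hardening baseline covering the two findings named above, reversible-encryption passwords (the ENCRYPTED_TEXT_PWD_ALLOWED bit 0x80 in an account's userAccountControl) and a low RDP encryption level (the RDP-Tcp MinEncryptionLevel value, where 3 means High), plus outdated library versions; the host and account names and the version floors are assumptions.

```python
from dataclasses import dataclass, field

# Active Directory userAccountControl bit for "store password using reversible encryption".
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
# RDP-Tcp MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant.
RDP_LEVEL_HIGH = 3

# Constructed baseline for this example (version floors are illustrative, not a CIS benchmark).
BASELINE = {
    "rdp_min_encryption_level": RDP_LEVEL_HIGH,
    "min_versions": {"Java": (17, 0, 0), "jQuery": (3, 5, 0)},
}

@dataclass
class HostScan:
    host: str
    rdp_min_encryption_level: int
    software: dict = field(default_factory=dict)  # name -> installed version, e.g. "1.8.0"
    accounts: dict = field(default_factory=dict)  # sAMAccountName -> userAccountControl value

def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version ('3.4.1') into a comparable tuple; non-numeric parts are dropped."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def check_host(scan: HostScan, baseline: dict = BASELINE) -> list:
    """Compare one host's scan result to the baseline and return human-readable findings."""
    findings = []
    if scan.rdp_min_encryption_level < baseline["rdp_min_encryption_level"]:
        findings.append(f"{scan.host}: RDP MinEncryptionLevel is {scan.rdp_min_encryption_level}, below High (3)")
    for name, floor in baseline["min_versions"].items():
        installed = scan.software.get(name)
        if installed is not None and parse_version(installed) < floor:
            findings.append(f"{scan.host}: {name} {installed} is below minimum {'.'.join(map(str, floor))}")
    for user, uac in scan.accounts.items():
        if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            findings.append(f"{scan.host}: account {user} stores its password with reversible encryption")
    return findings

# Constructed scan result: a Client Compatible RDP level, an old Java, and one flagged service account.
SAMPLE = HostScan(
    host="app01",
    rdp_min_encryption_level=2,
    software={"Java": "1.8.0", "jQuery": "3.6.0"},
    accounts={"svc_backup": 0x10200 | ENCRYPTED_TEXT_PWD_ALLOWED, "alice": 0x10200},
)

if __name__ == "__main__":
    for line in check_host(SAMPLE):
        print(line)
```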
Credentialed Vs. Non-Credentialed Scan
System testing can be broken down into two subcategories, credentialed and non-credentialed scans; both have their merits and their applications to what your organization is trying to accomplish. Generally, a credentialed (Administrator) scan from one of the above tools will expose more information to the scanner, which in turn will reveal additional issues with the operating systems and applications in use. This information will typically be overwhelming; however, it will be more complete than that of a non-credentialed scan. Non-credentialed (general user) scans do not grant administrative privileges to the scanning engine, preventing it from ascertaining the versions of certain running applications and processes. Non-credentialed scans are indicative of what a malicious non-administrative person attempting network and system discovery, as part of a larger attack, would see. Non-credentialed scans may also provide a shorter guide to which issues to fix immediately in the production environment, as these are the most commonly exposed and/or exploited.
Security Penetration Testing
Penetration testing is performed by business professionals using an array of tools and active methods to discover and exploit vulnerabilities within a system. This type of testing may be performed by multiple individuals and across multiple tiers of the environment: Network, Application, and System. For additional information on penetration testing, refer to our security testing page. Typically, penetration testing is more costly and invasive than an automated scan service; however, the value and results will be much greater in terms of the system vulnerabilities returned. The total cost of compliance breaches, emergency patching, or data breaches will be substantial if vulnerabilities are not found through periodic testing.
Security testing need not be limited to technological faults, but can expand within your organization's risk management program to include people, processes, and their roles in daily business-as-usual or specialized tasks such as access control management. As with all good information security governance models and cyber security adaptations, security in layers means having no single point of failure. Security testing should be performed by qualified individuals who know both the tools they are using and the system to which they are applying those tools. Don't forget that third-party vendors and consultants are always available to assist your organization in achieving its goals for security testing. Here at MegaplanIT, we offer a fully managed SOC, Penetration Testing, and Compliance Services, all with insights on how to effectively and efficiently perform security testing on your environment.
Looking For A Security Service Provider? We're Here To Help!
We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!