Security Penetration Testing Checklist

Overview

Security testing of an environment can be a time-consuming and expensive process that requires adequate knowledge of the tools, attack vectors, and methodologies bad actors may use to infiltrate or otherwise circumvent security controls. Security testing may be broken down into different layers within the infrastructure as well; Application, Network, and System testing may be employed to determine the full breadth of vulnerabilities facing your organization.

Application Layer Security Testing

Entities developing software, including those that interface with an API or other protocol, may wish to perform testing against common web attacks per OWASP top 10. Applications may be tested statically or dynamically using tools or manual methods. This may be supplemented with the implementation of a Web Application Firewall which monitors traffic to and from the applications to monitor if appropriate data streams, queries, and commands are sent to the application for processing.

Static Code Testing

The main difference between static and dynamic testing is that an application or program is not compiled for static testing as the source code may be scanned manually or automatically using tools like SonarQube or PVS-Studio. Note that these tools may not be for your application or language, with the multitude of languages used on today’s internet, you should pick one appropriate for your application’s use. Static code analysis observes the calls the application makes by considering the individual declarations and statements made and tracing them back to the source material as appropriate.

Dynamic Code Testing

Dynamic code testing is an application or program which has been compiled and is now being tested for any issues or bugs within the application with the libraries, inputs, or other interactions which may destabilize the application. A faulty application may not handle errors correctly, crash into stored data, or otherwise expose inappropriate data to the end-user. Note that this testing is not speaking of version management, but the quality of written content, its accessibility via queries, and vulnerabilities presented in the application as it is presented to the world. Some useful tools for dynamic code testing are Rational Software’s AppScan or Acunetix: Web Vulnerability Scanner.

Network Layer Security Testing

Network layer testing will involve the pathways that information takes into your infrastructure. Hosted FTP servers, e-mail relays, application servers, and databases all communicate data between themselves and occasionally the internet. The issue is, how are you to delineate what is appropriate and inappropriate for running your systems? That is an issue for another blog post, however, it should be known that secure transmissions between nodes in your environment should be tested. Network layer testing tools include applications like NetCat, WireShark, and Responder. Additional network security layers may be leveraged, such as an Intrusion Detection/Prevention System wherein malicious traffic is flagged and blocked as dictated by the rulesets of the solution or adaptive learning.

External Network Layer Testing

Security testing at a minimum should be the review of firewall rulesets externally to determine if network traffic is appropriate for your environments, both inbound and outbound connections. Using unknown ports, protocols, or services may lead to unintended exfiltration of data from your networks. Do you wish for your networks to communicate over HTTPS:// (port 443)? Or do you need to have clients or stakeholders upload documents over SFTP (port 22)? Definitions of these ports in use should be reviewed periodically per your business model to reduce available ports to that which is necessary. External network-layer testing may be performed through an automated vendor ASV which scans certificates and network connections to public-facing websites to determine if any network vulnerabilities exist and typically how to remediate these faults.

Internal Network Layer Testing

Internal network-layer testing is testing the interconnections of internal servers. Typically we would look at interconnections between internal resources such as active directory, databases, and other security backend processing servers and how they would interface with that which is public-facing. Are authorization and access control protocols traveling across the network in plain text? Is encrypted data remaining encrypted until the endpoint where it is used? Are different subnets adequately separated to ensure that traffic is not intercepted on its way to the intended destination? Detection of rogue nodes or devices on your network may also be tested internally to ensure that all devices recognized on the network are as appropriate and per the design of the system architect and known network configurations.

System Security Testing

System testing is performed on the operating system and application-level of a production environment. Typically, automated tools are used to scan applications, libraries, and operating systems to determine version and configuration. From there, it compares the result to what a typical hardened system should be and produces a report which informs the user of potential vulnerabilities. These vulnerabilities may stem from misconfigured operating system configurations against industry best practices such as storing passwords with reversible encryption or allowing low encryption level RDP. Additional information regarding system hardening may be found at the Center for Internet Security or Cisofy. Internal vulnerability scanning tools may also be used to determine if insecure versions of operating libraries such as Java or jQuery are used and if applications such as Microsoft Word or Chrome are outdated. Common internal vulnerability scanners include but are not limited to OpenVAS, Qualys, or Tennable.io.

Credentialed Vs. Non-Credentialed Scan

System testing can be broken down into two subcategories: Credentialed vs. Un-Credentialed Scans, both have their merits and applications to what your organization is trying to accomplish. Generally, an (Administrator) credentialed scan from one of the above tools will expose more information to the scanner which in turn will reveal additional issues with the operating systems and applications leveraged. This information will typically be overwhelming, however, it will be more complete than that of a non-credentialed scan. Non-credentialed (General User) scans will not allow administrative privileges of the scanning engine preventing the device to ascertain certain versions of running applications and processes. Non-Credentialed scans would be indicative of a malicious non-administrative person attempting network and system discovery as part of a larger attack. Non-Credentialed scans may also provide a shorter guide as to what issues to fix immediately with the production environment as these are the most commonly exposed and/or exploited.

Security Penetration Testing

Penetration is performed by business professionals using an array of tools and active methods to discover and exploit vulnerabilities within a system. This type of testing may be performed by multiple individuals and across multiple tiers of the environment: Network, Application, and System. For additional information on penetration testing refer to our security testing page. Typically, penetration testing is more costly and invasive than an automated scan service, however, the value and results will be much greater in returning system vulnerabilities. Ttal saved from compliance breaches,  emergency patching or data breaches will be substantial if not found through periodic testing.

Conclusion

Security testing may not only be limited to technological faults, but can expand within your organization’s risk management program to include people, processes,  and their roles in daily business as usual or specialized tasks such as access control management. As with all good information security governance models and cyber security adaptations security in layers is considered as not having a single point of failure. Security testing should be performed by qualified individuals that know both the tools they are using and the system to which they are applying those tools. Don’t forget that third-party vendors and consultants are always available to assist your organization in achieving its goals for security testing. Here at MegaplanIT, we have a fully managed SOC, Penetration Testing, and Compliance Services all with insights on how to effectively and efficiently perform security testing on your environment.