Penetration Test

Penetration tests focus on infrastructures and systems with an idea of outside and inside.

  • Outside: out of the domain (other domain or the internet).

  • Inside: in the domain.

Tests the capability of entering a domain and its impact.

  • How an attacker entered (which flaws or bugs were used).

  • How/if an attacker moved laterally.

  • What other systems it may have reached?

  • What data/systems were impacted?

  • Was data exfiltrated?

Why

An essential process in current organizations, products, and systems.

  • Two distinct views: Internal and External.

The current organizational landscape is complex.

  • Heterogeneous computing environment.

    • Servers, desktops, laptops, BYOD…

  • Multiple applications.

    • From multiple vendors.

    • Developed over time, using different tools, languages, and stacks.

  • Rely on communication networks.

    • Not all are confined (e.g. Wi-Fi).

  • Rely on external services and actors.

Important to understand what are the risks, what to address, and what processes should be in place.

Standard defensive measures are not enough.

  • They help create/operate the software with greater security.

  • They are also limited to the mindset of the developers/ops.

Defensive technologies are limited in capabilities.

  • Firewall: Filter packets, and connections.

    • mostly used as perimeter control devices (but do not supervise internal networks).

    • inspect packets in clear, or publicly available data (ports, IP Addresses, protocols), but struggles with TLS.

  • WAF: Filter HTTP requests.

    • matches profiles of known attacks (deny list), or allowed requests (allow list), but may be circumvented.

  • IDS: Network/Host Intrusion Detection Systems monitor network or OS changes.

    • Matches profiles of known attacks, but may be circumvented.

    • May detect and block an attack AFTER it was done.

Last updated