Penetration Test

Penetration tests focus on infrastructures and systems with an idea of outside and inside.

• Outside: out of the domain (other domain or the internet).

• Inside: in the domain.

Tests the capability of entering a domain and its impact.

• How an attacker entered (which flaws or bugs were used).

• How/if an attacker moved laterally.

• What other systems it may have reached?

• What data/systems were impacted?

• Was data exfiltrated?

Why

An essential process in current organizations, products, and systems.

• Two distinct views: Internal and External.

The current organizational landscape is complex.

• Heterogeneous computing environment.

  • Servers, desktops, laptops, BYOD…

• Multiple applications.

  • From multiple vendors.

  • Developed over time, using different tools, languages, and stacks.

• Rely on communication networks.

  • Not all are confined (e.g. Wi-Fi).

• Rely on external services and actors.

Important to understand what are the risks, what to address, and what processes should be in place.

Standard defensive measures are not enough.

• They help create/operate the software with greater security.

• They are also limited to the mindset of the developers/ops.

Defensive technologies are limited in capabilities.

• Firewall: Filter packets, and connections.

  • mostly used as perimeter control devices (but do not supervise internal networks).

  • inspect packets in clear, or publicly available data (ports, IP Addresses, protocols), but struggles with TLS.

• WAF: Filter HTTP requests.

  • matches profiles of known attacks (deny list), or allowed requests (allow list), but may be circumvented.

• IDS: Network/Host Intrusion Detection Systems monitor network or OS changes.

  • Matches profiles of known attacks, but may be circumvented.

  • May detect and block an attack AFTER it was done.