External and Internal Penetration Testing

External and Internal Penetration Testing

Lets start by defining Penetration Testing. A penetration test, or a pentest, is a simulation of a hacker attack on a network, system, application or website. It is used to discover existing vulnerabilities and weaknesses before hackers find and exploit them.

The pentesting helps you validate, improve and ensure efficiency and effectiveness of your information security systems.

Pentests discover vulnerabilities, and in some cases even include personalized instructions on how to fix discovered vulnerabilities and weaknesses in their reports.

Penetration Testing Standards

here are some of the main standards of penetration testing:

• LPT - Licensed Penetration Tester methodology from EC-Council
• OSTTMM - Open Source Security Testing Methodology Manual
• OWASP - Open Web Application Security Project
• ISSAF - Information Systems Security Assessment Framework
• WASC-TC - Web Application Security Consortium Threat Classification
• PTF - Penetration Testing Framework
• OISSG - Information Systems Security Assessment Framework
• NIST SP800-115  -Technical Guide to Information Security Testing and Assessment

In some cases penetration testing include risk assessment methodology, that can be compatible with the variety of modern compliance standards and various federal regulations, such as:

• PCI DSS (Payment Card Industry Data Security Standard)
• ISO-IEC 27001 (Information Security Management Systems)
• HIPAA (Health Insurance Portability and Accountability Act)
• SOX (Sarbanes-Oxley Act)
• GLBA (Gramm–Leach–Bliley Act)
• FISMA (Federal Information Security Management Act)

Penetration Testing Methodologies

A penetration test can be performed by one of these three methodologies:

• Black Box Penetration Test

During the Black Box pentest client does not give any internal technical or network information to the auditors. Therefore, the Black Box approach requires auditors to spend some time on network exploration and reconnaissance in order to craft efficient attack plan. This approach simulates the most realistic attack scenario, and is perfectly suited for companies who want to know what a group of external hackers may do within a limited period of time.
 

• Gray Box Penetration Test

Differently from the Black Box, the Grey Box approach usually does not require auditors to spend a lot of time on network exploration. Internal information, such as technical documentation or credentials of privileged users, may be given to the auditors in order to simulate more sophisticated attack when hackers have already obtained some sensitive information. For the Grey Box pentest the client may also specify which attack methodologies on which systems he wants or he doesn't want to use. Grey Box is the most frequent approach that provides comprehensive security testing within a relatively short period of time compared to White Box.
 

• White Box Penetration Test

White Box pentest is the most "collaborative" approach, when client provides auditors with all information about his network architecture, user credentials and even source codes in some cases. White Box is rather an audit than a penetration test. It is the most comprehensive and complete approach to security testing, however it requires a lot of time as well. White Box is advised to companies who want to make sure that every single line of code in their defense perimeter will be scrupulously verified.
 

There are two main types of penetration tests:

External Penetration Test

• Testing of frontal servers applications
• Testing of websites and web applications
• Firewall-IDS-IPS bypass testing
• Testing of VOIP infrastructure

Internal Penetration Test

• Malicious employee activity simulation
• Privilege escalation attack simulation
• Security testing of wireless networks
• Social Engineering attack simulation
• Phishing attack simulation