Identify and prioritize risks, based on likelihood of exploitation
Not all vulnerabilities are created equal. Penetration testing helps to add perspective on the impact of a vulnerability: how can a vulnerability be exploited, and if exploitation occurs, what is the impact on my organization and most critical assets?
UL’s penetration testing attempts to exploit vulnerabilities in a systematic and controlled manner. This effort will demonstrate how an attacker may gain access to valuable resources and assets, and expose IT infrastructure security’s weakest links.
The starting point for the penetration testing is a kickoff meeting to scope the work. Proper scoping is the most important component during the planning and preparation step, in addition to setting up the right levels of access control, and ensuring that systems are ready for testing, e.g. data backup etc.
Agreement on timing and duration of penetration testing is essential, as are agreements on the focus points for test activities and the way to proceed for testers in case they succeed in a penetration attempt. We will also discuss and agree on any peculiarities for performing testing on live systems etc.
To begin the actual penetration test, UL will use network survey methods and port scanning to gather any useful information. The goal is to identify the systems in scope and confirm they are actually reachable. UL testers will use several tools such as Nmap to collect domain names, server names, internet service provider (ISP) information, host IP-addresses, routing protocols, etc. This information will be used to draw up a network map.
In this step, UL experts will use automated tools such as Nessus or Nexpose to scan the target systems for vulnerabilities and weaknesses. The outcome of this scanning process is a list of systems that potentially contain one or more specified vulnerabilities and weaknesses. Hence, these are the systems that need an in-depth investigation. The selected target systems will be the scope of the next step to perform the penetration testing activities.
During the penetration attempt step, UL experts will try to exploit the vulnerabilities and weaknesses identified in the previous step, using tools such as Metasploit. One approach to penetration testing is ‘black box’, which means that our testers don’t have any knowledge about your network except publicly known information. An example of this is a penetration test for a website, where only the website URL or IP-address is known. This would equate to an external attack carried out by a malicious hacker.
While the focus of UL’s penetration testing efforts is on accessing computer assets, UL testers will try to obtain or subvert confidential documents, pricelists, databases and other protected information, when this is in scope. Of course we will strictly protect the confidentiality of any information we obtain; the information will only be used to prove that we did in fact breach the security of the network.
After penetration testing has finished according to the agreed scope, duration and rules of engagement, UL will draw up a penetration testing report. The report will describe the test target(s) in scope, the test tools and test methods used, the vulnerabilities and weaknesses found in the Vulnerability Detection step, and the penetration attempts performed.
For each successful penetration attempt, UL will list the related vulnerabilities, the attack method, all logs and data related to the attempt and any other information necessary to reproduce the attempt. We will give a brief analysis of the likelihood and impact of each successful exploit, and include recommendations on mitigating the vulnerabilities we found.
To complete the penetration test, UL will clean all systems targeted during the penetration testing, in cooperation with the customer. In case any system was compromised, the cleaning process will be done in a secure way to ensure that normal operations are not affected. This step will include actions such as backup restore, log file removal and removal of user accounts created during the penetration tests.