Boost Your Security Posture With Objective-Based Penetration Testing – IT Governance UK Blog
To maximise value from your security investments, your measures must be effective
How can you be confident your measures are fit for purpose – and prove it to stakeholders like customers, partners and regulators?
Penetration testing (also known as ‘pen testing’ or ‘ethical hacking’) offers a vital tool for identifying gaps and opportunities to strengthen your security programme.
Our head of security testing, James Pickard, explains further.
In this interview
Is your security programme effective?
What are key challenges when implementing a security programme?
Resources and costs are often top of the list.
Many organisations have a tight budget for security, and lack in-house specialist skills – which doesn’t combine well with the fact that security programmes should contain multiple types of defence to be truly effective.
Ideally, the programme features not just defensive measures, but also offensive security services. Speaking as a security tester, I’ve seen many programmes that look great on paper – then turn out not effective when tested through, for example, an objective-based penetration test.
Objective-based penetration tests
What is objective-based penetration testing?
It’s also known as ‘goal-based’ or ‘goal-oriented’ penetration testing.
Goal-based penetration testing isn’t too different from standard penetration testing, where we test a system, or a set of systems, from usually a ‘grey box’ approach [explained later].
However, with objective-based testing, we specifically ask the client about what matters to them. Within a certain application, for example, what are their concerns?
Can you give us an example?
Let’s say we’re looking at a web application. What concerns would the business owner have?
Maybe it’s unauthenticated access to the application – can someone without an account gain access? Or perhaps it’s user separation – can Organisation A and Organisation B see each other’s data? That could be a big data breach.
There are many different types of breach, reflecting different risks. With an objective-based penetration test, the client is, in effect, directing the test to focus on their biggest risks.
This can be more cost-effective than a standard penetration test that tries to test everything. However, be aware that a focused, goal-based penetration test may miss vulnerabilities.
Could you give another example of the type of brief or objective you might receive?
It entirely depends on the client and its priorities.
Let’s say the organisation stores its critical data within a database accessed by a web application. A likely objective would be to gain access to that data. But we can come at it from different scenarios:
- Can an external hacker get into the web application?
- Can a hacker already inside the web application [a malicious insider or an external hacker who gained a foothold] access data outside their privileges? Or can a normal user take over an admin account?
- If someone had access to the network, could they get to the database server directly?
It entirely comes down to the client.
Grey box penetration tests
Earlier, you mentioned “grey box” testing. Could you elaborate?
There are three types of penetration tests:
- Black box
- Grey box
- White box
‘Grey box’ is traditional penetration testing. The client provides the URLs, IP addresses, or the credentials they want us to test from.
So, we’ll have some but not all the information when we do the test.
Finding this interview useful? To get notified of future
Q&As and other free resources like this, subscribe to
our free weekly newsletter: the Security Spotlight.
Black box penetration tests and red team assessments
What is black box testing?
In short, we get no information before we start the test. Our only real instruction is to attack the client.
This could be a red team-style attack, which is a more real-world or holistic test.
How does a red team engagement work, exactly?
We’d start with reconnaissance – scouring the Internet and the dark web for credentials, and footprinting the network to identify anything public-facing.
When I’m footprinting, I’m building a map of what services the client has running – the web server[s] they have, the firewall and VPN they use, and so on. What do they use at the network perimeter?
What about the user aspect – could I conduct a phishing attack and gain credentials that way?
I’d also check whether it’d be easier to gain physical access to the environment. Could I plug in a device with the aim of getting a persistent connection?
After establishing this type of information, we settle on a plan – which often involves launching multi-pronged attacks.
Maybe we’ll have someone conduct a really ‘noisy’ attack – one that we know will fail and create lots of red monitoring logs. But that’s actually a distraction. While that ‘noisy’ attack is going on, another person is doing something nice and quiet.
White box penetration tests
What about white box testing?
With a ‘white box’, we get all the information – everything from the design documents to detailed information about all the supporting infrastructure.
Out of the three types, white box and black box take the longest. With black box testing, we spend a lot of time researching.
With white box, we need to look at the infrastructure, the database holding the information, where it’s hosted, etc. All that takes time!
Manual vs automated penetration testing
What other types of penetration testing should people be aware of?
There’s automated penetration testing, which is booming at the moment.
That relies on a database and a script that identifies vulnerabilities. It finds mostly easy, low-hanging vulnerabilities and can identify changes to your system – it’s pretty much vulnerability scanning, but with a few extra scripts.
How is that different from manual penetration testing?
Manual penetration tests use the expertise of testers to discover vulnerabilities that automated tools often miss, but can lead to a data breach or network compromise.
This is slower and more expensive than automated tests, but offers several key benefits. Skilled testers leverage their experience to offer value over and above automated scans:
- Verification – we validate the scan results.
- Advanced exploitation – we exploit vulnerabilities uncovered as a proof of concept to assess the real-world risk. We also look for attack paths through the network to exploit, and look to combine vulnerabilities to elevate privileges where possible.
- Impact analysis – we evaluate the potential impact on the organisation, and provide more accurate risk ratings, not just taking the standard CVSS scores at face value but, when necessary, upgrading or downgrading risks. This could be based on whether the service is publicly or only internally exposed, and the sensitivity of the data it contains.
- Clear communication – we discuss vulnerabilities with clients, ensuring they understand the implications and consequences. We also write reports aimed at both management and technical teams.
How can organisations optimise resources? When does vulnerability scanning [or automated testing] save money, and when is the extra assurance provided by manual testing necessary?
Clients require penetration tests for reasons like meeting legal and contractual requirements – PCI DSS compliance, for example – or to provide assurances as a supplier. Manual testing delivers the depth and insight to meet these obligations.
But automated tests also have their place: they provide assurance that your security posture remains strong between manual tests, which tend to be conducted annually.
Also, like anything security-related, the ‘better’ solution is risk-dependent. Is the test for just an informational website – a blog, for example? Or is it for a platform that stores sensitive customer information?
The latter is a far bigger risk to your organisation due to the potential high impact, so a manual test would likely be more appropriate. Whereas an automated test may be sufficient for the blog.
In short, both manual and automated tests have their place, and should complement rather than compete with one another.
Which penetration test is right for me?
Penetration testing isn’t limited to web applications and networks. We can test your website, wireless network, remote working solutions, PCI DSS compliance, and even your staff.
Unsure about what penetration test is right for you?
Find out with our simple, interactive guide:
About James Pickard
James is an expert penetration tester – and our head of security testing – with more than a decade in the field.
He’s led and executed penetration tests across diverse industries on a global scale. He specialises in two key areas: infrastructure testing and authorisation bypass techniques.
James excels in leadership and technical expertise. He’s managed the penetration testing team since 2018, directing them through tasks, improving testing procedures and cultivating collaborative relationships with clients.
We’ve previously interviewed James about the insider threat and security trends for 2024 and beyond.
We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.
If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter.
Alternatively, explore our full index of interviews here.