Security Assessments

Penetration Testing

Pentesting is the practice of testing a computer system or network to find vulnerabilities that an attacker could exploit. In addition to identifying vulnerabilities, the assessor attempts to exploit them to gain privileged access to a system, network or application.

In black box penetration testing, the tester has very little or no information about the targets being tested; the test is designed to emulate an external attacker. A white box test is a more comprehensive test, where the tester is provided a wide range of information including source code and/or business logic for the applications being tested. It is designed to emulate an internal attacker or one with intimate knowledge of the system, such as a system administrator or software developer. Finally, grey box testing is a combination of both: the tester receives partial or limited information about the internal details of a system.

Hanlinca Solutions adheres to the following industry-accepted Penetration Testing methodology:

Planning
The planning phase starts with defining goals and objectives of the penetration test. Generally, the objectives are to identify vulnerable systems, improve the security posture of technical systems and have IT security confirmed by an external party. The client and tester jointly define the scope and rules of engagement and discuss any security controls that may impact the test. Whiteboard sessions are conducted to gain better understanding of the infrastructure being tested and obtain additional information based on the type of penetration test (black, grey, white).

Reconnaissance
The information gathering phase starts with analysis of preliminary information obtained in the planning phase. Public domain searches are performed to gather information about the target organization and systems. This may include domains or addresses, external vendors/partners, employees and administrators, technologies and potential vulnerabilities. The information is used to plan active intrusion activities.

Discovery/Enumeration
During this phase, active scans are performed on the target scope to enumerate live hosts and develop a better understanding of the network landscape. Through the use of automated and manual tools the tester is able to identify:

    • Network devices and hosts
    • Operating systems and versions
    • Open ports and running services
    • Web applications and authentication mechanisms
    • Protection mechanisms (e.g. firewalls, IPS/IDS, WAFs)
    • Operating system/application vulnerabilities and misconfigurations

This information is used to create a plan of attack for active intrusion activities.

Exploitation
The tester will attempt to exploit the vulnerabilities found in previous phases. Exploitation frameworks are used to launch exploits in a systematic manner, and manually created scripts based on publicly available code are used to gain control of a target system. The tester will likely utilize various brute force authentication and social engineering tactics to help compromise systems.

Once a system is compromised the tester evaluates the type and level of access gained and performs privilege escalation attacks in situations where the exploit attempt did not produce super-user access.

Often, information learned during successful exploitation is used to attack or gain direct access to other devices on the network. Whenever possible, compromised devices are used as pivot points allowing the attacker to move laterally through the network.

The exploitation phase must be executed carefully because there is always a chance that an executed exploit may bring down a production system. The tester researches and tests exploits in a staging environment beforehand to ensure minimal impact.

Depending on the rules of engagement, the tester may perform additional activities, such as man-in-the-middle (MITM) attacks, credential harvesting and pillaging. Pillaging may include collecting sensitive data about the network or systems and proprietary or sensitive information stored in files and databases.

Final Analysis
The collected findings are compiled and analyzed. The goal of this phase is to identify potential risks to the client organization and, whenever possible, how they impact business operations. Often these findings lead to a better understanding of underlying issues such as insecure network design and a lack of proper segmentation, patch management, configuration/hardening standards or training.

Report
A formal report is produced and presented to the client. The report provides an executive summary, detailed findings, the risk level of each vulnerability found, business impact and recommendations.

Web Application Testing

Web application testing is the activity of assessing a system for the presence of security weaknesses. As more and more sensitive data is stored within your business applications, proper security testing is vital to ensuring your critical software stays operational and your confidential data stays… confidential.

Web applications must be available 24/7 and offer data access to your employees, customers and suppliers. They are frequently the weak link in your security ecosystem, especially when exposed to the Internet. Some of the lesser-known commercial products or custom-built applications are not built to the same security standards as fully commercial applications. Worst of all, they do not have a team of specialists creating and deploying security updates on a regular basis. This makes them excellent candidates for periodic security testing.

There are two general types of testing, static and dynamic. Dynamic testing involves sending requests to a live application and observing the output for indications that a vulnerability is present. Automated tools are often used to discover common types of issues, such as cross-site scripting, SQL injection and well-known misconfigurations. Static testing involves review of source code, configuration files and other items not visible in a running application. Static analysis opens up opportunities for a more thorough analysis because the tester has full visibility into the inner workings of the application. This helps to reduce false positives as well as false negatives.

The Open Web Application Security Project (OWASP) aims at educating developers, designers, architects and organizations about the most important types of web application security flaws. It provides very powerful fundamental techniques to protect against these high-risk areas.

Hanlinca Solutions follows the OWASP methodology during its web application testing to provide a standardized and concise assessment.