A penetration test exposes exploitable vulnerabilities and mitigates the risk of individuals or groups gaining unauthorised access to systems.

It is best to conduct regular penetration tests on your infrastructure and applications as part of your security regime.

There are many different pen tests available. These include:

• External Testing
• Internal Testing
• Web Application Testing
• Wireless Testing
• Remote Access and VPN Testing
• CHECK Testing
• Device Testing
• Firewall Review
• Build and Configuration Reviews
• Vulnerability Assessments and Automated Scanning
• Social Engineering
• Cyber Essentials

For 25 years, Sapphire’s pen testers have been delivering successful testing and vulnerability analysis services for organisations across the UK.

This blog post will provide an overview of each penetration test type and its benefits.

External Network Penetration Testing

There are a variety of routes whereby a bad actor can gain unauthorised access to an organisation’s systems. They range from telephony solutions, modems, ISDN and DSL, to name a few. These systems are used for various business purposes, including; support for remote and home working by staff, dedicated connections with organisation partners and suppliers, and access to public networks (e.g. Internet) and third-party networks.

When deciding on the scope of an external penetration test, the organisation needs to consider what external communication routes and services the organisation believes could be breached intentionally or accidentally. For this reason, an organisation may decide on one or several types of penetration testing below to expose vulnerabilities and bolster their defences.

Firewall Configuration Testing: a test to assess whether the configuration rules are deployed at an internal network or external (Internet) boundaries. A firewall configurations review helps to build and maintain confidence in the security of your organisation’s perimeter security controls.

Internet Vulnerability Scanning: this test scans the customer’s Internet connection to determine what services and associated vulnerabilities may be exposed to the outside world by cyberattacks providing insight and intelligence around the organisation’s exposure. 

Perimeter Network Testing extends remote testing by checking for vulnerabilities that may only be visible inside the external router. Perimeter Network Penetration Tests help determine the dependency on the external router, which may be the third-party supplied and configured.

Email Testing: various email services are available, each with potential and known security vulnerabilities. In Email penetration testing, a pen tester will require an investigation of each type of mail service used, which may be externally visible to determine their vulnerability.

Firewall Bypass Testing: during this process, a pen tester will examine the security hardening and configuration of the firewall and other exposed systems to establish how resistant they are to further penetration should unauthorised access be achieved.

System Access via Modems: The objective here is to identify, wherever possible, the type of connection service offered by active modems and whether these may present an opportunity to the outsider to gain easy access to a computer system.

Telephone Scanning: The concern here is that there may be unauthorised or ‘semi-official’ modems connected to organisations’ phone lines and providing access to their computers. The hacking and phone phreaking community use scanning techniques for detecting these and any authorised modem lines.

Internal Network Penetration Testing

The main objective for this type of pen test is to determine what an attacker(s) could achieve, with some level of authorised access to the organisation’s IT services, by exploiting security weaknesses and vulnerabilities in the IT system.

There are three levels to Internal Network Penetration Testing:

1. Network Level: testing for vulnerabilities in the internal network services can provide insight into how an attacker could gain unauthorised access to computers and services on the network.
2. Computer Level: testing for security misconfigurations and vulnerabilities in the operating systems attached to the organisation’s networks. 
3. User Level: testing that is carried out based on the access levels of various user roles to determine the potential impact of an insider threat.

Web Application Penetration Test

Each time an organisation uses or publishes web-based applications, it is best practice to conduct a test to identify ways to exploit the application. 

Typically in two stages, the pen test will be completed initially with no authentication to the web applications and then with a valid user account for testing privilege escalation vulnerabilities and assessing any weaknesses with the authentication and authorisation mechanisms.

Remediation advice will be offered about security configurations and vulnerabilities identified. Most web applications are tested following the (Open Web Application Security Project) OWASP guidelines.

Social Engineering & Physical Penetration Testing

These types of penetration testing have the same objectives as network penetration tests to identify weaknesses and vulnerabilities. However, rather than focusing on a software or hardware system, a social engineering pen test focuses on the people within an organisation. 

Physical Penetration Testing simulates a situation to breach the physical security defences within an organisation and is often utilised within a wider social engineering exercise. Examples can involve pen testers tailgating employees to gain physical access to a building.

A physical penetration test can include activities like shoulder surfing to see what confidential or sensitive information can be retrieved and social engineering to gain access to secure or restricted areas. 

Wireless Pen Testing

A single weak link poses a valid security threat to the entire corporate network. However, Wi-Fi networks can provide sufficient security if configured correctly. A WLAN security audit should be conducted regularly to ensure compliance and aid in the early detection of vulnerabilities. Sapphire feels this is the right approach when you want to evaluate the security of specific devices or to analyse the evolution in security after applying technical changes.

The Sapphire Wireless Security Audit is a method of evaluating the Wi-Fi Security aspects of your networks. This can be achieved by simulating attacks against authentication, encryption or even “man-in-the-middle “attacks. Using various tools and processes, Sapphire will try to break into Wireless LANs by ethical hacking against standard security methods such as MAC authentication, WEP, WPA and WPA-2.

This audit aims to break into a wireless network to gain access to the network. Additionally, Sapphire can set up rogue and fake Access Points, waiting for users to connect to capture all activities they perform. Many of the tools used during WLAN penetration testing are the same tools that hackers may use for malicious purposes.

Sapphire will not use Wireless DDoS Attack Testing as this process can bring the wireless network to a complete hold by either jamming the wireless spectrum or overloading the Access Points.

The testing will check for common configuration errors that could allow an attacker to compromise the network. Sapphire will examine wireless infrastructure for weaknesses that may allow an unauthorised user to access back-end systems.

Typically, we will review the corporate and guest (SSIDs) from your Wi-Fi network and, where appropriate, analyse any infrastructure configuration files and client profile settings.