Penetration testing

Introduction

We prefer to consider the cyber security domain as a broader topic, not just as mere hacker proofing, but equally important as an effort towards better behaving, more robust, reliable, trustworthy and integral information systems.

Our penetration testing (pentesting) service, elfATTACK, is an ethical hacking service for assessing and testing the current security level of information systems and IT infrastructures.

Penetration testing is basically security testing: verifying security measures in practice. For example, the security level of a web application, a corporate server or a local area network can be tested by attempting to bypass its security controls, such as authentication or access request authorization. Sometimes a system might be doing an inadequate job, such as with input validation, allowing a malicious script to be planted for execution. The system might fail to properly validate and authorize inbound data requests, returning data that actually belongs to other users. Another potential failure would be using too weak or misconfigured data encryption, making it viable and affordable to compromise data security through brute-forcing or other cipher-text based attacks.
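One of the failures described above, a data request handler that returns records belonging to other users because it never authorizes the request against the record owner, is shown below beside a hardened version that validates the identifier and checks ownership against the server-side session. This is an added illustration, not code from elfGROUP or from any tested system; the in-memory store, the user names and the invoice ids are constructed for the example.

```python
"""Object-level authorization: a handler that returns other users' records,
beside a hardened version.  Constructed example; the data store, users and
invoice ids are made up for illustration and belong to no real system."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed in-memory store standing in for a database table.
INVOICES = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 75.5),
}


class BadRequest(Exception):
    """Malformed client input (maps to HTTP 400)."""


class NotFound(Exception):
    """Record absent or not visible to this user (maps to HTTP 404)."""


def get_invoice_vulnerable(session_user: str, raw_id: str) -> Invoice:
    """Looks the record up by the client-supplied id only.  Any authenticated
    user who supplies another user's invoice id receives that invoice, and a
    malformed or unknown id escapes as an unhandled exception."""
    return INVOICES[int(raw_id)]


def get_invoice_hardened(session_user: str, raw_id: str) -> Invoice:
    """Validates the identifier first, then authorizes against the record's
    owner taken from the server-side session, never from the request."""
    if not raw_id.isdigit() or len(raw_id) > 12:
        raise BadRequest("invoice id must be a short decimal number")
    invoice = INVOICES.get(int(raw_id))
    # Same answer whether the record is missing or owned by someone else, so
    # the response does not confirm which ids exist.
    if invoice is None or invoice.owner != session_user:
        raise NotFound("no such invoice")
    return invoice


def outcome(handler, session_user: str, raw_id: str) -> str:
    """Summarizes one call the way a tester would note it: status plus what
    the caller learned.  Unhandled exceptions count as a 500-style failure."""
    try:
        inv = handler(session_user, raw_id)
        return f"200 invoice {inv.invoice_id} owner={inv.owner}"
    except BadRequest:
        return "400"
    except NotFound:
        return "404"
    except (KeyError, ValueError) as exc:
        return f"500 unhandled {type(exc).__name__}"


if __name__ == "__main__":
    for handler in (get_invoice_vulnerable, get_invoice_hardened):
        for raw_id in ("1001", "1002", "9999", "abc"):
            print(handler.__name__, raw_id, "->", outcome(handler, "alice", raw_id))
```

Running the block as alice shows the difference a tester looks for: the vulnerable handler hands over bob's invoice 1002 and crashes on unknown or malformed ids, while the hardened handler serves only alice's own record and answers invalid requests with a controlled 400 or 404.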

Application security testing may also be a good choice for auditing outsourced development. Besides security testing, we can support with development team maturity assessments as well as architectural assessments.

On this page we briefly describe our overall elfATTACK approach and the typical characteristics and contents of application and IT infrastructure targeting attacks.

Our pentesting approach

Penetration testing can be performed with various extents of scope and visibility. As with any testing, it is always a careful balance of effort, costs, and coverage. Having a more white-box type of visibility by combining source code review with the actual testing brings better coverage and understanding of why the application behaves as it does. However, code reviews are quite laborious and are meaningful when limited to the most critical components and interfaces, such as user authentication or payment transaction verification.

We have found that the best approach is to start with a walkthrough meeting or an architecture workshop, where the penetration testing target is introduced and demonstrated. Here we'll discuss and analyze the target's role in the organization's business, gaining understanding about the criticality of the platform, the information handled by the platform and the cyber security risks associated.

By understanding the business requirements and the target level of the protection, the testing can be better dimensioned and implemented.

For the duration of the actual security verification in the penetration testing phase, we set up a secure chat channel for effective communication between our penetration testers and the customer's development team. This enables fast clarifications, immediate reporting of the findings, and good communication for agreeing on fixes and re-testing, already during the assignment.

Critical findings and vulnerabilities that have emerged in the test are reported immediately to allow the customer maximum time to respond to the need for repair.

Phasing and scheduling

The overall phasing of the elfATTACK penetration tests is illustrated below.

elfATTACK high level process
  1. Workshop to assess the overall architectural cyber security posture. Depending on the extent of our scope, the architecture workshop can be a more in-depth review of the target system's trust boundaries, with technology stack considerations and often contains initial attack vector identification to be utilized in the later testing phase.
    1. A summary of the matters addressed in the workshop, the architecture overview and the most important aspects from the cyber security point of view will be included in the final report.
    2. An important part of the workshop is also to ensure that all practicalities like the target system and necessary credentials are in place.
  2. Penetration testing of an information system or IT infrastructure. In this phase, the actual security testing is conducted. All findings and testing progress are reported dynamically as we proceed, and information and evidence are collected for use in the final report.
  3. The final security assessment report is created, delivered to the customer using secure channels and finally presented in the closing meeting.

As the bulk of the testing is elfGROUP's work phase, the customer is not required to invest much time. The architecture workshop normally takes a few hours and the closing meeting about one hour. In calendar time, a typical elfATTACK testing period including reporting is about 2.5 calendar weeks from the workshop.

Once the testing is completed, we conclude with the reporting phase, always delivering a hand-written professional report with steps to reproduce, risk considerations and practical mitigation guidance.

A closing meeting is then organized to discuss the report and address any open topics or concerns raised.

Incremental or full testing to support Secure SDLC

In an effort to support secure software development life cycle activities, it is very important to consider the security aspects early on. By defining security requirements and verifying that they are met as part of the milestone criteria, it is much less likely that security topics are skipped when the release rush begins.

In software security testing, the testing scope can be incremental to cover newly added features or it can be done with full application scope. Depending on the changes done and the development life cycle status, the testing effort can be easily adjusted. It is, however, considered sensible to perform regular penetration testing rounds to check for potential regressions in the code or in the runtime environment.

We recommend that security regression testing be performed whenever the application or the runtime platform has been modified. It is not always source code changes that make new issues surface; compatibility issues may arise from, for example, any software update.

Deliverables

elfGROUP's cyber security professionals have a strong background in software engineering and architectural design. We always strive to consider the identified vulnerabilities from the developer's or sysadmin's perspective and to include tangible mitigation guidance in our expert hand-written testing reports. Tool auto-generated reports are not normally provided, as these tend to cause more confusion and frustration than benefit.

Penetration testing performed safely in test environment

We strongly recommend performing security testing in a dedicated test environment to avoid limiting the tests and tools used. If needed, elfGROUP can provide an isolated virtual server environment where the test target can be deployed for low-latency and side-effect-free testing. If the testing has to be done in a production environment, there will often be restrictions on the load caused and the test methods allowed.

It is important to understand that malicious hackers do not restrict the use of their tool selections because the target system is in production use.

Selecting the right methodologies and services

elfATTACK can be a combination of black-box penetration testing and more transparent white/gray box approaches, even including source code reviews. The best combination of tools and methods is selected for each client to ensure that the most critical points in the target environment are also most carefully tested. It is possible to combine penetration testing with more detailed architecture assessments, which improves the accuracy of the evaluation and enables the customer to reach a higher level of CyberSafe certification.

elfATTACK Application

elfATTACK Application focuses on the defined target information system. During a typical application testing, we will attempt to identify ways to bypass input validation, authentication and authorization, business logic and other technical controls as well as to discover completely missing security controls.

We will identify security vulnerabilities in an application's web interface and API interfaces using various manual and automated testing methods. Frequently, tested systems handle or contain confidential or privileged information and require a third-party assessment of their security level.

The engagement focuses on the correct operation of the implementation from the point of view of security attributes, to ensure the confidentiality and integrity of processed data and the continued availability of the platform. For example, we validate that request handling is state-aware and that the system fails gracefully when out-of-scope or invalid requests are received.

The elfATTACK Application pentesting and the supporting architecture assessments emphasize software assurance and predictable reliability.

Developer oriented full reporting of the assessment coverage and results is provided after the testing. Our reports are always hand-written by senior cyber security experts to minimize false-positives and to elaborate on the implications of the findings and the recommended mitigation procedures.

Security verification of API endpoints typically requires the availability of a client or a web front end that uses the API. This can also be a developer tool, a Postman query collection (along with API documentation, such as a Swagger API description) or similar material that can be used to understand the API structure and to generate properly constructed, valid messages. Reverse engineering and hijacking the requests is also an option, but causes more work.

elfATTACK Infrastructure

elfATTACK Infrastructure follows a similar elfATTACK engagement process, starting with a collaborative workshop to discuss, detail and document the assessment scope. The focus is on infrastructure security, for example the visibility of services, their patching status, known vulnerabilities and exploitability. Infrastructure testing can be targeted at specific network segments or services and can be performed from either an internal or an external network perspective.

Along the lines of a red team penetration engagement, we work together with the customer's technical team to walk through the target IT infrastructure and its current technical security controls, to understand and document the starting point, define the scope and agree on the allowed measures of the penetration attempted.

IT infrastructure penetration testing is suitable for verifying the security of, and identifying security vulnerabilities in, for example, on-premise or cloud-hosted IT environments, WiFi networks, server environments, and remote working or teleworking setups.

Infrastructure penetration testing can be combined with server configuration reviews (security hardening, reliability, auditability).

We regularly work with cloud instances hosted on Amazon AWS, Microsoft Azure and Google Cloud.

CyberSafe certification

CyberSafe certification can be granted for applications and corporate infrastructures that pass the security testing without high criticality findings.

Getting started

Please contact us to discuss your security testing need. We will provide you with a tailored commercial proposal which we believe will best help you forward in securing your data, applications and infrastructure.

CUSTOMER TESTIMONIAL
Raute

elfGROUP assessed the cybersecurity of our digital services, and tested their information security vulnerabilities. With these results we were able to make our products even more reliable. The benefits will transfer straight to our customers. Thanks to elfGROUP's services, I can sleep better, knowing that an external specialist has ensured the reliability of our services.

Mika Hyysti
Group Vice President, Technology
Raute Oyj