The Azure penetration test helped the client identify and remediate multiple issues and misconfigurations, harden their infrastructure and calculate potential risks.
Several factors influence the selection of the right type of penetration testing for your business. These factors include:
- Business Objectives: Your specific business objectives will guide the type of penetration testing you need. Whether you want to identify vulnerabilities in your network infrastructure, web applications, mobile applications, or other systems will determine the focus and scope of the testing.
- Industry and Compliance Requirements: Different industries have specific compliance regulations and standards that may dictate the type and extent of penetration testing required. For example, healthcare organizations may need to comply with HIPAA regulations, while financial institutions may need to adhere to PCI DSS standards. Understanding these requirements is crucial in selecting the appropriate penetration testing approach.
- Risk Profile: Assessing your organization’s risk profile is essential. Consider the sensitivity of your data, the potential impact of a security breach, and your risk tolerance. A thorough risk assessment will help determine the depth and intensity of the penetration testing needed.
- System Complexity: The complexity and diversity of your IT infrastructure and systems will impact the type of penetration testing required. Network architecture, operating systems, web applications, cloud infrastructure, and other components should be considered when selecting the appropriate testing methodologies and techniques.
The following are a few examples of how different types of penetration tests can be applied based on the specific requirements and infrastructures of the clients. Customizing the penetration testing approach to meet each organization’s unique needs and security concerns is essential.
Example 1. Startup.
The client is a startup that has been operating in the market for a few years, providing a cloud-based SaaS solution. They serve 5000 external users. They have never conducted a penetration test. Their internal and external infrastructure is hosted in the cloud.
- It is necessary to conduct penetration testing of all web applications, mobile applications, and APIs.
- External infrastructure penetration testing will reveal which services are accessible to external users, check the correctness of their configuration, identify vulnerable versions of the software in use, and uncover other vulnerabilities.
Example 2. Financial service provider.
The client is a financial service provider processing cardholder data, requiring annual PCI DSS certification. Their infrastructure is a mix of cloud and on-premise. They have conducted infrastructure (external and internal) penetration tests, as well as web, mobile application, and API penetration tests, for the past three years.
- To obtain a deeper analysis of real attacker paths, conducting an adversary simulation and phishing attack in addition to the internal infrastructure penetration test is necessary. Segmentation testing is also required.
- All necessary external infrastructure and application penetration tests should be performed, supplemented with social engineering. This exercises internal users' cybersecurity awareness and identifies additional entry points for external attackers into the internal network.
Example 3. Food manufacturer.
The client is a food manufacturer. They have an IT department configuring internal network segments, setting security policies, and supporting over 300 users. The internal network infrastructure is on-premise. They have a promotional website.
- The company needs an internal infrastructure penetration test and adversary simulation.
- Penetration testing of the website is not mandatory if the website is hosted separately and there is no data flow from the external network to the internal infrastructure.
- During the second stage, it is recommended to conduct social engineering exercises to understand the paths and possibilities of external attackers penetrating the company’s internal network.
Example 4. Government registry.
The client is a government registry. They provide an external API for other government services or end users through a service portal. The infrastructure is on-premise. A contracted company handles the development of the API.
- It is necessary to conduct penetration testing of the API and service portal to ensure that no vulnerabilities are present.
- Penetration testing of both the internal infrastructure of the government registry and the contracted company is required to prevent the leakage of personal data in both organizations.
- External infrastructure vulnerability assessment of the government registry and the contracted company should be performed to identify other externally accessible services that attackers could use to gain entry into the internal network.
- Conduct a social engineering exercise for users in both organizations to prevent an attacker from infiltrating the internal network.
- An infrastructure security audit will help to identify vulnerabilities in both organizations’ networks, systems, and devices. It allows for proactively discovering weak points that attackers could potentially exploit.