- Reconnaissance – Use of nmap and similar tools to identify systems, their purposes, services and their versions etc.
- Automated Testing – Use of automated testing tools to perform a huge range of tests on all the hosts within the scope and give a detailed overview of what vulnerabilities might be present in them.
- Manual Testing – Manual testing for multiple vulnerabilities based of results of the 1st and 2nd phases of the PenTest
- Exploitation and Verification – Exploitation of identified vulnerabilities using private or public exploits, to test how much access into the network infrastructure is possible without causing damage or disruption.
- Post-Exploitation – Use of various tools and scripts with/without exploits to gain further information about the system, so as to increase hold over the entire network. Example of this would be Domain-Wide brute forcing after exploiting Windows Null Session vulnerability. Or dropping meterpreter payloads to obtain hashes and other information after exploiting MS08-067 vulnerability. This is done on explicit request by the client.
Test will include
- Attempting to guess passwords using password cracking tools.
- Searching for back door traps in the programs.
- Attempting to overload the system using DDoS (Distributed Denial of Service) &DoS (Denial of Service) attacks.
- Checking if commonly known holes in the software, especially the browser and the e- mail software, exist.
- Checking the weakness of the infrastructure.
- Taking control of ports.
- Cause of application crash.
- Injecting malicious codes to application and database servers.
Results for Vulnerability Assessment and Penetration Test will include
- i) Network Security
- Password Security Testing
- Switch Security Assessment
- Router Security Assessment
- Firewall Security Assessment
- Intrusion Detection System (IDS) Security Assessment
- VPN Security Assessment
- Anti-Virus System Security Assessment and Management Strategy
- Storage Area Network (SAN) Security
- WLAN Security Assessment
- Wireless Network Security Testing
- Internet User Security
- Lotus Notes/ Any Other Mail Security
- ii) Host Security
- Unix /Linux System Security Assessment
- Windows System Security Assessment
- Web Server Security Assessment
- Other relevant/ mapped application Security Assessment
iii) Application Security
- Web Application Security Assessment
- Injecting malicious codes to application software.
- Searching back door traps in programs and application log files for malicious attempts to access, retrieve credentials, seek/change information.
- Functionality testing involves input validation and transaction testing.
- Authorization testing involves testing the systems responsible for the initiation and maintenance of user sessions.
- Checking weaknesses of software structure and cause of application crash
- Source Code Auditing (if any)
- Binary Auditing (if any)
- Application Security Evaluation Checklist
- iv) Database Security
- List of security vulnerabilities that could be used to defeat or bypass security controls, break into the database, compromise the system.
- Assessment of unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers, or by unauthorized users or hackers.
- Assessment of malware infections causing incidents such as unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems and the unanticipated failure of database services.
- Assessment of overloads, performance constraints and capacity issues resulting in the inability of authorized users to use databases as intended.
- Assessment of design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities, data loss/corruption, performance degradation etc.
- Assessment of data corruption and/or loss caused by the entry of invalid data or commands, mistakes in database or system administration processes, sabotage/criminal damage etc.
Additional Tests – Social Engineering
- Blind and double blind testing includes Non face-to-face and Face-to-face or advanced social engineering techniques.
- Assessing the ability of the bank’s people to contribute to or prevent unauthorized access to information and information systems
- Determine the level of security awareness among employees.
Additional Tests – Necessary Forensic Analysis
Identify and analyze of the intruders, any malicious malware, worm or any harmful system/object’s presence in the bank’s network, database, system and recovering of the damaged data/information and presenting facts and opinions about the whole digital system.
Report will include
· Detailed technical vulnerability findings · Risk rating for each vulnerability. · Supporting detailed exhibits for vulnerabilities when appropriate · Detailed technical remediation steps.
Step#2: In house awareness training on Information Security best practices
Training & updating the internal staff on industry best practices, security do & don’t. It will be 1 day x 8 hour training for IT guys, as well as non-technical staff from other departments who are equally responsible for maintaining security within the organization. Topic of training will vary from current security threats in the market, to hardening security in each dept.
Typical example – Phishing, finance frauds, role of HR in information security, vendor management, business continuity planning, incident handling & root cause analysis, patch management, capacity monitoring, physical security controls, anti virus, firewall, backup & restoration process, password policies, ransomware, remote working, BYOD, mobile security, data leakage prevention techniques, etc.