The world lives online; our identity, credit card information, passwords, photos, locations, buying habits, search history – everything. As an organization, every piece of propriety information, company financials, employee records, customer transactions and information gathered from website visitors is stored somewhere and is vulnerable to being hacked. Now, more than ever IT security should be the priority of organizations. One very important form of IT security is objective-based penetration testing.
To understand objective-based penetration testing we must first understand penetration testing. Penetration testing begins with defining the scope of systems to test; network infrastructure, servers, Point of Sale (POS) devices, etc. Next, an IT security consultant, or “ethical hacker”, will attempt to compromise each of the in-scope systems, and at the end of the assessment will provide a report outlining any findings contained within these systems which may lead to the compromise of sensitive information.
Alternatively, objective-based penetration testing begins with defining objectives; what information are we trying to protect? Typical objectives include: obtain access to high-security networks, access to sensitive information, or control over a target. From there an IT security consultant will develop a plan to reach the objective through any possible attack technique in order to locate the weakest link; physical, logical, or social.
- USB device drops: USB devices with malicious payloads, specially designed USB devices which are actually keyboards that run a sequence of key strokes to compromise the system they’re plugged into
- Devices planting: After obtaining access to the environment, planting a physical device which may enable additional attacks to be launched from a remote location.
- Tail gating: Walk into the office at a peak time behind an authorized employees
- Card cloning: Clone an authorized employee’s RFID badge at a public location (e.g., Starbucks, Subway, etc.)
- Infrastructure: Conventional attacks on exposed IT Infrastructure with a focus on identifying and exploiting software flaws, configuration, or weak credentials within the environment.
- Application: Testing of web and mobile components with a focus on obtaining access to or modify sensitive information or to build client-side attacks that can be used in other testing techniques (e.g., phishing).
- Wireless attacks: Targetted attacks on exposed wireless infrastructure and clients attempting to obtain access to the wireless network or an endpoint that does.
- Social engineering: Call from IT asking for passwords, job applications, fake deliveries,
- Phishing: E-mail campaigns with malicious links, asking for credentials, fake password resets, fake updates, etc.
Objective-based penetration testing approaches an objective from all angles to ensure that information remains secure. This type of testing more accurately simulates the attacks launched by a malicious party. At the end of the testing period, you will receive a report outlining the method used to obtain access, attack narratives to outline how a particular objective was obtained and a high-level assessment of your organizations overall security posture with recommendations to improve security.