Internal Penetration Testing

Last published posts

Mobile Application Testing: 10 Steps Approach
Posted on

Mobile application testing is crucial in order to create a reliable product. In this post, we’ll go over the entire testing process step-by-step. Testing is a crucial part of the mobile application lifecycle. However, due to all the time and effort, it takes to complete the full cycle of app testing, it gets overlooked by…
Read more…

Real Agile Approach to Performance Testing
Posted on

Performance testing helps to determine if a system is reliable and comfortable to use. In this post, we’ll explain the main principles of Agile performance testing as well as its benefits. Before launching an app or a website, it’s crucial for a developer and admin to know how the entire system behaves under stressful situations….
Read more…

THE MAIN ESSENCE OF DEVOPS
Posted on

In the development and delivery of software, the most important contribution of DevOps is the elimination of the time lag between project phases: development, testing, trial operation, and delivery of the product to the final consumer. The time2market indicator is one of the key indicators of the competitiveness of products and the success of companies…
Read more…

INTERNAL PENETRATION TESTING

Internal penetration testing is a method of evaluating the protection of the computer systems or networks of the customer by simulating the actions of the intruder who is trying to break in from the internal network of the organization. This intruder can potentially be an associate of the organization, a representative of the contractor, or customer.

The goal is to find system vulnerabilities that could appear as the result of faulty configuration, technical and programming errors, and operational faults in the processes and the technical control tools.

Problems it will solve

This process will minimize the risks related to the presence of system vulnerabilities that can allow an intruder to gain access to confidential, financial, or other unprotected information by searching for potential vulnerabilities and simulating an attack from the internal network of the organization.

Deliverables

The report on the internal penetration testing contains:

  • Information on the discovered vulnerabilities and their severity;
  • A list of vulnerabilities with a description of the problem and a method of its reproduction;
  • Recommendations for raising the current level of security of the information system;
  • Scripts developed in the testing process; and
  • Project results presentation (MS PowerPoint).

Example of the service

The modernization of the technological systems of an oil refinery caused the demand for confirming the adequate level of security functions. One of the main goals was to confirm a high safety level of the automated system of production.

During our security testing, we received access to the closed segment of the network through the work station of the operator, who had simultaneous connections to different segments. This allowed us to find the secure server with specialized software for process system management. After acquiring preferred rights, we were able to intercept the control signals. As a vulnerability demonstration, we wrote a script that allowed us to control the ventilation and cooling system screens. An attack on more critical systems was not conducted due to the high risk of destabilizing production.

Scope of Work

  • Information analysis of the system, its users, and their goals;
  • The conducting of a penetration test;
  • Analysis of the discovered vulnerabilities and their severity;
  • Writing of scripts, exploits, and practical uses with a record of application results; and
  • Preparation of the project results report and presentation.

Tools and licences

  • Nessus Vulnerability Scanner
  • Metasploit
  • MaxPatrol
  • RedCheck

Infrastructure

The customer arranges a work station in the organization’s local network with a set of privileges equivalent to those of the most probable intruder. The roles of users and operators, or roles with an expanded set of privileges, are typically chosen to act as potential intruders.

Penetration testing can be conducted both with or without notifying the internal services of the organization. A stealth attack mode can also help to uncover the reaction coordination between the internal services and the accuracy of conducting IS incident reaction procedures.