Why Penetration Testing is Necessary
As a part of an overall defence strategy, testing the defenses is a key thing. The tests are carried out using multiple techniques and consist of conducting:
- Vulnerability Assessment
- Penetration Testing
Penetration Testing is conducted to exploit the known and unknown (zero-day attacks) vulnerabilities/ loopholes in your digital ecosystem. The Penetration Testing exercise uses the inputs from Vulnerability Assessment and checks for feasibility of data leakage/ unauthorized access. There are various types of scenarios tested:
- Black Box: This is a ‘No knowledge’ test and exploit which tests for a classic outsider scenario
- Grey Box: This is a ‘Partial knowledge’ test and Partial access. ‘Can we do more?’ – is the target objective of this exercise. This tests for a scenario where the unauthorized actor has gained some information and is now trying to use and exploit that information
- Combo Tests: These are a mixture of Black box and Grey box, Social Engineering, Phishing, Testing SOC defenses, Testing Incident Response, Testing Perimeter defense, Testing Applications, Source Code Review
How we do this at Arrka? The Arrka approach is:
- Check for ‘breadcrumbs’ – these are bits of information scattered around the web and with people. So we use techniques of scavenging, dumpster diving, war dialing, brute force, social engineering, phishing to check for exploit areas. This is classic probing and testing of defenses.
- For all such exploits identified, we run tools and manual scripts to breach using the exploit. We have our own scripts and attack vectors as well as other tools.
- Generate report with recommendations for mitigation (including configuration changes)
We believe all tools if configured correctly for the mitigation of the risk, perform well. We focus on existing tool configuration first and bring this to an acceptable risk level. Our recommendations are a combination of techniques required for closure of the mitigation. We use multiple frameworks like OWASP, NIST, various cyber security regulatory guidelines and our own knowledge base for defining the attack vectors and scenarios. For further details, do contact us. Please note that for getting a complete risk posture, it is optimal to combine Vulnerability testing with Privacy testing