Domain 5 · 5.5 Audits & Assessments

5.5.3 Penetration Testing

Physical, offensive, defensive, integrated.

17 min

Penetration testing is a simulated cyberattack against a computer system to identify exploitable vulnerabilities and evaluate security posture.

Penetration Testing Methodologies - Offensive Security: The proactive use of hacking techniques to uncover weaknesses. It is a "Red Team" approach focusing on breaking through defenses. - Defensive Security: The "Blue Team" approach, focusing on asset protection, detection, and incident response during an exercise. - Integrated/Purple Team: A collaborative framework where offensive and defensive teams share real-time data to improve overall security maturity. - Rules of Engagement (RoE): Formal documents defining the timeline, scope, and permissible actions to prevent business disruption.

Physical Penetration Testing - Physical Controls: Testing the efficacy of barriers like fences, bollards, and locked gates. - Location-Based Security: Exploiting or testing the Somewhere You Are attribute. This involves verifying if a system restricts access to a specific physical room or a logical location (e.g., a specific subnet or workstation). - Physical Bypasses: Using techniques to bypass guards, cameras, and badge readers. Examples include tailgating (following someone into a secure area) or using social engineering to gain physical entry.

Social Engineering and OSINT - Open Source Intelligence (OSINT): Using public tools and Artificial Intelligence to gather data on a target before an attack. - Principles of Influence: Leveraging urgency, authority, or social proof to trick employees. - Attacks: Testing staff against phishing, vishing, or physical credential harvesting.

Specialized Environments - Cloud Testing: Assessing Cloud Architecture Models (IaaS, PaaS, SaaS). Tests focus on unique cloud security solutions, misconfigured storage buckets, and identity management. - Embedded & ICS: Testing specialized hardware, such as SCADA/ICS systems, where traditional scanning might crash the service. - Machine Learning: Evaluating Adversarial AI where attackers attempt to poison training data or bypass ML-based detection logic.

Assessment Comparison - Vulnerability Scanning: A passive or non-intrusive search for known weaknesses (e.g., missing patches). - Penetration Testing: An active, intrusive attempt to exploit vulnerabilities to determine the depth of potential impact. - Threat Hunting: A proactive, hypothesis-driven search through logs and data to find existing threats that bypassed initial security controls.

Quick recall - Red Team: Offensive; mimics the adversary. - Blue Team: Defensive; protects and responds. - Purple Team: Knowledge sharing between Red and Blue. - Somewhere You Are: Location factor (physical room or logical IP/subnet). - Something You Know: Knowledge factor (passwords/PINs). - Something You Have: Possession factor (smart cards/hardware tokens). - Bollards: Physical posts used to prevent vehicle ramming.