Intrusion tests focus on the technical aspects of security measures. During the analysis of the test results, the associated risks and the possible causes of the identified vulnerabilities are determined, from both a technical perspective and the client's business perspective. The recommendations in the final report therefore address not only technical security aspects but also the management and development of the organization's other operational processes.
The primary goal of Intrusion Tests is to map vulnerabilities in electronic services. These vulnerabilities can directly or indirectly lead to:
- unauthorized access to systems and data
- unauthorized use of systems and data
- adverse effects on the availability of these services.
The secondary objective is to identify the causes that have led to the vulnerabilities. These are often attributable to:
- Causes in the applied technology, such as errors made during development and implementation, as well as errors inherent in the technologies applied within the infrastructure;
- Causes in management, such as incomplete management procedures or errors and/or deficiencies in the execution of those procedures;
- Causes in usage, due to non-compliance with guidelines regarding the use of security measures.
Intrusion Tests
To perform an Intrusion Test, the OSSTMM (Open Source Security Testing Methodology Manual) standard is followed together with a step-by-step plan. Following this standard ensures a minimal negative impact on the tested systems, an objective execution of the test and weighting of the results, and a report that includes clear and constructive recommendations.
It is also important to note that an Intrusion Test is an iterative process that includes, among other things:
- Passive tests, including:
  - Gathering information about reachable systems (via computer networks, telephone networks, or wireless networks), the network topologies in use, and the active (network) services on each system encountered;
  - Gathering information about the client and the techniques and resources the client uses, including targeted Google queries.
- Active tests, in which possible vulnerabilities in information and control systems and network services, including errors in procedures, design, or configuration, are exploited to confirm them.
During all tests, continuous analysis of the results takes place to determine the cumulative effect of the vulnerabilities encountered in terms of risks and potential causes. In addition, recommendations are formulated during the tests to eliminate or reduce the risks to an acceptable level.
The components described below are specifically aimed at testing a web application; for other kinds of applications, the individual aspects may be approached differently. MKB SECURITY B.V. uses OWASP as a guideline for conducting tests on web applications, which provides sufficient safeguards for the completeness of the test. An important part of the OWASP guideline is the OWASP Top 10, which lists the most critical vulnerability categories in web applications.
Reporting and Debriefing
Based on the results of the executed steps, a final report is prepared to document the findings. The findings are communicated in this written report and explained orally during a debriefing.
The report includes the following elements:
- Objectives, scope, and depth;
- Executive summary and key findings and recommendations;
- Detailed findings and recommendations of the tests;
- Analysis of possible causes of vulnerabilities found or not found.
To improve understanding of the vulnerabilities found and the recommendations made, it is beneficial to hold a debriefing with the designers and administrators. During this discussion the recommendations can be explained further, and it can be investigated to what extent the target systems and their administrators detected the steps performed during the test. This can lead to further recommendations for improving logging, alerting, and incident handling.