RFP for Internal, External Network and Wireless Penetration Testing

gayatri r
7 min read · Aug 11, 2024


1. Understanding the Scope and Objectives

Define the Scope: Identify the specific internal network segments, systems and devices that are within the scope of the penetration test: servers, workstations, databases, VPN gateways, routers, switches, firewalls, IDS/IPS, anti-virus, DLP, load balancers and other critical infrastructure.

Establish Objectives: Determine the goals of the penetration test, such as identifying vulnerabilities, assessing the effectiveness of security controls, and testing incident response procedures.

Goal: Verify the security setup and configuration of the organization's internal and external IT infrastructure, including the associated networks and systems, with a view to ensuring the confidentiality, integrity, availability (CIA) and authenticity of data and information systems.

2. Pre-Engagement Activities

Gather Information: Collect relevant information about the internal network, including network diagrams, IP ranges, domain names, and the types of systems and applications in use.

Legal and Compliance Considerations: Ensure that all activities comply with legal and regulatory requirements and obtain necessary permissions from the organization.

3. Reconnaissance

Passive Information Gathering: Use publicly available information to gather details about the organization’s internal network, such as employee names, email addresses, and technology used.

Active Information Gathering: Perform network scanning and enumeration to identify live hosts, open ports, and services running on the internal network.

4. Vulnerability Analysis

4.1 Network discovery

Network discovery is a critical aspect of network security and management. It involves the use of various methods to identify active hosts within a network, assess vulnerabilities, and understand its operational dynamics. Both passive and active techniques are employed for device identification.

Passive techniques involve using a network sniffer to analyze network traffic, recording IP addresses of active hosts, identifying in-use ports, and discovering operating systems. This method provides insights into host relationships, communication patterns, and traffic types without deploying probing packets. However, it can be time-consuming and may miss hosts not engaging in traffic during monitoring.

Active techniques, on the other hand, involve sending network packets to solicit responses from hosts, such as ICMP pings. OS fingerprinting and port scanning are common methods used to identify hosts, their operating systems, ports, and port states. These techniques are widely used for penetration testing, topology mapping, firewall and IDS configuration assessment, and vulnerability discovery.

Network discovery tools can use various scanning methods, and assessors must consider the ability of firewalls and intrusion detection systems to detect scans, especially those using suspicious packets. Scans should be conducted stealthily to avoid detection, considering factors like scan speed and source IP variety. Caution should be exercised when scanning older systems to prevent potential system failures.

Network discovery may also reveal rogue devices on a network, including unauthorized operating systems. Identification of a wired rogue device involves locating it through network maps, analyzing network activity, identifying the connected switch, and physically tracing the cable to the device. Various tools, offering GUIs and command-line interfaces, are available for network discovery, each with its own advantages.

Both passive and active discovery methods have their own advantages and limitations. Active discovery allows assessments from different networks and requires less time for information gathering, while passive discovery may be time-consuming, especially in larger enterprise networks.

It’s important to note that the information received from both passive and active discovery methods is seldom completely accurate.
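The passive inventory and the scan-detection point made above, as an added example that is not part of the original article: the connection records are constructed, the `Conn` field names are assumptions standing in for what a sniffer or flow exporter would produce, and the detection rule (distinct ports per source/destination pair inside a time window) is one generic heuristic, not any particular product's logic. It shows both limitations the text names: a silent host never appears in the passive inventory, and a sweep slowed below the per-window threshold is not flagged.

```python
"""Passive host inventory and port-scan detection over constructed connection records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One observed connection attempt (field names are assumptions for this example)."""
    ts: float    # seconds since the start of the capture window
    src: str
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"


# Constructed sample traffic: ordinary client/server chatter plus one source
# (10.0.1.99) touching 40 ports on a single host within half a second.
SAMPLE = [
    Conn(0.0, "10.0.1.10", "10.0.2.5", 443, "tcp"),
    Conn(0.5, "10.0.1.11", "10.0.2.5", 443, "tcp"),
    Conn(1.0, "10.0.1.10", "10.0.2.6", 53, "udp"),
    Conn(1.5, "10.0.1.12", "10.0.2.7", 22, "tcp"),
    Conn(2.0, "10.0.1.11", "10.0.2.6", 53, "udp"),
] + [Conn(3.0 + i * 0.01, "10.0.1.99", "10.0.2.5", 1 + i, "tcp") for i in range(40)]

# Constructed slow sweep: 40 ports on one host, but only one per second.
SLOW = [Conn(float(i), "10.0.1.98", "10.0.2.5", 1000 + i, "tcp") for i in range(40)]


def passive_inventory(conns):
    """Return (hosts_seen, ports_contacted) from observed traffic alone.

    hosts_seen is every address that appeared as source or destination;
    ports_contacted maps each destination to the (proto, port) pairs sent
    to it. Nothing is probed, so a host that stayed silent during the
    window is simply absent, which is the limitation the text points out.
    """
    hosts_seen = set()
    ports_contacted = defaultdict(set)
    for c in conns:
        hosts_seen.update((c.src, c.dst))
        ports_contacted[c.dst].add((c.proto, c.dport))
    return hosts_seen, dict(ports_contacted)


def detect_port_scans(conns, window=10.0, threshold=20):
    """Flag (src, dst, peak_ports) where one source touched at least
    `threshold` distinct ports on one host inside any `window` seconds.

    This is the shape of rule a firewall or IDS uses to spot a vertical
    scan; a sweep paced to stay under the threshold per window is not
    flagged, which is why scan speed matters to the assessor.
    """
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append((c.ts, c.dport))

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({port for _, port in events[start:end + 1]}))
        if peak >= threshold:
            alerts.append((src, dst, peak))
    return alerts


if __name__ == "__main__":
    hosts, ports = passive_inventory(SAMPLE)
    print(f"{len(hosts)} hosts seen; 10.0.2.5 contacted on {sorted(ports['10.0.2.5'])[:3]} ...")
    print("fast sweep:", detect_port_scans(SAMPLE))
    print("slow sweep, 10 s window:", detect_port_scans(SLOW))
    print("slow sweep, 60 s window:", detect_port_scans(SLOW, window=60.0))
```

Widening the window or lowering the threshold catches the slow sweep at the cost of more false positives from busy legitimate clients, which is the tuning trade-off an assessor tests when evaluating the target's IDS configuration.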

4.2 Internal Network Penetration Testing Services

The Supplier shall provide network penetration testing Services including but not limited to the following:

  • Provide penetration testing from both inside and outside of Customer’s network
  • Identify targets and map attack vectors (i.e., threat modelling)
  • Internet Protocol (“IP”) address mapping of network devices
  • Logical location mapping of network devices
  • Transmission Control Protocol (“TCP”) scanning, connect scan, SYN scan, RST scan, User Datagram Protocol (“UDP”) scan, Operating System (“OS”) fingerprinting (OS fingerprinting is the combination of passive research and active scanning tools to generate an accurate network map)
  • Banner grabbing
  • Brute force attacks
  • Network sniffing
  • Spoofing
  • Initiating a Distributed Denial of Service (DDoS) attack upon request

4.3 External Network Penetration Testing Services

  • Objectives of the external penetration testing engagement.
  • Scope of the testing, including specific systems, networks, and network devices to be included.
  • Detailed requirements for the testing methodology and tools to be used.
  • Expected deliverables, such as a comprehensive report detailing vulnerabilities and recommended remediation actions.
  • Qualifications and experience required for the external penetration testing team.
  • Timeline and milestones for the testing process.
  • Compliance requirements, such as adherence to industry standards or regulatory frameworks.
  • Evaluation criteria for selecting the external penetration testing provider.
  • Legal and confidentiality considerations, including data protection and nondisclosure agreements.
  • Budget and cost considerations for the external penetration testing engagement.

5. Grey Box Testing

  • The grey box methodology is pertinent to internal network penetration testing, involving a controlled level of information disclosure to simulate insider knowledge, enabling a comprehensive evaluation of security measures within the network.
  • Information Sharing: Obtain limited information about the internal network, such as network diagrams, system configurations, and security controls, to simulate an insider threat scenario.
  • Simulated Insider Threat Attack: Emulate the actions of an insider with legitimate access to the network to assess the effectiveness of internal controls and identify potential vulnerabilities that could be exploited by insiders.
  • Privilege Escalation: Attempt to escalate privileges within the network to assess the effectiveness of access control mechanisms and boundary protections.

6. Black Box Testing

  • Limited Information: Conduct testing with minimal knowledge about the internal network infrastructure, simulating an external attacker’s perspective.
  • Comprehensive Network Discovery: Identify and map all active devices within the internal network.
  • Vulnerability Analysis: Conduct automated and manual assessments to identify potential weaknesses.
  • Exploitation Testing: Assess the impact of exploiting identified vulnerabilities.
  • Post-Exploitation Assessment: Evaluate lateral movement capabilities and internal segmentation effectiveness.
  • Systematic Enumeration: Enumerate services and applications running on discovered devices.
  • Stealth Testing: Mimic real-world attack scenarios without disrupting critical business operations.
  • Network Resilience Evaluation: Determine the network’s ability to withstand and recover from attacks.
  • Zero Knowledge Approach: Perform testing without prior knowledge of internal network details.
  • Threat Simulation: Emulate various threat scenarios to assess network defenses comprehensively.
  • Reporting: Provide a detailed report with actionable recommendations to enhance network security.

7. Wireless Penetration Testing

  • Identification of non-encrypted rogue Access Points (AP) with internet tethering and Address Resolution Protocol (ARP) route poisoning for man-in-the-middle attacks.
  • Implementation of externally facing webmail/ActiveSync Secure Sockets Layer (SSL) stripping to the client side.
  • Conducting external radio signal propagation mapping to assess the coverage and strength of wireless signals.
  • Analysis of internal radio signal propagation to understand wireless signal distribution within the organization.
  • Penetration testing of wireless Access Points to evaluate their security posture.
  • Assessment of wireless client devices for potential vulnerabilities and security weaknesses.
  • Execution of wireless sniffing to intercept and analyze wireless network traffic.
  • Examination of wireless network separation mechanisms to identify any potential security gaps.

8. Exploitation

  • Vulnerability Exploitation: Actively exploit identified vulnerabilities to assess their real-world impact.
  • Privilege Escalation: Evaluate the potential for unauthorized escalation of user privileges within the network.
  • Lateral Movement Testing: Assess the ability to move horizontally within the internal network infrastructure.
  • Post-Exploitation Assessment: Examine the aftermath of successful exploitation to understand the extent of compromise.
  • Pivoting Evaluation: Test the effectiveness of pivoting techniques to access additional network resources.
  • Persistence Assessment: Evaluate the ability to maintain unauthorized access over an extended period.
  • Security Control Bypass: Attempt to bypass existing security controls to identify weaknesses.
  • Data Exfiltration Testing: Assess the risk of unauthorized data removal from the network.
  • Incident Response Simulation: Simulate a breach scenario to evaluate the organization’s incident response capabilities.

9. Reporting

  • Executive Summary: Provide a concise overview of key findings and recommendations for leadership.
  • Vulnerability Prioritization: Clearly rank vulnerabilities based on severity and potential impact.
  • Technical Details: Include in-depth technical information on identified vulnerabilities and exploits.
  • Mitigation Strategies: Offer practical and actionable recommendations for addressing vulnerabilities.
  • Comprehensive Risk Assessment: Present a detailed analysis of the overall risk posture of the network.
  • Remediation Roadmap: Outline a step-by-step plan for addressing identified security gaps.
  • Evidence and Proof-of-Concept: Include evidence of successful exploits and proofs-of-concept for clarity.
  • Policy and Compliance Alignment: Ensure that recommendations align with industry standards and compliance requirements.
  • Continuous Improvement Suggestions: Provide insights for ongoing security enhancements beyond immediate fixes.
  • Post-Assessment Consultation: Offer a session to discuss the report, address questions, and provide additional guidance.

10. Remediation and Follow-Up

  • Prioritizing Remediation: Work with the organization to prioritize and address identified vulnerabilities and weaknesses.
  • Patch Management Plan: Develop a comprehensive strategy for timely and effective patching of systems.
  • Security Control Enhancement: Strengthen existing security controls to mitigate future risks.
  • Employee Training: Provide targeted cybersecurity training for staff to enhance awareness.
  • Incident Response Improvement: Enhance incident response procedures based on assessment findings.
  • Network Segmentation Refinement: Optimize network segmentation to limit lateral movement opportunities.
  • Follow-Up Testing: Conduct follow-up testing to validate the effectiveness of remediation efforts and ensure that identified vulnerabilities have been adequately addressed.

11. Standards Adherence in Network Penetration Testing: Key Principles

Compliance with Industry Standards: Ensure adherence to recognized industry standards such as ISO 27001 or NIST.

Legal and Ethical Guidelines: Conduct testing within legal and ethical boundaries, respecting applicable laws and regulations.

Confidentiality Assurance: Implement measures to protect sensitive information obtained during the testing process.

Scope Definition: Clearly define the scope of testing to align with organizational requirements and objectives.

Authorized Access Only: Ensure that testing activities are performed only on systems and networks covered by the agreement.
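Section 1 (Define the Scope) and this principle both require that testing touch only what the agreement covers. As an added example that is not from the article, the following check enforces that mechanically before a target list reaches a scanner, using only the Python standard library; the CIDR ranges, the exclusion list and the sample targets are constructed values, and a real engagement would load them from the signed scope document.

```python
"""Rules-of-engagement scope check with the standard-library ipaddress module."""
import ipaddress

# Constructed sample authorization: what the agreement permits and carves out.
# A real engagement loads these from the signed scope document.
IN_SCOPE = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.0.2.0/24")]
EXCLUDED = [ipaddress.ip_network(n) for n in ("10.10.5.0/24", "192.0.2.250/32")]


def _same_version(nets, version):
    # subnet_of() refuses to compare IPv4 with IPv6, so filter by version first.
    return [n for n in nets if n.version == version]


def authorized_networks(target):
    """Return the networks within `target` that may actually be tested.

    Empty if `target` is not wholly inside an authorized range (a block that
    straddles the boundary is rejected rather than partially tested);
    otherwise the target with every excluded range subtracted, so a /24
    with one excluded host comes back as the other 255 addresses.
    """
    net = ipaddress.ip_network(target, strict=False)
    if not any(net.subnet_of(a) for a in _same_version(IN_SCOPE, net.version)):
        return []
    remaining = [net]
    for ex in _same_version(EXCLUDED, net.version):
        kept = []
        for piece in remaining:
            if piece.subnet_of(ex):
                continue                                # wholly carved out
            if ex.subnet_of(piece):
                kept.extend(piece.address_exclude(ex))  # punch the hole out
            else:
                kept.append(piece)                      # disjoint, keep as is
        remaining = kept
    return sorted(remaining)


def is_authorized(address):
    """True if a single address is covered by the authorization."""
    return bool(authorized_networks(address))


def partition_targets(targets):
    """Split a tester's target list into what may be touched and what may not."""
    allowed, refused = [], []
    for t in targets:
        (allowed if authorized_networks(t) else refused).append(t)
    return allowed, refused


if __name__ == "__main__":
    # Constructed target list of the kind a tester might load into a scanner.
    ok, no = partition_targets(["10.10.3.7", "10.10.5.20", "192.0.2.250", "203.0.113.9"])
    print("authorized:", ok)
    print("refused:", no)
    for n in authorized_networks("192.0.2.0/24"):
        print("  may test", n)
```

Running the check as a gate in front of every scanning or exploitation step, and logging what it refused, gives both parties an audit trail that nothing outside the agreement was touched.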

Documentation and Reporting Standards: Follow established guidelines for documenting and reporting test findings.

Client Communication Protocol: Establish a secure and confidential communication protocol for sharing sensitive information.

Consent and Notification: Obtain appropriate consent and notify relevant parties before conducting penetration tests.

Data Handling Practices: Adhere to secure data handling practices to prevent unauthorized access or disclosure.

Post-Testing Cleanup: Conduct thorough post-testing cleanup to remove any traces of the testing activity from systems and networks.
