What is Penetration Testing?
Penetration testing is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and/or malicious insiders to identify attack vectors, vulnerabilities and control weaknesses. It involves a variety of manual techniques supported by automated tools: it seeks to exploit known vulnerabilities and relies on the expertise of the tester to identify specific weaknesses in an organisation’s security arrangements. Penetration testing is often confused with vulnerability assessment, which typically stops at identifying weaknesses rather than exploiting them.
Support and Guidance
CREST has produced a guide designed to enable organisations to prepare for penetration tests, conduct actual tests in a consistent, competent manner and follow up tests effectively. It provides practical advice on the establishment and management of a penetration testing programme, helping organisations to conduct effective, value-for-money penetration testing as part of a technical security assurance framework. You can download a copy here.
CREST Guide to Penetration Testing
CREST has also developed a suite of maturity assessment tools to help assess the status of a penetration testing programme on the industry standard scale of 1 (least effective) to 5 (most effective). You can read further advice and download a copy of the tool here:
CREST Penetration Testing Maturity Assessment
You will also find a selection of videos covering penetration testing on our YouTube Channel:
Life as a pentester | Interview with Rob McElvanney (Associate Director, Deloitte)
CREST spoke to Rob McElvanney (Associate Director, Deloitte) about how his career began, the key thing you need to have to work in penetration testing, and what organisations should look for in a PT provider.
CREST Penetration Testing Focus Group:
https://www.crest-approved.org/crest-penetration-testing-focus-group/index.html
Stay up to date with CREST:
https://www.crest-approved.org/
https://twitter.com/crestadvocate
https://www.linkedin.com/company/crest-approved/ -
What is it like running a pentest firm? | Interview with Roy Hills (Chairman, Intertek NTA)
We interviewed Roy Hills about his career trajectory from software engineer to running a pentest firm, the most important skills a pentester needs, and what organisations should look for in a PT provider.
Stay up to date with CREST:
https://www.crest-approved.org/
https://twitter.com/crestadvocate
https://www.linkedin.com/company/crest-approved/ -
Life as a pentester | Interview with Phil Lynch (Principal Security Consultant, Nettitude Group)
We interviewed Phil Lynch about his role as Principal Security Consultant, the most important skills a pentester needs, and why he joined the CREST PT Sub-Committee.
Stay up to date with CREST:
https://www.crest-approved.org/
https://twitter.com/crestadvocate
https://www.linkedin.com/company/crest-approved/ -
Bug Bounties: Working Towards a Fairer and Safer Marketplace
Bug Bounties – Working Towards a Fairer and Safer Marketplace
With rapid growth in the bug bounty marketplace, the CREST Bug Bounties Report explores good and bad practice to establish how to better understand bug bounty programmes and how they fit into the wider technical assurance framework. It also highlights the need to provide advice to buyers of bug bounty services and to protect their interests. Download the report at: https://www.crest-approved.org/wp-content/uploads/CREST-Bug-Bounties-2018.pdf -
Penetration Testing: Working with PenTesters: Interview with Nick Bleech, Travis Perkins at CRESTCon
This CREST video is suitable for self-directed CPD. -
Penetration Testing: Hacking an ISP’s home router from the web - Daniel Cater, Context
Daniel talks about how a remote attacker can compromise an ISP-provided router using web-based methods only - no screwdrivers or soldering irons required. Multiple vulnerabilities are chained together to compromise the router, leading to subsequent attacks - such as being able to connect to the customer’s Wi-Fi, hijack their DNS results, or read their sensitive files from an attached USB memory stick.
Daniel Cater is a Lead Security Consultant at Context Information Security. Previously a software developer for an investment bank, he now prefers trying to break things rather than make things. He holds the CREST Certified Tester for Web Applications certificate (CCT App) and enjoys hunting for bugs in web applications and web browsers, as well as doing research into big data, cloud security and consumer products.
This CREST video is suitable for self-directed CPD. -
Penetration testing: Third party web application vulnerabilities - Saurabh Harit, Spirent
Saurabh Harit, Spirent, talks about vulnerabilities that exist in third-party web apps at CRESTCon & IISP Congress.
This CREST video is suitable for self-directed CPD. -
Penetration Testing: CSRF is dead, long live CSRF! Daniel Tomescu, Associate Manager, KPMG Romania
Recently removed from the OWASP Top 10, Cross-Site Request Forgery (CSRF) vulnerabilities used to rule the world of web applications. Impressive in simplicity and effectiveness, CSRF was the plague that threatened to make multi-tab browsing extinct. However, after years of “vaccination” with CSRF tokens and other medication, CSRF is dead. A plague of the past. Right? Well, not really. A few mutations, some unimmunised hosts and a bit of imagination can result in the rebirth of CSRF into a deadly, ‘beautiful’ vulnerability. The presentation will cover common scenarios which can allow an attacker to: pivot from the internet to your internal network; jump from one browser to another; uncover your secret internet identities or unveil your darkest secrets. All the above scenarios may sound apocalyptic and science-fictional, but they can be reproduced because cross-site requests are still fair game. Long live CSRF!
This CREST video is suitable for self-directed CPD. -
Penetration testing: Understanding the role and benefits - Ian Borthwick & James Hayes
There is growing awareness of the information security threat landscape by organisations around the world, but the key challenge of how to stay up-to-date in order to mitigate the latest threats and exploits remains. Penetration testing provides a key route for enterprises to validate and improve information security programmes by bringing expert knowledge of cyber-attacks into the business in a controlled way. Already a requirement in the financial sector and within many other organisations, BCS, The Chartered Institute for IT, is working with CREST to address the needs of business and IT professionals in understanding the role and benefits of penetration testing, as well as identifying people, process and technology considerations, and common barriers to adoption.
This CREST video is suitable for self-directed CPD. -
SandGrox: Detecting and bypassing sandboxes - Matt Wixey, PwC:
It is a common sight for red teamers to see their carefully-prepared malware beacon back, only to find that it's actually been detonated by a sandbox. Not only does this result in a compromise of the campaign and potentially of the malware, if it ends up being analysed and signatured, but it also usually means the domains used for infection and C2 channels are subsequently blacklisted.
SandGrox is the result of several months of research by the PwC Threat and Vulnerability Management (TVM) team. It is a compilation of over a hundred checks for sandbox technologies - some already known and publicly available but still sometimes successful, and some new. Early testing indicates that SandGrox is able to distinguish bare-metal machines from sandboxes and virtualised environments with high rates of accuracy.
The emphasis of the SandGrox project is on detecting sandboxes, so that upon detecting a sandboxed environment, malware can immediately terminate and self-destruct, avoiding the problem of having domains and IP addresses blacklisted and reducing the risk of malware being reverse-engineered and signatured by antivirus engines. However, SandGrox also includes several techniques for bypassing sandboxed environments - again, some old and some new. Matt will present some of these techniques, lessons learned whilst doing the research, and outline some suggestions for future work in this area.
Matt is a penetration tester on the Threat and Vulnerability Management (TVM) team at PwC, and leads the team's research capability. Prior to joining PwC, he worked in law enforcement, leading a technical R&D team. His research interests include antivirus technologies, exploit development, and RF security.
This CREST video is suitable for self-directed CPD. -
Operation Cloud Hopper, Jason Smart & Allan Carchrie, PwC's Cyber Threat Detection & Response Team
Want to know how the private & public sector partners uncovered & disrupted one of the largest ever sustained global cyber espionage campaigns? Allan Carchrie & Jason Smart provide their personal accounts of responding to intrusions connected with APT10 and how critical an end-to-end response is when it comes to tackling Advanced Persistent Threats. They will walk through the necessary steps needed to defend your network, focusing on the key elements of detection, response and threat intelligence.
This CREST video is suitable for self-directed CPD. -
Hacking like a Nation State - Tom Bonner, Hewlett Packard Enterprise
Nation state threat actors are known to employ some of the more sophisticated tactics, techniques and procedures (TTPs) for the purpose of gaining and maintaining access to a target organisation, operating surreptitiously and ultimately performing exfiltration of sensitive data. This talk aims to elaborate on some of the more advanced and effective TTPs observed by HPE’s Digital Investigation Services team, and look at how these may be leveraged to enhance red team penetration testing.
This CREST video is suitable for self-directed CPD. -
JavaScript in espionage intrusions - Thomas Lancaster and Chris Doman, PwC:
At CRESTCon 2016: This talk focuses on a series of relatively unknown malware families used by attackers in 2015. Despite being used by a variety of different threat actors from different regions of the world, these malware families share two things in common: their use of JavaScript and their role in the theft of data for espionage purposes. Whilst the use of JavaScript in malicious redirects and occasionally in malware installation is well documented, there are very few examples of malware written entirely in JavaScript. But as we will discuss in our talk, there are many advantages to writing malware in JavaScript.
Thomas and Chris will explain how they came to identify each malware as being interesting in the first place; the themes of the campaigns run by the threat actors using the malware; the methods by which the attackers initialise the malware, methods by which the malware persists, and some cool tricks used to encode the malware; and the defence mechanisms that can be bypassed by using JavaScript based malware.
This CREST video is suitable for self-directed CPD. -
ZigBee Smart Homes – A hacker’s open house: Tobias Zillner, Cognosec
ZigBee is one of the most widespread communication standards used in the Internet of Things, and especially in the area of smart homes. If, for example, you have a smart light bulb at home, there is a very high chance that you are already using ZigBee yourself. Popular lighting applications such as Philips Hue or Osram Lightify, and also popular smart home systems such as SmartThings, are based on ZigBee. New IoT devices often have very limited processing and energy resources, and are therefore not capable of implementing well-known communication standards like Wi-Fi. ZigBee is an open, publicly available alternative that enables wireless communication for such limited devices.
ZigBee also provides security services for key establishment, key transport, frame protection and device management that are based on established cryptographic algorithms. So a ZigBee home automation network with security applied is secure, and the smart home communication is protected?
No, definitely not. This talk will provide an overview of the security measures actually applied in ZigBee, highlight the weaknesses they contain, and also show practical exploitation of vulnerabilities in real products.
This CREST video is suitable for self-directed CPD. -
Push to Hack: Alex Farrant, Context Information Security
Context has identified design flaws and software vulnerabilities in a next generation smart IP camera, which allow an attacker to control the camera remotely behind a NAT router, steal passwords and keys, gain a foothold on your network and redirect the alerts and video to them, all from the click of a link. This particular cloud security device has been demonstrated to be a hidden security risk on a private network and Context believe the vulnerable code is present on other brands of smart IP cameras also.
This CREST video is suitable for self-directed CPD. -
Interview with Justin Clarke, Gotham Digital Security, CRESTCon & IISP Congress
-
An interview with Chris Doman & Thomas Lancaster, PwC at CRESTCon & IISP Congress
-
CRESTCon 2015: James Chappell, Digital Shadows: Threat Intelligence – Marketing Hype or Innovation
James Chappell, CTO, Digital Shadows: Threat Intelligence – Marketing Hype or Innovation
Cyber Threat Intelligence has become an increasingly prevalent term in the information security (cyber) industry, with vendors of all shapes and sizes using this buzzword to justify to their customers that this is the right thing to be focusing on. Of course, in talking to a vendor, they’ll say this is a buy-once-solve-everything type purchase. There is a diverse range of technical, analytical and public information products that seem to carry information about ‘bad people doing things’.
At the same time, attackers, fraudsters and criminals are innovating their capabilities at an increasing pace. Traditional anti-fraud or security is a zero-sum game, with the best situation being that no incidents occur; this is already a losing battle. So if we need this new set of capabilities, how should an organisation go about procuring the right thing, and how much of it is actually useful? And how would an organisation decide when they’ve done ‘enough’ of it to be meaningful?
James has over twelve years’ experience of technical information security acting as an advisor to large private sector and government organisations. Much of his work has involved counteracting the growth of crime and fraud in computer networks and developing effective ways of measuring and managing the information security big picture. -
CRESTCon 2015: Dave Hartley, MWR: Fracking with Hybrid Mobile Applications
Dave Hartley, Managing Security Consultant, MWR: Fracking with Hybrid Mobile Applications
The talk provides information on how hybrid applications work (under the hood) on common mobile platforms (e.g. Android, iOS, Windows Phone and Blackberry), presents an overview of the attack surface, highlights weaknesses in commonly deployed defences and discusses how attackers can compromise hybrid applications.
Hybrid mobile applications combine the features of web applications and “native” mobile applications using cross platform languages such as HTML and JavaScript. Hybrid applications are usually developed using application frameworks such as PhoneGap. The frameworks and/or development approach provides an embedded web browser (WebView) that executes the application’s web code (HTML/JavaScript) and provides a “bridge” that allows the web code to access local resources on the device. There are a number of pros and cons to this approach, from both a technical and business perspective. There are a number of security considerations for developers, testers and the business to fully understand before the approach can be utilised and/or the applications assessed.
Dave Hartley is a Principal Security Consultant for MWR InfoSecurity. He is a CHECK and CREST Certified Consultant (Application and Infrastructure) and has been working in the IT industry since 1998. His experience includes a range of IT security fields and disciplines. Dave is also a published author (SQL Injection Attacks and Defenses, 1st & 2nd editions), a Metasploit framework contributor, and has presented research at several internationally respected security conferences such as 44CON, BSides, CRESTCon, Sec-T, ZACon, DeepSec, T2 etc. -
CRESTCon 2015: Steve Elliott, Application Developer, Context: RDP-Replay – The story Behind the Tool
Steve Elliott, Application Developer, Context: RDP-Replay – The story Behind the Tool
It started with a simple question from one of our network intrusion analysts: “I have a PCAP of RDP. Steve, what can you get out of it?” This talk will explain where this question led, including the discovery of a mature APT (Advanced Persistent Threat). This in turn led to detection of other compromised computers in the enterprise, the discovery and processing of the C2 (Command and Control), through to eventual remediation. This presentation will look at RDP as a protocol, its variants, how to process it, what is involved in dealing with the encryption, and show what is in the encrypted data. The presentation will also take a look at some of the tools and techniques used by the threat actor, how they work, and the processing of their comms.
Although Steve graduated as a mathematician, he has been involved in programming and networks all his career. He was a pen tester in CESG when the initial CHECK scheme was set up, but foolishly left without passing the assault course he helped to organise! For the last 3 years he has been at Context, working on bespoke data processing, binary and network analysis, and threat detection. -
Intelligence led Penetration Testing: Cam Buchanan & Adrian Nish, BAE Applied Intelligence
Cam Buchanan, Principal Consultant & Adrian Nish, Head of Cyber Threat Intelligence, BAE Applied Intelligence: Intelligence led Penetration Testing - applying attack tradecraft and tools
As cyber-attacks have become more sophisticated and prevalent, it is key that penetration testing evolves accordingly to continue to add value to the organisations that use it as a key security control. Utilising threat intelligence and OSINT as the scoping tools to make a penetration test bespoke, relevant and realistic to our clients is something that BAE Systems is currently focusing on. Part of our approach involves collecting, repurposing and mimicking real attack toolkits and techniques attributed to threat actors, which we have gathered through our threat intelligence and incident response work.
The focus of this presentation is how to use both general threat intelligence and recovered attack toolkits to define and deliver this type of highly focussed testing. It will use references to examples of tool repositories we have access to, malware we have reverse engineered and tools we have written to replicate real attacks.
The audience should leave the presentation with an understanding of the process of turning a threat intelligence report into a set of actionable tests that emulate the behaviour of distinct attack groups and tools, and how they might apply this to future STAR and intelligence led penetration testing assignments.
Cam Buchanan is a penetration tester from BAE Systems with three years of experience in ethical hacking. His book “Kali Linux CTF Blueprints” was recently published and he is currently working on his second. His experience stretches across all sectors and he specialises in the scoping and delivery of Mobile, Red Team and Web Application penetration tests.
Adrian Nish is an Associate Fellow at RUSI and subject matter expert on cyber security. With experience both in investigating the technical components of attacks, as well as their socio-political drivers, Adrian regularly advises both businesses and governments on cyber issues. Adrian is the Cyber Threat Intelligence team lead at BAE Systems and holds a PhD in Physics from the University of Oxford.
This CREST video is suitable for self-directed CPD. -
A day in the life of Daniel Reece, Intern, Nettitude
Daniel talks about his internship at Nettitude -
A day in the life of Adrian Winckles, OWASP & Anglia Ruskin University
Adrian Winckles, OWASP & Anglia Ruskin University talks about OWASP, InfoSec courses available - such as digital forensics - and provides advice to people who want to join the industry -
Matthew Gough, CHECK Team Leader, Nettitude talks about his role
A day in the working life of Matthew Gough, CHECK Team Leader, Nettitude. Matthew talks about his role and provides advice for people who would like to progress in the industry -
A day in the life of Thomas Bartlett & Ben Jamieson, penetration testers at HP
Thomas and Ben, penetration testers at HP talk about the best and worst of the job and provide advice for people who want to enter the industry. -
A day in the life of Andy Hornegold, Security Consultant at Context Information Security
Andy Hornegold, Security Consultant at Context Information Security talks about a typical working day and gives advice for anyone who wants to get into the technical security industry -
Alex Chapman, Senior Assurance Consultant and Researcher at Context talks about his working life
A day in the life of Alex Chapman, Senior Assurance Consultant and Researcher at Context Information Security. Alex covers a typical working day, the best parts of his jobs and how to get into the industry -
Paul Pratley, Verizon talks about his presentation at CRESTCon & IISP Congress 2014
Paul Pratley, Verizon, talks about his presentation at CRESTCon & IISP Congress - The world of cyber crime and espionage -
Fuzzing the easy way, using Zulu - Andy Davis, NCC Group
Andy Davis, NCC Group, talks about his presentation at CRESTCon & IISP Congress: Fuzzing the easy way, using Zulu -
Cyber security careers: A day in the life of Tim Varkalis, penetration tester at PWC
Tim Varkalis, penetration tester at PWC talks about a day in his working life and provides advice for getting into the industry -
Robin Fewster, Selex ES, talks about his presentation at CRESTCon & IISP Congress
Robin Fewster, Selex ES, talks about his presentation - A 360 degree view on penetration testing - at CRESTCon & IISP Congress 2014 -
Rowland Johnson, CEO, Nettitude talks about careers in the information security industry
Rowland Johnson, CEO, Nettitude talks about his typical working day and gives advice to people who want a career in the information security industry -
Information Security career advice from Ian Whiting, CEO, Titania
Ian Whiting, CEO, Titania talks about a typical day in his working life and gives his advice on a career in Information Security -
Simon Clow, Context: Exploiting hardware management subsystems
Simon Clow, Context Information Security talks about his presentation at CRESTCon & IISP Congress 2014: Exploiting hardware management subsystems (aka "iLO iLO, it's off to work we go!") -
Adrian Davis, ISC2, talks about the evolution of threats
Adrian Davis, ISC2, talks about his presentation at CRESTCon & IISP Congress 2014: What does tomorrow look like? The evolution of threats. -
A day in the life of Daniel Cannon, security consultant at IRM
Daniel Cannon, security consultant talks about his role at IRM, working as a team and what a typical day at work is like. -
Dylan Botha, technical consultant at IRM talks about his job and how he got into the industry
Dylan Botha, technical consultant at IRM talks about how and why he got into the technical security industry -
CRESTCon 2013 - Andy at MWR talks about being a penetration tester
Andy describes what it's like to be a pen tester -
A day in the life of a penetration tester - Chris Oakley, Nettitude
Chris from Nettitude tells us how he became a pentester, discusses the highs and lows of the job and gives his advice to people thinking of getting into the industry -
Sarah, SensePost, talks about ethical hacking and what her day involves
Sarah from SensePost explains how she got started in ethical hacking -
Rodrigo, SecForce talks about getting into penetration testing
Rodrigo from SecForce tells us how he became a pen tester and what drew him to the industry -
Owen Wright, Context, talks about life as a penetration tester
Owen from Context explains how he got into the information security industry and what a day in his working life is like -
Jonathan Bush, PwC, talks at CRESTCon 2013 about how he got into penetration testing
Jonathan from PwC gives us his account of how he got into pentesting -
Building capacity to meet today's cyber threats: Chris Ensor, NCSC
Chris Ensor, NCSC talks about his presentation at CRESTCon & IISP Congress 2013 - 'Building capacity to meet today's cyberthreat' -
Kevin O'Reilly, Context - A cloud of bugs
Kevin O'Reilly from Context talks about his presentation at CRESTCon & IISP Congress that covered some of the more interesting security bugs that have been found in the Cloud and the new techniques that have to be used to perform these types of assessments. -
Jason Creasey, Jerakano - Penetration Testing, Procurement
Jason Creasey talks about the CREST guide to the procurement of penetration testing services -
Rodrigo Marcos, SecForce
-
Jim Hardesty HP
-
Dave Hartley, MWR InfoSecurity
"SAP Slapping -- a pentesters' guide" - Dave considers what makes SAP systems vulnerable to attacks and how to best protect exposed areas. -
Matt Bartoldous, Gotham Digital Science
"Are Agile and Secure Development Mutually Exclusive?" - Agile development methodologies are being increasingly adopted by organisations that believe they can bring more speed and flexibility to teams when delivering projects. But if not performed correctly, Agile methods can come across as a mask for: 'do it as fast as you can with a vague plan and little documentation'. Matt looks into the fundamental concepts of Agile security practices and Agile project management and asks whether these concepts can be applied to the information security world.