Stages of Penetration Testing According to PTES

What is PTES?

The Penetration Testing Execution Standard, or PTES, is a standard that was developed and continues to be enhanced by a group of information security experts from various industries. PTES provides a minimum baseline for what is required of a penetration test, expanding from initial communication between client and tester to what a report includes.

The goal of PTES is to provide quality guidance that helps raise the bar of quality for penetration testing. The standardization of penetration testing procedures helps organizations better understand the services they are paying for and gives penetration testers accurate direction on what to do during a penetration test.

The 7 Stages of PTES

The standard is organized in sections that define what should be included in a quality penetration test. PTES defines penetration testing in seven phases:

  1. Pre-Engagement Interactions: Penetration testers will prepare and gather the required tools, OS, and software to begin the penetration test. The required tools vary depending on type and scope of engagement but will be defined by a quality penetration tester at the start of any penetration test.
  2. Intelligence Gathering: The organization being tested will provide the penetration tester with general information about in-scope targets, and the tester will gather additional details from publicly accessible sources. This step is especially valuable in network penetration testing.
  3. Threat Modeling: Threat modeling is a process for prioritizing where remediation strategies should be applied to keep a system secure. PTES focuses on business assets, business process, threat communities, and their capabilities as key elements of threat modeling.
  4. Vulnerability Analysis: Penetration testers are expected to identify, validate, and evaluate the security risks posed by vulnerabilities. This analysis aims to find flaws in an organization’s systems that could be abused by a malicious individual.
  5. Exploitation: This phase of a penetration test involves exploiting the identified vulnerabilities in an attempt to breach an organization’s systems and their security. With a thorough vulnerability analysis completed, the next step is to test the weak entry points into the organization that it identified.
  6. Post-Exploitation: After the testing is complete, the penetration tester must consider the value of the compromised machine and its usefulness in further compromising the network.
  7. Reporting: An executive-level and technical-level report will be delivered covering what was tested, how it was tested, what vulnerabilities were found, and how the penetration tester found those weaknesses. The report should provide your organization with helpful guidance on how to improve your information security practices.

The main segments of PTES provide a detailed dive into the purpose and expectations of penetration testing. For many organizations, the ins and outs of penetration testing are confusing. Because of standards such as PTES, you can get a better idea of what to expect when a penetration tester hunts for your organization’s vulnerabilities.

PTES influences the penetration testing methodology of many auditing firms across the industry. It’s through these standards that information security experts can develop a well-working, quality system that detects your greatest vulnerabilities and reports on ways to improve your information security processes.

At KirkpatrickPrice, we understand that keeping your data secure is important to your organization. That’s why our expert team of penetration testers work hard to stay up to date on industry standards, so you can focus on increasing the security of your organization. Contact us for more information on our quality penetration testing.

Preparing for CCPA: 4 Data Privacy Best Practices to Follow

The California Consumer Privacy Act has been regarded as the United States’ strictest data privacy law of our time, and yet, many organizations still don’t know where to start with their compliance efforts. Does the law even apply to them? How can they ensure compliance? What are the steps they need to take? While no one journey toward CCPA compliance is the same, we’ve rounded up four data privacy best practices that you can follow to help with your CCPA compliance efforts. Let’s take a look at what those are.

4 Data Privacy Best Practices to Help with CCPA Compliance

Between GDPR, PIPEDA, CCPA, and the plethora of other data privacy laws going into effect, there are a few data privacy best practices that organizations can follow. When it comes to preparing for CCPA, we suggest following these four best practices:

1. Create an internal privacy framework

An effective internal privacy framework is the foundation of your organization’s data privacy compliance efforts because it lays out what and how you’ll comply with CCPA. Typically, when an organization creates an effective internal privacy framework, they’ll take the following into consideration:

  • Notices and disclosures
  • Access (internal and external)
  • Breach notification
  • Consent
  • Risk
  • Designated responsibilities
  • Data retention
  • Vendor management

2. Do more with less data

When it comes to complying with any data privacy law, minimizing the data you collect, use, store, and transmit is critical. Why? Because data minimization is typically a regulatory requirement, and it reduces your liability when it comes to protecting personal information. How do you do more with less data? You can start with data mapping, which will allow you to know what you have and what you absolutely need. Performing data mapping exercises can help identify situations where you need less personal information. Consider reducing the personal information you hold in situations such as the following:

  • When the function you provide could be performed without certain personal information
  • When the personal information is no longer needed
  • When the personal information is only needed from a subset of a population
  • When personal information is only needed for a subset of a population

3. Automate compliance efforts

Automated tools can be helpful for complying with data privacy laws, including CCPA, but should not be an end-all be-all solution. To make compliance efforts easier, though, organizations might consider using privacy compliance automation tools to perform the following tasks:

  • Automate processes for consumers to access, delete, export, copy, or correct their personal information
  • Automate data mapping tools
  • Automate data protection impact assessment processes
  • Automate subscriptions to manage consent and opt-out requests

4. Get specific about your internal and external privacy posture

Data privacy laws are known for being ambiguous, but that does not mean that the privacy policies your organization creates should follow suit. Instead, they should clearly define the types of data you’re collecting, the purposes for collecting the data, how you’ll share the data with third parties, how you’ll retain the data, access rights to the data, and the security safeguards you’ll implement to protect the data. For CCPA specifically, privacy policies must also include a “Do Not Sell” button on your website if you sell personal information to third parties. In addition, organizations must explicitly define in their contracts what types of data they share, how they share it, what activities they use the data for, and what obligations they have to support client or vendor compliance with privacy regulations.

Ultimately, the key to preparing for CCPA compliance boils down to following these four data privacy best practices: start with broad privacy goals instead of focusing on one specific requirement from the law; minimize the data you collect, use, store, and transmit; take advantage of good automation tools, but don’t rely on them solely during your compliance efforts; and make specificity in your privacy policies and contracts a priority. If you’re looking for more guidance on your CCPA compliance efforts, let’s talk about how one of our Information Security Specialists can help.

Best Practices for Configuring Your AWS Perimeter

Could what happened at Capital One happen at your organization? As a business owner, stakeholder, or IT personnel, that’s the unavoidable fear that appears when you hear about the latest data breach. The Capital One data breach is one of the most damaging data breaches of 2019, and we’ll continue to learn about the repercussions for months to come. This data breach impacted 100 million individuals in the United States and 6 million in Canada. The compromised data came from businesses that filled out credit card applications, and Capital One reports that, “The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019.” Most importantly, we know that this breach could happen to any organization that’s not educated on how to properly configure its perimeter security groups. Let’s discuss web application firewalls (WAFs), Server-Side Request Forgery (SSRF) attacks, metadata, and how a misconfiguration could lead to a compromised AWS environment and stolen data.

Security Misconfiguration in AWS

Evidence from the Capital One case confirms that this data breach began with a misconfigured open-source WAF used in AWS. The intruder, Paige Thompson (a former AWS employee), launched an SSRF attack to manipulate the WAF into running commands it should never have been allowed to run, including the command to communicate with the metadata service on AWS.

The Justice Department’s complaint outlines three commands that Thompson performed to abuse the misconfiguration and extract the compromised data, which was later found in a file on GitHub:

  1. AWS WAF uses IAM service-linked roles, meaning that an IAM role is linked directly to the AWS WAF. The first command that was executed leaked the security credentials for a specific WAF role with elevated privileges that had access to folders in Capital One’s AWS environment.
  2. The second command that was executed, the “List Buckets Command,” used the compromised WAF role to list the names of Capital One’s folders in their S3 bucket. Thompson obtained access to over 700 folders.
  3. The “Sync Command” was the final step in actually extracting the data from these folders and/or buckets because the WAF role that Thompson compromised already had the required permissions to do so.

The bottom line? The WAF role was probably assigned too many permissions to begin with, and that combined with the misconfiguration led to a successful SSRF attack that had detrimental consequences.
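The over-permissioned role is the part of this chain a defender can check before any credential leaks. The following added example (not from the article or from Capital One; the policies are constructed samples) flags IAM policy statements that let a leaked credential list every bucket and read any object, and shows the same WAF role scoped to the single log bucket it actually writes to.

```python
import fnmatch
import json

# Constructed sample (not Capital One's real policy): a WAF-linked role that
# can list every bucket and read any object, the shape the article warns about.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "logs:PutLogEvents",
         "Resource": "arn:aws:logs:*:*:log-group:/aws/waf/*"},
    ],
})

# Constructed sample: the same role scoped to the one log bucket it writes to.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-waf-logs/AWSLogs/*"},
        {"Effect": "Allow",
         "Action": "logs:PutLogEvents",
         "Resource": "arn:aws:logs:*:*:log-group:/aws/waf/*"},
    ],
})

# Actions a leaked credential needs to enumerate buckets and bulk-copy objects.
DATA_EXPOSURE_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants(policy_action, action):
    # IAM action strings may contain * and ? wildcards and match case-insensitively.
    return fnmatch.fnmatchcase(action.lower(), policy_action.lower())


def _is_unscoped(resource):
    # "*" or any S3 ARN whose bucket component is a bare wildcard.
    if resource == "*":
        return True
    if resource.startswith("arn:aws:s3:::"):
        bucket = resource[len("arn:aws:s3:::"):].split("/", 1)[0]
        return bucket in ("", "*")
    return False


def find_overbroad_statements(policy_json):
    """Return one finding per Allow statement that grants bucket listing or
    object reads on an unscoped resource."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        exposing = sorted(a for a in _as_list(stmt.get("Action", []))
                          if any(_grants(a, risky) for risky in DATA_EXPOSURE_ACTIONS))
        unscoped = [r for r in _as_list(stmt.get("Resource", [])) if _is_unscoped(r)]
        if exposing and unscoped:
            findings.append({"statement": idx, "actions": exposing, "resources": unscoped})
    return findings
```

Run `find_overbroad_statements` over each role's policy document as part of configuration review; a WAF logging role should produce no findings.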

In a statement given to KrebsOnSecurity, Amazon argued, “The intrusion was caused by a misconfiguration of a WAF and not the underlying infrastructure or the location of the infrastructure. AWS is constantly delivering services and functionality to anticipate new threats at scale, offering more security capabilities and layers than customers can find anywhere else including within their own datacenters, and when broadly used, properly configured and monitored, offer unmatched security—and the track record for customers over 13+ years in securely using AWS provides unambiguous proof that these layers work.”

Mitigating Risks in AWS and Securing Your Perimeter

How could you mitigate potential risks and misconfigurations facing your AWS environment? Cloud security experts at KirkpatrickPrice challenge you to consider the following:

  • Understand and monitor the configuration of perimeter security systems (including WAFs). They need to be regularly reviewed to ensure that intended rule sets are functioning as designed.
  • Relying on a WAF to catch exploits is no replacement for writing secure code; a WAF only masks poor development practices. Mitigation should focus on good application development hygiene and the enforcement of secure coding practices.
  • Penetration testing can yield huge benefits for externally-facing web applications and infrastructure. The scope and rules of engagement for the penetration testing, though, must ensure that the testing will include exploits that are specific and unique to AWS environments.
  • You must protect your internal services. In the Capital One case, the exploit was able to reach the credentials because the metadata service was reachable from the compromised WAF. Learn about a proxy for the AWS metadata service here.
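Protecting internal services from an SSRF starts in the application that makes outbound requests on a user's behalf. This added example (not from the article or any product it mentions) validates a requested URL before fetching it and rejects any destination that resolves to link-local, loopback, or private address space, which is where the instance metadata service lives; the DNS table is constructed so the check runs offline, and a live resolver is included as an assumption about how it would be wired in.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver for offline use. A real deployment would use resolve_live
# and re-check the answer at connection time to defeat DNS rebinding.
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],              # constructed: a public address
    "metadata-alias.example": ["169.254.169.254"],   # constructed: points at the metadata address
    "internal.corp.example": ["10.0.12.7"],          # constructed: RFC 1918 host
}


def resolve_constructed(host):
    return FAKE_DNS.get(host, [])


def resolve_live(host):
    # Assumption: the application is permitted to do its own DNS lookups.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_internal(addr):
    # Link-local covers the EC2 metadata address; the rest cover loopback,
    # RFC 1918 / unique-local, reserved, and unspecified ("0.0.0.0") addresses.
    return (addr.is_link_local or addr.is_loopback or addr.is_private
            or addr.is_reserved or addr.is_unspecified)


def outbound_url_allowed(url, resolver=resolve_constructed):
    """Return (allowed, reason). Rejects non-HTTP schemes and any destination
    that resolves to internal address space, so a user-supplied URL cannot be
    turned into a request to the metadata service or other internal hosts."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not permitted" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = [ipaddress.ip_address(host)]   # literal IPv4/IPv6 in the URL
    except ValueError:
        resolved = resolver(host)
        if not resolved:
            return False, "unresolvable host %r" % host
        addrs = [ipaddress.ip_address(a) for a in resolved]
    for addr in addrs:
        if _is_internal(addr):
            return False, "%s resolves to internal address %s" % (host, addr)
    return True, "ok"
```

A network-level control (an egress proxy or a metadata proxy as the bullet above suggests) should back this check, since application code can be bypassed by a second bug.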

How to Strengthen AWS Environments

How do you validate that your AWS environment has been properly configured? How do you determine that your security and privacy practices are effective? How do you protect the metadata service? Who’s responsible for cloud security, you or the cloud provider? We’re afraid that organizations aren’t asking enough questions like these. As more data migrates to AWS, organizations must have processes in place to check their cloud security efforts. Whether that’s through consulting with a certified AWS Cloud Practitioner or CCSK holder, something like a SOC 2 audit, or advanced penetration testing, you need a third party’s perspective and expertise to gain assurance.

What consequences would you face if your clients’ data was discovered to be open to the public? We hope you’ll never have to find out. Let’s partner together to ensure that misconfiguration is not your enemy in your cloud environment.

How NIST SP 800-115 Informs Information Security Practices

What is NIST?

The National Institute of Standards and Technology, or NIST, is an organization that is part of the U.S. Department of Commerce and has the goal of being a leader in innovation and technology by providing fair standards and solutions. The core competencies of NIST are measurement science, rigorous traceability, and development and use of standards. These core competencies influence the reliability of the information produced by the organization. As a giant in the industry, NIST has an opportunity to provide quality principles that can be used by organizations to develop secure information security practices and perform security testing.

NIST publishes documents that can be helpful in developing further strategies and methodologies that are used by information security specialists. NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment, is one of these documents that is used in planning and designing proper security processes and procedures. When it comes to penetration testing, NIST SP 800-115 is a valuable guide that can be used to influence the methodologies pen testers use when testing for organizational vulnerabilities.

Let’s Talk About NIST SP 800-115

NIST SP 800-115 is an overview on the key elements of security testing. It isn’t a comprehensive guide, but it does direct organizations on how to plan and conduct technical information security testing, analyze the findings, and develop remediation strategies. This guidance includes:

  • Security Testing and Examination Overview
    • Policies
    • Roles
    • Methodologies
    • Techniques
  • Review Techniques
    • Documentation Review
    • Log Review
    • Ruleset Review
    • System Configuration Review
    • Network Sniffing
    • File Integrity Checking
  • Target Identification and Analysis Techniques
    • Network Discovery
    • Network Port and Service Identification
    • Vulnerability Scanning
    • Wireless Scanning
  • Target Vulnerability Validation Techniques
    • Password Cracking
    • Penetration Testing
    • Social Engineering
  • Security Assessment Planning
    • Developing a Security Assessment Policy
    • Prioritizing and Scheduling Assessments
    • Selecting and Customizing Technical Testing and Examination Techniques
    • Determining Logistics of the Assessment
    • Developing the Assessment Plan
    • Addressing Any Legal Considerations
  • Security Assessment Execution
    • Coordination
    • Assessment
    • Analysis
    • Data Handling
  • Post-Testing Activities
    • Mitigation Recommendations
    • Reporting
    • Remediation

The detailed guidance provides necessary explanations for many major components of security testing. Because of NIST SP 800-115, your organization can trust qualified audit firms to perform security testing that complies with a set of guidelines that is accepted across the industry.

The NIST SP 800-115 guidance is useful in providing structure to information security testing, but it is not meant to be a substitute for proper security procedures and processes. Instead, NIST SP 800-115 should help you test whether your organization’s security controls are as effective as you expect them to be. For that reason, penetration testers gravitate to the principles taught in NIST SP 800-115 when developing their testing, as it gives clear guidance for seeking out vulnerabilities. To learn how you can benefit from penetration testing in your organization, contact KirkpatrickPrice today!

5 Facts to Know About CCPA

What Do You Need to Know About CCPA?

Much like the European Union’s General Data Protection Regulation of 2018, the California Consumer Privacy Act is yet another piece of data privacy legislation that organizations must prepare for as they reexamine the way they collect, use, store, transmit, and protect data. But here’s what companies who interact with California consumers and residents must understand: while they may comply with the various other data privacy laws already being enforced, that does not mean they comply with CCPA. In fact, no matter how similar CCPA is to other data privacy laws, there are nuances between those laws to be accounted for. What does this mean for your organization? What do you really need to know about CCPA? Here are the five core components of the law.

1. What Is CCPA?

In June 2018, California Governor Jerry Brown signed into law AB 375, enacting The California Consumer Privacy Act of 2018 (CCPA). The purpose of CCPA is to give consumers more rights related to their personal data, while also requiring businesses to be more transparent about the way personal data is used and shared. Because of California’s reputation as a hub for technology development, this law speaks to the needs of its consumers which continue to evolve with technological advancements and the resulting privacy implications surrounding the collection, use, and protection of personal information. The law will go into effect on January 1, 2020. Please note that the law may be subject to legislative amendments and regulations that the California Attorney General’s Office creates. At the point of publication, the main legal requirements are:

  • Consumer rights to access, deletion, non-discrimination, and opt-out of selling data
  • Privacy disclosure (i.e. Privacy Policy requirements) related to data collection and use and disclosures
  • Vendor contract requirements
  • Implementation and maintenance of reasonable security measures

2. Who Does CCPA Apply To?

As with GDPR’s data subjects, the law doesn’t apply only to those businesses located within the state of California. Instead, the law applies to certain businesses that collect, use, receive, or transmit the personal data of California consumers. Specifically, CCPA applies to for-profit businesses that do business in California and that meet any of the following criteria:

  • (A) Have annual gross revenues of over $25,000,000
  • (B) Buy, sell, or share the personal information of 50,000+ consumers per year
  • (C) Derive 50% or more of their annual revenues from selling consumers’ personal information

3. Who Enforces CCPA?

The CCPA is far less ambiguous than other data privacy laws when it comes to who is enforcing the law. According to the American Bar Association, “The CCPA is enforceable both by the Attorney General for the State of California and by private litigants. However, the Act contains technical terms regarding when and how a consumer can bring a private action under the statute.”

4. What are the Penalties for Non-Compliance?

The penalties for non-compliance with CCPA depend on the entity issuing the penalty. If consumers pursue a private, class-action lawsuit, statutory damages could be between $1,000 and $3,000 or actual damages, whichever is greater. If the Attorney General issues fines for non-compliance, companies may be liable for paying fines up to $7,500 per violation. Additionally, in the event of a data breach, consumers can recover damages between $100 and $750 per consumer per incident.

5. What are the Exemptions to CCPA?

According to AB 375 Section 1798.145, there are six exemptions to complying with CCPA. Complying with the law should not hinder a business’s ability to:

  1. Comply with federal, state, or local laws
  2. Comply with civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities
  3. Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law
  4. Exercise or defend legal claims
  5. Collect, use, retain, sell, or disclose consumer information that is de-identified or aggregate consumer information
  6. Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California

When it comes to complying with CCPA, KirkpatrickPrice’s Director of Regulatory Compliance, Mark Hinely, wants organizations to know that “CCPA has already generated other state laws with similar requirements, so the time spent working on data subject rights processes and privacy policy disclosures right now could save some time in the future if and when other states or the U.S. federal government implements consumer privacy rights.” Whether it’s CCPA, GDPR, PIPEDA, or any of the other data privacy laws enacted throughout the United States and beyond, KirkpatrickPrice wants to partner with you on your compliance journey. Let’s talk about our risk assessment, consulting, or privacy audit services soon!
