Cybersecurity Defense Matrix
What do we mean when we say “basic”? Why would you want authenticated versus unauthenticated testing? Find out below.
Authenticated Manual Testing
Basic Vulnerability Checks
Thorough Automated Vulnerability Checks
Business Logic Flaws
When we discuss application testing, we talk about testing your application as both an authenticated user (working login/password) and as an unauthenticated user. We perform testing from both perspectives to give you a complete idea of your application’s risk. If we were to only perform unauthenticated testing, this would give your organization a false sense of security as many applications have the majority of their functionality available after the user has authenticated/logged in to the app. Additionally, sometimes functionality that is available to authenticated users can be mimicked or reproduced by an unauthenticated user, meaning that vulnerabilities may be leveraged by both authenticated users of the system (insider threat) as well as unauthenticated attackers.
Testing applications for business logic flaws is the process of seeing if the tester can trick the application into performing actions which fall outside the designed functionality. A banking application may allow a user to view their balance, move funds between accounts, open new accounts, or to request a loan. Business logic testing might involve trying to withdraw or send money from an unauthorized account, creating additional users for an account you do not own, or viewing the balance of an account that is not yours.
Attackers often try to steal session tokens because if they successfully steal a user’s session tokens, they may be able to impersonate that user. Because HTTP is a stateless protocol, stealing a user’s session tokens is often enough to be able to perform functions as the compromised user. Because session tokens are of such high importance in a web application, protecting them and ensuring the logic surrounding session management is robust is of the utmost importance.
Using the example of a banking application again, there are often several different types of user functions available, such as banking client, bank teller, bank manager, or IT administrator. Using the most common account type, a banking client, it is very important to ensure that user Bob cannot see user Alice’s banking information. Additionally, it is also important that Bob, a normal banking client, cannot perform functions he isn’t authorized for (bank manager, IT administrator.)
Red Team Assessment
Physical Security Testing
A vulnerability assessment is a security test that uses automated tools in order to quickly identify a large range of known vulnerabilities. In a vulnerability assessment, vulnerabilities are detected, but are not exploited. We take the additional step of manually validating findings wherever possible to ensure that there are minimal false positives included in the results.
A penetration test includes the steps involved in vulnerability testing, but takes it a step further by attempting to exploit vulnerabilities or leverage other weaknesses in a network or application to gain additional access to their environment. In addition to exploiting vulnerabilities, this type of testing may include brute-force testing to identify accounts with weak passwords, as well as privilege escalation, which can allow an attacker with an initial foothold on the network/application to gain access to additional information and/or systems. The goal of this testing is often to gain elevated privileges (domain/enterprise administrator) and/or to gain access to sensitive data/systems on a client network/application.
These terms can apply across multiple types of engagements, but pivoting is the process of using an initial foothold on a network or application (access to a user’s desktop, for example) to attempt to gain access to additional systems/information. Privilege escalation is the act of attempting to leverage a vulnerability or logic flaw in order to gain access to a user/process that has more privileges than what you started with, allowing you to gain access to more privileged information/access than the initial user/process can access.
Red teaming is an adversarial simulation where our engineers simulate real world attacks. From vulnerability exploitation to breaking into a facility to the use of social engineering and/or malware, this is as close to a no-holds-barred assessment as you can get.
This type of assessment can be done in a variety of ways and can be highly modified to achieve the outcomes you are looking for.