An attacker doesn't always have to come from outside. In a research study, IBM found that 60% of all attacks originate from inside the organization. Of these attacks, three-quarters involved malicious intent and one-quarter involved inadvertent actors. Such attacks are more prominent in NBFCs and large corporations.
Grey box testing covers internal applications and networks and examines breach possibilities from the point of view of a regular employee. A standard employee account is created to test whether an attacker holding it can penetrate further into the network or exfiltrate sensitive information.
As part of Grey Box Testing, the following minimum components are covered.
- Application Security Testing
- Network Security Testing
- Infrastructure Implementation Testing
- BYOD/Endpoint Security Testing (WFH scenario)
1. Description of Services
1.1 Internal Application / Network Security Testing
- Internal applications and networks are tested for vulnerabilities that may allow employees to obtain higher privileges or access to sensitive information.
- OWASP-specific pentest procedures will be applied to any non-generic (in-house developed) web application and to anything that cannot be covered under the standard PTES framework.
- The objective of the VAPT is to help the customer discover vulnerabilities that could otherwise disrupt the service or be used to deliver malicious content onward. Since the internal applications and services are in a continuous development phase, these tests help find loopholes and fix them before release for public or internal consumption.
1.2 Infrastructure Implementation Testing
Multiple solutions are deployed to support the day-to-day activities of an organization; some of them include:
- Mail Service: the major communication channel for an organization.
- VPN Service: BYOD and employee secure communication to the internal assets of the organization.
- Internal Service Portals: GAM, HR, SharePoint, SAP, etc.
Such solutions will be tested for security loopholes, and the issues and recommendations will be reported.
1.3 Email Security
The following are the minimum checks performed as part of the assessment.
- SPF Configuration
- DKIM Configuration
- DMARC Configuration
- User Password Security
- Password Spray attacks
- Spam Filter
- Malicious Links / File Security
- Open Relay
- Throttling Policy
- Local Email Domain
- Attachment Restrictions
- Log Visibility and History
- Email Encryption
- Email Security Training against Spear Phishing
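As an added example (not part of this service description or the vendor's tooling), the following Python script applies the SPF, DKIM and DMARC configuration checks from the list above to DNS TXT record strings that have already been fetched, and reports weak settings a defender would want fixed. The domain names, selector and record values are constructed for illustration, and the DKIM key-size test is a byte-length heuristic rather than full DER parsing.

```python
"""Offline SPF / DKIM / DMARC record checker (added example, constructed data)."""
import base64
import re

# Constructed sample records; the shape mirrors what TXT queries for
# example.test, selector._domainkey.example.test and _dmarc.example.test return.
SAMPLE_WEAK = {
    "spf": "v=spf1 include:_spf.mailhost.test include:thirdparty.test a mx ptr ~all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=" + "A" * 216,   # decodes to 162 bytes (~1024-bit RSA SPKI)
    "dmarc": "v=DMARC1; p=none; pct=50",
}
SAMPLE_STRONG = {
    "spf": "v=spf1 include:_spf.mailhost.test -all",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 392,         # decodes to 294 bytes (~2048-bit RSA SPKI)
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100",
}


def _tags(record):
    """Split a 'k=v; k=v' style record (DKIM, DMARC) into a dict."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_spf(record):
    """Findings for an SPF TXT record; None means no record was published."""
    if record is None:
        return ["SPF: no record published; receivers cannot verify the envelope sender"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not begin with v=spf1"]
    findings, lookups, all_term = [], 0, None
    for t in terms[1:]:
        # mechanism/modifier name without qualifier, argument or CIDR suffix
        name = re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1                      # these count toward the 10-lookup limit
        if name == "ptr":
            findings.append("SPF: 'ptr' mechanism is deprecated (RFC 7208) and should be removed")
        if name == "all":
            all_term = t
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif all_term.lower() in ("+all", "all"):
        findings.append("SPF: '+all' authorises any host to send as this domain")
    elif all_term.startswith("?"):
        findings.append("SPF: '?all' is neutral; forged mail is not rejected")
    elif all_term.startswith("~"):
        findings.append("SPF: '~all' softfail; use '-all' once all legitimate senders are listed")
    return findings


def check_dkim(record):
    """Findings for a DKIM selector record (selector._domainkey.<domain>)."""
    if record is None:
        return ["DKIM: no key published for the selector; outbound mail cannot be verified"]
    tags, findings = _tags(record), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: unexpected version tag")
    pub = tags.get("p", "")
    if pub == "":
        return findings + ["DKIM: empty p= tag means the key is revoked"]
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: t=y testing flag set; verifiers treat failures as if unsigned")
    try:
        der_len = len(base64.b64decode(pub, validate=True))
    except ValueError:
        return findings + ["DKIM: p= value is not valid base64"]
    # Heuristic: an RSA SubjectPublicKeyInfo is ~162 bytes at 1024 bits and
    # ~294 bytes at 2048 bits, so anything under 250 bytes is treated as weak.
    if tags.get("k", "rsa").lower() == "rsa" and der_len < 250:
        findings.append("DKIM: RSA key appears to be 1024-bit or smaller; rotate to 2048-bit")
    return findings


def check_dmarc(record):
    """Findings for a _dmarc.<domain> TXT record."""
    if record is None:
        return ["DMARC: no policy published; SPF/DKIM results are neither enforced nor reported"]
    tags, findings = _tags(record), []
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not begin with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports show no false positives")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag; receivers ignore the record")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the traffic")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports are not being collected")
    sp, rank = tags.get("sp", "").lower(), {"none": 0, "quarantine": 1, "reject": 2}
    if sp and rank.get(sp, 0) < rank.get(policy, 0):
        findings.append(f"DMARC: subdomain policy sp={sp} is weaker than p={policy}")
    return findings


def assess_domain(records):
    """Run all three checks over a dict of spf/dkim/dmarc record strings."""
    return {"spf": check_spf(records.get("spf")),
            "dkim": check_dkim(records.get("dkim")),
            "dmarc": check_dmarc(records.get("dmarc"))}


if __name__ == "__main__":
    for name, recs in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        print(f"== {name} ==")
        for kind, findings in assess_domain(recs).items():
            for line in findings or [f"{kind.upper()}: no findings"]:
                print("  " + line)
```

In practice the three record strings would come from TXT queries for the domain, `<selector>._domainkey.<domain>` and `_dmarc.<domain>`; keeping the evaluation separate from the lookup makes the checks easy to unit-test and to run against exported zone data.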
1.4 VPN Security / Firewall Audit
- Scanning the VPN gateway
- Sniffing attacks
- VPN session hijacking
- PSK mode assessment and PSK sniffing
- Offline PSK cracking
- Checking for default user accounts
- Testing the VPN gateway for vendor-specific vulnerabilities
1.5 BYOD / Endpoint Security Testing
- In scenarios such as COVID-19, WFH has become the go-to method for almost all employees of any organization that depends on computers to run its business.
- WFH poses multiple security threats, as the endpoint is exposed to all kinds of external threats. It also becomes quite easy for internal attackers to take advantage of such situations and cause great damage to the organization.
- Testing includes our team posing as one of the organization's employees and conducting exercises to exploit internal networks.