What is Penetration Testing? A simple Guide

Published by Amy Nihad on


Penetration testing, or pen testing as it is commonly known, is a simulated attack against your infrastructure and systems to check for vulnerabilities that may be exploited by cyber attackers.  The NCSC describes penetration testing as “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.”

Penetration testing should be a continuous process performed at least once per annum, covering both applications and infrastructure.  Penetration tests should be seen as a verification, or audit, of the effectiveness of the security controls and vulnerability management processes that are in use.  They should be viewed as a tool to support the existing security infrastructure within an organisation, rather than as a primary vulnerability detection mechanism in their own right.

Penetration tests can simulate attacks targeting any systems or components, such as application programming interfaces (APIs), web servers, database servers, middleware servers and network components such as routers, switches and firewalls, with the intention of uncovering vulnerabilities.

The results of a pen test should be used to identify weaknesses in the organisation’s vulnerability management processes and procedures, and to patch or deploy fixes for any vulnerabilities that are identified.

For some organisations, regular penetration testing is a requirement rather than simply good practice, needed to satisfy some of the criteria of standards such as PCI-DSS.

The Stages of Penetration Testing

The penetration testing process can be broken down into the following seven stages:

Information Gathering/Planning

A penetration test will always begin with information gathering. The organisation being tested will provide general information about the applications and targets which are part of the testing scope.  The scope and goals of the test will be defined along with the testing methods which are going to be used.

Reconnaissance

The reconnaissance stage involves gathering intelligence about the in-scope targets to better understand how they work and to determine any potential vulnerabilities to test.  During the reconnaissance stage the penetration tester will try to discover items that were missed or not understood during the information gathering stage, and to determine the technologies and topology of the target system.  The type of information discovered during this phase includes details of the network(s), mail servers and domain names.  For purely web and application penetration tests the reconnaissance phase may be omitted.

Scanning

The aim of the scanning stage is to understand how the target application will respond to various intrusion attempts and to determine details such as the ports and services that are available on the targeted hosts.  The scanning may be conducted in a number of ways, such as:

  • Static code analysis – Inspecting an application’s code to estimate the way it will behave when running
  • Dynamic analysis – This is a more practical way of scanning, as it analyses the code when it is executing thus providing a real-time view into an application’s behaviour
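The difference between the two scanning approaches listed above, shown on one small function.  This is an added example, not part of the original article; `find_user`, the `users` table and the sample inputs are constructed for illustration.

```python
import ast
import sqlite3

# Constructed sample code under test (hypothetical, not from the article).
VULNERABLE_SOURCE = '''
def find_user(conn, name):
    query = "SELECT name FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()
'''
FIXED_SOURCE = '''
def find_user(conn, name):
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
'''
SQL_VERBS = ("SELECT", "INSERT", "UPDATE", "DELETE")

def static_findings(source):
    """Static analysis: inspect the syntax tree without running the code and
    return line numbers where a SQL string literal is combined using % or +."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
            left = node.left
            if (isinstance(left, ast.Constant) and isinstance(left.value, str)
                    and left.value.lstrip().upper().startswith(SQL_VERBS)):
                hits.append(node.lineno)
    return hits

def dynamic_finding(source):
    """Dynamic analysis: run the code against a throwaway in-memory database
    and compare rows returned for a normal name and a quote-bearing name."""
    namespace = {}
    exec(source, namespace)  # only ever run on the constructed samples above
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    find_user = namespace["find_user"]
    normal = find_user(conn, "alice")
    probe = find_user(conn, "nobody' OR '1'='1")  # matches no real user
    conn.close()
    return len(normal), len(probe)

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("fixed", FIXED_SOURCE)):
        print(label, "static:", static_findings(src), "dynamic:", dynamic_finding(src))
```

The static check reports the line that builds the query without running anything, while the dynamic check only sees the flaw because the probe name returns rows it should not.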

Vulnerability Assessment

A vulnerability assessment is conducted in order to gain initial knowledge and identify any potential security weaknesses that could allow an outside attacker to gain access to the environment or technology being tested.

Exploitation

After interpreting the results from the reconnaissance, scanning and vulnerability assessment stages, a penetration tester will use techniques such as cross-site scripting and SQL injection, together with human intuition and their experience, to validate, attack and exploit those vulnerabilities, typically by escalating privileges, stealing data or intercepting traffic, in order to understand and demonstrate the damage they can cause.

Final Analysis and Reporting

Once a penetration test scope has been completed, the findings will normally be delivered in the form of a detailed report.

The report is an extensive document which will include a recap of the scope of the testing, the testing methodologies, details of the findings and recommended corrective actions.  The findings could include assessments of adherence to any applicable application frameworks, along with details of the specific vulnerabilities that were discovered and exploited, examples of sensitive data that was accessed and, if applicable, whether the exploits triggered any monitoring systems.

Penetration Test Review

The final stage of the process is a meeting to review the findings as documented in the report.  This can be seen as the most important stage within the process.  During the meeting the ranking of the vulnerabilities will be discussed, along with the potential impact and any recommendations for remediation.  The recipient organisation should use this review to determine modifications to processes and procedures, and to make informed decisions about the software development life-cycle and vulnerability management processes going forward.

Penetration Testing methods

There are various types and methods of penetration test; some of these are outlined below:

External Penetration Tests

With external penetration tests, the in-scope targets of the test are assets of an organisation that are accessible from the public internet.  For example, these may be web servers, the corporate website and email servers.  The aim of the test is to determine the effectiveness of the processes and controls that are applied to deploying and maintaining these external-facing assets.

Internal Penetration Tests

An internal penetration test has in-scope targets that are within the security perimeter of an organisation.  The intention of an internal test is to mimic an attack that would be conducted by a malicious insider.  This could indeed be an employee gone rogue or more likely a bad actor utilising genuine credentials stolen due to a phishing attack or some form of social engineering.

Blind and Double-blind Penetration Testing

In a blind test, the penetration tester only has details of the organisation that is the in-scope target.  The IT security team have knowledge of the testing, and this allows them to view the test in real time, monitoring how the systems and controls behave during the testing.  In a double-blind test the IT security team have no knowledge of the planned testing; it is effectively a real-world simulation of an attack, with the team having to react and respond to the incident accordingly.

Targeted Penetration Testing

Targeted penetration testing is a joint exercise where the penetration tester and the IT security team work together step by step during the test.  This is effective in providing a real-time, step-by-step view of a hacker in action, allowing the IT security team a window into a “hacker’s” mind whilst also observing how systems and monitoring platforms behave during an attack.

Need Penetration Testing Services?

KT Secure has an extensive track record delivering vulnerability assessments and penetration testing for leading global companies.  We have the depth of experience and dedication you need to defend your business from determined hackers and organised criminals.  Look here for more information about Offensive Security service offerings including vulnerability assessment and penetration testing.