In the world of information security, Penetration Testing is the practice of checking and testing the organization’s network, servers, and services for possible loopholes and vulnerabilities that an attacker may exploit.
Penetration testers are called white hats. They hack ethically, without causing any damage to the computer system, and thereby strengthen your organization’s security perimeter.
WHY IS PENETRATION TESTING NECESSARY?
Penetration Testing is required because it helps you highlight the flaws related to hardware and software system design and operation, and quite importantly, personnel readiness. Early identification helps protect the network. If the vulnerabilities aren’t identified early, then they become an easy intrusion point for the attacker.
HACKING VS PENETRATION TESTING (ETHICAL HACKING)
Hacking refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to the system resources. It involves modifying a system’s or an application’s features to achieve a goal outside of the creator’s original purpose.
Ethical hacking involves the use of hacking tools, tricks, and techniques to identify vulnerabilities so as to ensure system security. It focuses on simulating techniques used by attackers to verify the existence of exploitable vulnerabilities in system security.
THE BUSINESS CASE
Penetration testing will make sense if you want to achieve the following goals:
- identify the threats facing an organization’s information assets;
- reduce the organization’s IT security costs and provide a better Return On Security Investment (ROI);
- provide the organization with assurance: a thorough and comprehensive assessment of organizational security covering policy, procedure, design, and implementation;
- gain and maintain certification to an industry regulation;
- adopt best practices by conforming to legal and industry regulations;
- test and validate the efficiency of security protections and controls, which may lead to changing or upgrading the existing infrastructure of software, hardware, or network design;
- evaluate the efficiency of network security devices such as firewalls, routers, and web servers;
- focus on high-severity vulnerabilities and emphasize application-level security issues to development teams and management;
- provide a comprehensive set of preparation steps that can be taken to prevent future exploitation.
PENETRATION TEST TYPES
Network Services Test: One of the most common types of penetration tests. Involves finding target systems on the corporate network, searching for openings in their base operating systems and available network services, and exploiting them. Some of these tests take place remotely across the Internet, targeting the organization’s perimeter networks. Others are launched locally, from the target’s own business facilities, to assess the security of their internal network or the DMZ from within, seeking the kinds of vulnerabilities an internal user could find.
Web Application Test: Looks for security vulnerabilities in web-based applications and/or programs that are deployed, operational, and running on the target environment and resources.
Wireless Security Test: Involves discovering a target’s physical environment, searching for unauthorized wireless access points, or authorized wireless access points that have security weaknesses or other issues.
Social Engineering Test: Attempts to get a user to reveal sensitive information, such as a password or any other sensitive data. These tests are quite often conducted over the phone, targeting selected help desks, users or employees, evaluating processes, procedures, and user awareness and reaction readiness.
HOW IS IT DONE?
During penetration testing, a pentester analyzes all security measures currently employed by the organization, searching for design weaknesses, technical flaws, and other vulnerabilities that are critical or have been predefined by the organization’s decision-makers. There are three classic ways penetration testing is performed:
- Black Box testing – simulates an attack from someone who is unfamiliar with the system, establishing externally “available” backdoors or other perimeter-breach opportunities.
- Grey Box testing – simulates an attacker that has partial knowledge about the system.
- White Box testing – simulates an attacker that has knowledge about the system.
Once all the tests are conducted, the pen tester prepares a comprehensive report that includes:
- tests conducted;
- test results;
- testing methodology;
- all vulnerabilities found;
- respective countermeasures.
Finally, the pentester delivers the report to the executive, management, technical, and all other authorized audiences.
Besides standard scenarios based on the type of pentesting (white box, grey box, black box) and territory (network, application, Wi-Fi, etc.), it is good to develop and implement scenarios that are most relevant to your environment and in accordance with your specific information risks. For example, the concept can be changed to reflect the possible behavior of a particular type of perpetrator that is important to you, taking into account various starting points:
- Externally located person: has no initial knowledge of your infrastructure. They start by going to the coffee shop next to your office, and commence hacking…
- Your own employee: usually receives standard pre-configured IT tools (laptop, tablet, phone, etc.) and human access – email, corporate portal, etc. Testing can show you how far such a person can go with these tools and what possible damage they can inflict.
- Your business partner: has access to your ERP system, service provisioning team, etc. Again, testing will evaluate how far this person can roam around and beyond their authorized access, and what damage they can inflict.
- Any other starting point that is important to you in relation to your business operations.
For each starting point, your testing vendor should be able to, on your command, apply all types and variations of pentesting.
PROCESS OF PENETRATION TESTING
The course of Penetration testing involves defining the Scope, signing an Agreement, and working on Recommendations.
ESTABLISH SCOPE
Determine which critical systems are to be tested and prepared for mitigation under an attack scenario. The scope can be determined by an external certification or compliance requirement (PCI DSS, for example), or simply by what management has chosen in order to achieve an adequate security assessment.
SIGN AGREEMENT
A formal expression of will and agreement to proceed with testing under the determined scope, timing, and method. This is followed by a comprehensive report on the risks facing information systems that provides the necessary insight and guidance to secure operations.
RECEIVE REPORT
In order to proceed to the next step, you should review the report that contains the test results and proposed recommendations, filter them through risk management mechanisms, and follow up with appropriate governance or integration endeavors.