Introduction
|
|
Penetration testing (aka pen testing) uses human experts and testing tools to locate and exploit security vulnerabilities so that they can be fixed. The process finds flaws that allow the tester to break into systems. An organization can use the test results to patch the holes and secure itself against costly breaches and data leaks.
Penetration testing is a formal engagement for testing and ensuring system security before cybercriminals use vulnerabilities to breach systems and steal or damage company or customer data. Breaches and data leaks risk a company’s intellectual property, customer data, and business reputation. Cyber incidents can lead to lost business, lost funds, paying ransoms for data, and industry and regulatory fines and penalties. Hiring a security vendor to investigate and repair the damage after the breach costs more than engaging the vendor to enhance security before the attack. Experts advise that organizations use the tests at least annually to keep up with new vulnerabilities.
Who Conducts Penetration Tests?
Organizations engage qualified pen testers with extensive knowledge of IT, application security, network security, and software programming languages. Pen testers use scripting languages to create scripts to run approved attacks on systems within certain boundaries designed not to harm the systems during the test. They use their knowledge of software code to examine software for security bugs. A professional penetration tester, or pen tester, performs the penetration test at an organization’s request. The pen tester must not harm the systems while performing the test. They must provide evidence of the vulnerabilities and how they penetrated them.
Using the pen testing results, the organization can patch systems and mitigate flaws. The pen tester then checks to see that the organization has fixed the vulnerabilities by attempting to penetrate the system again.
External Vs. Internal Penetration
There are distinct types of pen tests. External penetration testing starts with the pen tester having no special access or permissions on the systems under test. Starting from the same vantage point as a criminal hacker, the tester attempts to enter the perimeter, internet-facing applications, and vulnerable systems inside the organization that they can reach from the outside.
The test can include attacks on vulnerable Remote Desktop Protocol (RDP) connections, for example, intended for contractors needing external network access to do their work. The pen tester may test endpoint devices, such as smartphones and user computers on a network, as these are likely entry points to unauthorized access.
An internal pen test is a vulnerability test of the internal networks and infrastructure of the organization. The test determines how far an attacker can take their access once they get inside the network. The test determines whether long dwell times are possible where the attacker can maintain a presence inside the network, and the company doesn’t know they’re there for extended periods.
The test determines whether they can move laterally across the internal networks and infrastructure from one set of network assets, such as customer databases, to others containing intellectual property. It would reveal the capabilities of an insider threat using existing vulnerabilities, including too many access rights and permissions.
Penetration Testing Vs. Vulnerability Assessment
Unlike penetration testing engagements, vulnerability testing is often automated using network vulnerability scanning software. Vulnerability tests let organizations know that weaknesses exist. Penetration tests confirm that attackers can leverage the vulnerabilities maliciously to gain additional access and exfiltrate data.
White, Black, and Gray | How Penetration Testing is Accomplished
Many types of penetration testing can help an organization maintain good security hygiene and a strong security posture. The customer may request any or a combination of these penetration tests.
White Box Testing
With white box testing, the pen tester has complete visibility into the network and systems under test. White box testing enables the tester to include all the software code in the testing since nothing is hidden from their view. White box testing is desirable for automated testing, which development environments often use. White box testing enables frequent, automated testing of software under development to keep it secure throughout the development lifecycle.
Black Box Testing
Black box testing keeps the penetration tester in the blind. The tester knows nothing of the system or software. They must test from an attacker’s viewpoint, engaging in reconnaissance, intelligence gathering, and gaining initial network access without prior inside knowledge. The tester must launch an attack and exploit the system with the tools they bring with them. Black box testing is the most challenging yet most extensive test.
Grey Box Testing
Grey box testing gives the pen tester a limited view into the systems and software. The test design serves to determine how much additional access a privileged user could acquire and what they could do with it. Grey box testing can help to determine whether an insider could elevate their privileges to launch an internal attack or cooperate with an external attacker.
Penetration Testing Stages
There are five stages in a pen test, particularly where the tester has no prior knowledge of the systems under test. They are reconnaissance, scanning, exploitation, planting a backdoor, and anti-tracking.
The first stage is reconnaissance — intelligence gathering about the system under test. Like its military counterpart, the term reconnaissance in pen testing means the tester must venture out onto the network and detect open ports, network addresses, and log-in pages that are useful in an attack. By mapping the network and its assets, the tester can decide what exploits to use in the test.
A tester then scans the network, looking for vulnerabilities. A good pen tester can see zero-day vulnerabilities. Zero-day means the vendor has had zero days to patch the system since its discovery. Criminal hackers can continue to exploit the vulnerability until the patch comes out.
The tester chooses exploits, including malware, to exploit the system. They leave a backdoor in the network to keep it open for future attacks. Finally, the pen tester prevents detection by removing security logs and erasing indicators of compromise.
What Can Organizations Do With the Output from a Penetration Test?
An organization can learn vulnerabilities from the tester’s final report and make a plan to remediate the vulnerabilities. The pen tester then retests the flaws to confirm that all vulnerabilities are closed. Pen tests benefit businesses by mitigating risks. Organizations can test and repair top vulnerabilities, such as broken access controls. The enterprise gains awareness of its security posture through pen testing. It can bring security to the attack surface and keep it aligned with the organization’s desired posture. Organizations can also use pen tests to ensure compliance with industry and regulatory mandates. By testing for vulnerabilities, the business can patch and use controls to achieve and maintain compliance.
The business benefits from pen testing reports by first seeing and closing high-risk vulnerabilities. Reports can appear as proof of compliance with audits. Security analysts can use the report to refocus their efforts on vulnerabilities that lead to compliance audit failures.
The business should define the scope of the pen test, including areas to test, areas to avoid, and the kinds of vulnerabilities to identify. By targeting high-risk systems, software, and configurations, the organization can find and fix priority vulnerabilities while staying on budget.
Types of Penetration Testing
Network Service Penetration Testing
Network service penetration identifies a network’s most critical vulnerabilities and weaknesses. The testing includes internal and external tests. It tests network components. It also tests endpoints and the periphery of the network.
Network infrastructure devices include:
- Firewalls
- Switches
- Routers
The test lets companies patch weaknesses and defend against common network-based attacks, such as Distributed Denial of Service (DDoS) attacks.
Web Application Penetration Testing
Web application pen testing finds vulnerabilities in web-based applications and browsers. Attacks on applications through vulnerable browsers are common, like bots attacking JavaScript on e-commerce pages.
Web application testing benefits organizations by accelerating the remediation of gaps in web application security. Pen testing and patching make web applications more resilient. Secure web apps maintain business continuity, such as when user productivity continues unabated because breaches and disruptions are minimized. Pen testing web apps identifies in-browser vulnerabilities in JavaScript so security teams can harden apps against browser flaws.
Physical Penetration Testing
Physical penetration testing involves a simulated attack on an organization’s premises. Physical penetration testing measures the physical security that protects restricted areas. It tests the physical security controls that keep an attacker from gaining unauthorized access. Physical penetration testing uses social engineering, like impersonating technical support or other employees to gain access without proper authorization or credentials.
Social Engineering Penetration Testing
Social engineering penetration testers prey on the trust employees place in people. Testers may con employees with an excuse to get them to release sensitive data or give the tester access to systems and software.
Cloud Penetration Testing
Although cloud providers secure their offerings, the customer is responsible for protecting their data and applications in the cloud. Cloud penetration testing includes brute force testing of internet-facing credentials that a customer might not think to update. But it’s the responsibility of the customer to do it.
IoT Penetration Testing
IoT pen testing examines a customer’s complete inventory of IoT devices for typical vulnerabilities such as weak or default credentials, legacy communications protocols, and a lack of security patches. Pen testers may engage in wireless security testing to look for weak protocols. They may check known vulnerabilities for patches and try to gain unauthorized access.
Advantages of Penetration Testing
Penetration Testing secures the organization against cyberattacks, data leaks, and noncompliance with the many industry and regulatory requirements. Organizations are subject to audits and compliance with many national and international regulations, including the GDPR, ISO 27001, and PCI DSS. Other regulations include HIPAA/HITRUST.
The business wants to maintain consumer trust. Reliable technologies that don’t suffer breaches tend to retain customers, while breaches tend to drive them away. Penetration tests support business continuity as there are fewer surprises with downtime from breaches and breach investigations that take human capital away from core duties.
FAQ
What is the difference between a vulnerability scan and penetration testing?
A vulnerability scan automatically scans the network, network ports, and IP addresses for vulnerabilities. Penetration testing uses manual scans and other methods to discover vulnerabilities and exploit them.
How does penetration testing differ from ethical hacking?
Penetration testers penetrate areas the customer defines with an approved range of exploits, looking for specific vulnerabilities. Penetration testers test the organizational security policies, develop countermeasures, and implement defensive resolutions to security issues.
How does pen testing differ from automated testing?
Pen testing is a guided manual effort by a proactive professional who recognizes interesting areas to investigate further for vulnerabilities and how to breach those. An automated test does not veer from a set list of tasks for the test.
Conclusion
A pen test is an essential component of maintaining security and compliance. Penetration testing evaluates the organization’s attack surface for high-risk vulnerabilities in critical applications. The business can use pen test reports to fix priority vulnerabilities, mitigate security risks, and prepare for compliance audits.