In essence, penetration testing seeks to answer two questions:
- How would an attacker overcome my security program?
- How would they gain access to my and my customers' sensitive data?
It views your network, application, device and physical security through the eyes of a malicious actor and an experienced security team to uncover weaknesses and identify how your security posture could be improved.
Pen testers launch authorised cyber attacks designed to gain access to sensitive information, simulating what a real-world attack would target, how your security controls would fare and the magnitude of a potential data breach.
What is involved in a penetration test?
Typically a target system is identified and a particular goal is defined, e.g. to gain access to PII and PHI that would result in a notifiable data breach.
Pen testers then review the available information and use various methods to try to meet their goal. For example, they may employ SQL injection, phishing and other social engineering attacks, cross-site scripting or the exploitation of known vulnerabilities.
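SQL injection, named above as a typical pen-test technique, is easiest to understand by seeing the flaw next to its fix. The following is an added example, not code from the original article: it builds an in-memory SQLite table of constructed customer rows and runs the same lookup twice, once with untrusted input pasted into the query text and once with the input bound as a parameter. The table, its rows and the function names are assumptions made for this demonstration.

```python
"""Added example (not from the original article): a SQL injection flaw next to
its parameterised fix, run against an in-memory SQLite table of constructed
sample records. The table, rows and function names are assumptions."""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory database with a handful of constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, ssn) VALUES (?, ?)",
        [
            ("alice@example.test", "000-00-0001"),  # constructed sample data
            ("bob@example.test", "000-00-0002"),
            ("carol@example.test", "000-00-0003"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The 'before': untrusted input is spliced straight into the SQL text,
    so a crafted value can rewrite the WHERE clause and return every row."""
    sql = f"SELECT email, ssn FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """The 'after': the input travels as a bound parameter, so the database
    treats it purely as data and the query structure cannot be altered."""
    sql = "SELECT email, ssn FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal value and with a tautology payload;
    return the number of rows each call leaks."""
    conn = build_demo_db()
    normal = "alice@example.test"
    payload = "x' OR '1'='1"  # classic test string used to probe for SQLi
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_payload": len(lookup_vulnerable(conn, payload)),
        "safe_normal": len(lookup_parameterised(conn, normal)),
        "safe_payload": len(lookup_parameterised(conn, payload)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The vulnerable lookup returns the whole table when given the payload, which is exactly the kind of finding a pen test report would flag; the parameterised version returns nothing for the same input because the quote characters never reach the SQL parser as syntax.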
Once the penetration test is completed, the security experts provide a security assessment to the owners of the target. The assessment generally outlines the potential impact and countermeasures designed to reduce cyber security risk.
What is the goal of a penetration test?
The goal of a penetration test will depend on the type of approved activity and your compliance requirements. Penetration testing can help organisations:
- Determine the feasibility of particular attack vectors
- Identify high-risk vulnerabilities resulting from lower-risk vulnerabilities exploited in a particular fashion
- Highlight vulnerabilities that go undetected in automated network or application vulnerability scanning software
- Assess the potential business, operational and regulatory impact of successful cyber attacks
- Test network defences and your organisation's ability to detect, respond to and stop an attack
- Provide context to support increased investment in information security policies, procedures, personnel or technology
- Meet compliance requirements
- Validate the implementation of new security controls put in place to thwart similar attacks
In the end, the standard goal is to find security issues that could be exploited by an attacker and then to share this information, alongside relevant mitigation strategies, with the target.
While penetration testing can help identify weaknesses in network security, information security, application security and data security, it is only one part of a full security audit.
What are the six stages of penetration testing?
Penetration testing can be broken down into six stages:
- Reconnaissance: Gathering information about the target that can be used in the later stages. For example, using Google hacking (crafted search engine queries) to find data that could be used in a social engineering attack.
- Scanning: Using technical tools to gain further knowledge of the target's externally facing assets, e.g. using Nmap to scan for open ports.
- Gaining access: Using the data gathered in the reconnaissance and scanning phases, the pen tester can deliver a payload to exploit the target. For example, Metasploit can be used to automate attacks on known vulnerabilities, such as those catalogued in the CVE list.
- Maintaining access: After gaining access, the pen tester may take steps to gain persistent access to the target in order to extract as much data as possible.
- Covering tracks: The final attack step is to clear any trace of the pen tester's access by deleting audit trails, log events, etc.
- Reporting: Outlines the findings, providing a vulnerability assessment with suggested remediation steps.
Note that this process can be repeated as the pen tester finds new security issues.
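The scanning stage above is also one of the easiest for a defender to catch, and a pen test is only fully useful if it exercises your detection as well as your controls. The following is an added example, not part of the original article: a small detector that reads firewall deny lines and flags any source that touches many distinct destination ports within a short window, the signature of a port sweep such as an Nmap scan. The log format, field names, window and threshold are assumptions chosen for this demonstration, and the log lines are constructed sample data.

```python
"""Added example (not from the original article): detection logic for the
'scanning' stage, run over constructed firewall deny lines. The log format,
field names, window length and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one host probes eight ports in five seconds (a sweep),
# while two other hosts generate ordinary single-port or slow traffic.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z DENY src=203.0.113.5 dst=10.0.0.7 dport=21
2024-05-01T09:00:01Z DENY src=203.0.113.5 dst=10.0.0.7 dport=22
2024-05-01T09:00:01Z DENY src=203.0.113.5 dst=10.0.0.7 dport=23
2024-05-01T09:00:02Z DENY src=203.0.113.5 dst=10.0.0.7 dport=25
2024-05-01T09:00:02Z DENY src=203.0.113.5 dst=10.0.0.7 dport=80
2024-05-01T09:00:03Z DENY src=203.0.113.5 dst=10.0.0.7 dport=443
2024-05-01T09:00:03Z DENY src=203.0.113.5 dst=10.0.0.7 dport=3389
2024-05-01T09:00:04Z DENY src=203.0.113.5 dst=10.0.0.7 dport=8080
2024-05-01T09:00:05Z DENY src=198.51.100.9 dst=10.0.0.7 dport=443
2024-05-01T09:03:00Z DENY src=198.51.100.9 dst=10.0.0.7 dport=443
2024-05-01T09:10:00Z DENY src=192.0.2.44 dst=10.0.0.8 dport=22
2024-05-01T09:20:00Z DENY src=192.0.2.44 dst=10.0.0.8 dport=80
"""

# Assumed line layout: "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], int(m["dport"])


def detect_port_sweeps(log_text, window=timedelta(seconds=60), min_ports=5):
    """Flag sources that hit at least `min_ports` distinct destination ports
    within any span of length `window`. Returns {src: max distinct ports seen}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dport = parsed
            events[src].append((ts, dport))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        # Slide a time window over this source's events, oldest to newest.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = max(len(ports), flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    for src, count in detect_port_sweeps(SAMPLE_LOG).items():
        print(f"possible port sweep from {src}: {count} distinct ports within 60s")
```

Only 203.0.113.5 is flagged: the repeated single-port denies from 198.51.100.9 and the two slow connections from 192.0.2.44 fall below the threshold. If a pen test's scanning phase does not produce an alert like this in your monitoring, that gap is itself a finding worth reporting.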
Who provides penetration testing services?
Penetration testing services are generally provided by an outside consultant or an internal red team with little to no prior knowledge of how the target is secured. This allows them to expose blind spots that the internal security team may have missed.
What are the types of penetration tests?
- White box pen test: Ethical hackers are provided with background and system information, such as employee emails, operating systems, security policies or source code. This type of security testing could be said to mimic insider threats.
- Black box pen test: Security professionals are provided basic or no information beyond the target's name. This means the pen testers only have access to information they can gather through vulnerability scanning, OPSEC failures, social engineering and external security posture analysis. This mimics outside attackers attempting to gain access to your organisation.
- Grey box pen test: A combination of a white box and black box test, where limited knowledge of the target is shared with the pen tester. This type of security testing can help determine which systems are vulnerable to attackers who are able to gain initial access to your internal network.
- Covert/double-blind pen test: Describes a situation where very few people know a pen test is happening, including the IT and security teams who will be responding to the attack.
- External pen test: This is when an ethical hacker targets a company's external-facing technology, such as their website and external network servers. These types of pen tests are generally conducted from a remote location.
- Internal pen test: This test is performed from within the company's internal network and is useful to determine how much damage could be done by an insider from within the company's firewall.
- Targeted pen test: The penetration tester and the security team work together, informing each other of the steps taken to attack the target and to defend against the attack. This serves as a training exercise that provides real-time feedback.
Why is penetration testing important?
Penetration testing is important because it helps determine how well your organisation is meeting its security objectives.
The purpose of these simulated attacks is to identify weaknesses in your security controls that attackers could take advantage of.
Penetration testing, and cyber security more generally, is becoming more important as we become more reliant on technology to process sensitive information.
As part of a cyber security program, penetration testing helps you improve the quality of your security controls. It can also help reduce the cost and frequency of downtime, improve mean time to repair (MTTR), protect brand reputation, maintain customer trust, avoid litigation and ensure regulatory compliance.
Why penetration testing is not enough
Security professionals disagree about the importance of penetration testing. Some believe it is the most important thing, others believe it's a waste of time.
As with most security practices, the truth is somewhere in between and its efficacy depends on application and scope.
Pen testing alone is never enough to prevent data breaches but the information gained from it can play a critical role in bolstering your organisation's security controls.
While there are numerous frameworks that outline a pen testing process, it remains a broad term that encompasses a slew of different activities designed to identify weaknesses in your cyber security.
This could entail the use of specialised security distributions such as Kali Linux or BackBox and tools such as Metasploit or Nmap to discover and exploit vulnerabilities, carrying out social engineering attacks to test physical controls, or employing ethical hackers to simulate cyber attacks.
In the end the goal is the same: to improve your security posture and reduce cyber security risk.
Even the most thoroughly tested applications and infrastructure can fall victim to data breaches or data leaks. That is the disheartening truth of cyber security – sometimes attackers are one step ahead of your security team.
Furthermore, even the best pen testers can only work with the knowledge and tools at their disposal.
In the case of zero-day exploits, like EternalBlue, which led to the WannaCry ransomware worm, the best you can do is respond quickly. Pair this with the fact that third-party vendors are handling more and more sensitive information, and it's not hard to understand that while pen testing is important, it can't be the only thing you do.
To have a lasting impact on the organisation, pen testing must be integrated with real-time, continuous security monitoring of first, third and fourth parties.
These tools can automatically detect known vulnerabilities, help mitigate high-risk vulnerabilities, provide ongoing vendor risk assessments and help you scale your vendor risk management efforts.