Penetration testing is a series of simulated attacks, authorized by an organization, that probe its infrastructure for exploitable security weaknesses. This article explains penetration testing, its types, methods, stages, and best practices.
What Is Penetration Testing?

Penetration testing, also known as pen testing, is a series of simulated attacks authorized by an organization to find exploitable security weaknesses in its infrastructure. Like financial audits and compliance audits, a penetration test is a security audit: it assesses how well the company's technical infrastructure withstands the techniques real attackers use. Any organization that runs systems worth attacking benefits from it. Industries such as healthcare and finance handle large volumes of sensitive data and are regulated to maintain a sound security posture; companies in those industries need structured, regular pen testing to stay compliant.

Pen testing is not the same as vulnerability assessment. A vulnerability assessment scans the environment for known weaknesses such as outdated software, misconfigurations, and exposed services; one example is checking for forgotten "zombie" servers that could be revived and reconnected to the company network. A pen test takes the findings of a vulnerability assessment and actually attempts to exploit them. How easily each attack succeeds, and what it gives the attacker, is documented and presented to the company.

Why penetration testing?

Most industries now operate online, thanks to cheap hardware, immense processing power, and cellular networks, so the stakes are higher when cybercriminals set out to attack a company's systems. In their 2022 Cybersecurity Almanac, Cisco and Cybersecurity Ventures estimated that the cost of cybercrime will reach $10.5 trillion annually by 2025. Enterprises are waking up to these costs. IBM and the Ponemon Institute report in their 2021 Cost of a Data Breach study that it takes an average of 287 days for security teams to identify and contain a data breach, time that companies can no longer afford. When done right, penetration testing can help organizations:
Who does penetration testing?

Penetration testing is typically done by in-house teams or contractors specializing in ethical hacking. Team members usually hold cybersecurity degrees, compliance certifications, and niche credentials such as Certified Ethical Hacker (CEH). They combine manual and automated attacks, which lets experts spot vulnerabilities that automation alone cannot. Penetration testing as a service (PTaaS) providers offer platforms for running largely automated pen tests, with a dashboard from which the organization chooses which battery of tests to run and when. PTaaS is an inexpensive option, but an automated platform is weak at identifying business-logic holes. An essential skill of a pen tester is the ability to think like a cybercriminal.

Tools used for penetration testing

The tools required vary with the scope of the activity. At the network level, pen testers use port scanners, web proxies, and network sniffers. Application scanners and vulnerability scanners examine different layers of the system. Password crackers reveal weak passwords. Even phishing emails are used, to test how employees respond to social engineering. The toolset keeps changing, reflecting the ever-changing threat landscape. The pen testing experts and the company agree on the scope of the undertaking and the tools needed for a successful test. Success in this context does not mean declaring the platform bug-free; it means pinning down the exact nature and location of the security issues hidden within the infrastructure.

Types of Penetration Testing

Penetration testing can be classified by area of focus. More often than not, testers combine several of these to get a complete picture. The most common types of pen tests are:

1. Network penetration testing
2. Web application testing
3. Physical penetration testing
4. Mobile application testing
5. Cloud penetration testing
6. Social engineering testing
7. Network device testing
8. DevOps testing
9. Interface testing
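As an added illustration of the port scanners mentioned under "Tools used for penetration testing" (example code written for this article, not a tool from the page), the script below runs a TCP connect scan with banner grabbing. So that it runs offline, it starts a constructed stand-in service on 127.0.0.1 that answers with a made-up banner; the host, the seven-port window, and the banner text are assumptions. Against a real target the scanner must only ever be pointed at hosts inside the agreed scope.

```python
"""TCP connect scan with banner grabbing (added example; the target service is constructed)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, Optional


def start_fake_service(banner: bytes) -> tuple:
    """Constructed stand-in for a target host: listen on an ephemeral 127.0.0.1 port,
    greet every client with `banner`, then hang up. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener shut down by the caller: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_fake_service(srv: socket.socket) -> None:
    try:
        srv.shutdown(socket.SHUT_RDWR)  # wakes the thread blocked in accept() on Linux
    except OSError:
        pass
    srv.close()


def probe(host: str, port: int, timeout: float = 0.5) -> tuple:
    """Complete a TCP handshake with one port (a 'connect' scan, no raw sockets needed).
    Returns (port, banner) when the port accepts the connection, (port, None) otherwise."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)      # grab whatever the service says first
            except socket.timeout:
                data = b""              # open but silent: still counts as open
            return port, data.decode("ascii", "replace").strip()
    except OSError:                     # refused, timed out, unreachable, ...
        return port, None


def connect_scan(host: str, ports: Iterable[int], workers: int = 32) -> dict:
    """Probe `ports` concurrently; map each open port to its banner ('' if silent)."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {p: banner for p, banner in results if banner is not None}


def demo() -> tuple:
    """Scan a seven-port window around the constructed service.
    Returns (service port, scan results). Only in-scope targets may replace 127.0.0.1."""
    srv, port = start_fake_service(b"SSH-2.0-ExampleSSH_7.2\r\n")   # made-up banner
    try:
        return port, connect_scan("127.0.0.1", range(port - 3, port + 4))
    finally:
        stop_fake_service(srv)


if __name__ == "__main__":
    svc_port, found = demo()
    for p, banner in sorted(found.items()):
        print(f"{p}/tcp open  {banner!r}")
```

A connect scan completes the three-way handshake, so every probe is logged by the target just like a real client connection; that is exactly why best practice 8 (monitoring and logging) matters on the defender's side.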
Penetration Testing Stages

Penetration testing is a large undertaking that touches the entire infrastructure and numerous stakeholders across the organization. The Penetration Testing Execution Standard (PTES), a baseline standard created by a team of security consultants and analysts, defines seven sections: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. This article groups them into six stages, folding threat modeling into vulnerability assessment.

Stage 1: Scoping

The first stage is to nail down precisely what the scope of the activity will be. Creating a scope requires input from three groups. High-level executives and stakeholders decide how much disruption the business can tolerate and what the budget is. Technical and security personnel educate testers on the "technical boundaries": which assets are to be covered and how they are connected. The penetration testers use this information to develop the test strategy. This stage also covers the pre-engagement interactions: before committing to a pen testing team, the organization must confirm that the team is qualified and can work with the existing infrastructure, and both sides agree on the rules of engagement. The output of this phase is a document that contains:
Stage 2: Reconnaissance

Also known as intelligence gathering, this stage involves testers looking for publicly available information about the target. Together with the information provided by the organization, this gives a starting point for evaluating the organization's attack surface. The information collected during this stage includes:
External footprinting gathers information from outside the organization's perimeter: DNS and WHOIS records, public IP ranges, exposed services, and what employees and third parties publish about the company. Internal footprinting is done from a position inside the network and enumerates the hosts, services, and people that make up the environment. By the end of this stage, testers have a good picture of the infrastructure and a high-level view of possible vulnerabilities.

Stage 3: Vulnerability assessment

Armed with the information collected during reconnaissance, testers list the assets and services that could be exploited. A threat model is built, either as a ranked list of potential threats or as an attack tree, and the relevant components of the system are scanned. Active testing uses tools such as application scanners to smoke out vulnerabilities; passive testing monitors network traffic within the system and waits for abnormal activity. Vulnerability assessment has two steps: identification and validation. Some candidate findings, especially in black box testing, turn out to be harmless, and these are filtered out during validation. Validation is unglamorous work: mapping the software versions a service reports against known-affected version ranges, and checking the configuration parameters that decide whether a flaw is actually reachable. Assessment is also done at two levels: dynamic analysis inspects the application while it is running, giving a real-time view and surfacing run-time issues, while static analysis examines the application's code for holes before it runs. At the end of this stage, testers have a list of potential vulnerabilities, ranked by severity.

Stage 4: Exploitation

Armed with the vulnerabilities, testers attack the system using a combination of penetration testing types and tools. For example, the Social-Engineer Toolkit (SET) is a Python-based suite that can set up cloned malicious websites and send out fake emails; pen testers use it to test how employees respond to phishing. When this stage ends, testers may have succeeded in breaching the system.
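The validation step of Stage 3 (version mapping plus configuration checks, then a severity-ranked list) is shown below as an added example written for this article; it is not code from the original page or from PTES. The product names, the EX-… advisory identifiers, the CVSS scores, and the scan output are all constructed for illustration and correspond to no real software or vulnerability; a real engagement would use a vendor or NVD feed in their place.

```python
"""Validate scanner output by version mapping and configuration checks, then rank by severity.
Added example: product names, advisory identifiers and scan data are all constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

Version = tuple  # (major, minor, patch)


@dataclass(frozen=True)
class Advisory:
    ident: str                      # hypothetical identifier, deliberately not a real CVE
    product: str
    introduced: Version             # first affected version, inclusive
    fixed: Version                  # first fixed version, exclusive
    cvss: float
    summary: str
    requires_config: dict = field(default_factory=dict)  # settings the flaw depends on


ADVISORIES = [  # constructed advisory feed for this example
    Advisory("EX-2022-001", "ExampleHTTPd", (2, 0, 0), (2, 1, 4), 9.8,
             "unauthenticated remote code execution in request parser"),
    Advisory("EX-2022-002", "ExampleHTTPd", (1, 0, 0), (2, 2, 0), 5.3,
             "verbose version disclosure", requires_config={"server_tokens": "full"}),
    Advisory("EX-2021-007", "ExampleSSH", (7, 0, 0), (7, 5, 0), 7.5,
             "username enumeration via response timing"),
]

# product and dotted version as they appear in banners such as "ExampleHTTPd/2.1.3"
BANNER_RE = re.compile(r"(?P<product>[A-Za-z][A-Za-z0-9]*)[/_](?P<version>\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'2.1' -> (2, 1, 0); components beyond patch are ignored."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def fingerprint(banner: str) -> Optional[tuple]:
    m = BANNER_RE.search(banner)
    return (m["product"], parse_version(m["version"])) if m else None


def assess(hosts: dict) -> list:
    """hosts: {ip: {"services": {port: banner}, "config": {port: {setting: value}}}}.
    Identification maps each banner to advisories by version range; validation then drops
    candidates whose required configuration is not present on that host."""
    findings = []
    for ip, info in hosts.items():
        for port, banner in info["services"].items():
            fp = fingerprint(banner)
            if fp is None:
                findings.append({"host": ip, "port": port, "advisory": None, "cvss": 0.0,
                                 "status": "unidentified: needs manual fingerprinting"})
                continue
            product, version = fp
            cfg = info.get("config", {}).get(port, {})
            for adv in ADVISORIES:
                if adv.product != product or not (adv.introduced <= version < adv.fixed):
                    continue
                missing = [k for k, v in adv.requires_config.items() if cfg.get(k) != v]
                if missing:
                    status = "filtered: config " + ",".join(missing) + " makes this unreachable"
                else:
                    # a banner version is a strong hint, not proof (vendors backport fixes),
                    # so the finding goes to Stage 4 for confirmation by exploitation
                    status = "version in affected range: confirm in exploitation"
                findings.append({"host": ip, "port": port, "advisory": adv.ident,
                                 "cvss": adv.cvss, "status": status})
    return findings


def ranked(findings: list) -> list:
    """Validated findings only, highest CVSS first: the input to Stage 4."""
    live = [f for f in findings if f["advisory"] and not f["status"].startswith("filtered")]
    return sorted(live, key=lambda f: f["cvss"], reverse=True)


SAMPLE_HOSTS = {  # constructed scan output, not from a real engagement
    "10.0.0.5": {"services": {80: "ExampleHTTPd/2.1.3", 22: "SSH-2.0-ExampleSSH_7.2"},
                 "config": {80: {"server_tokens": "prod"}}},
    "10.0.0.9": {"services": {8080: "ExampleHTTPd/2.1.4", 3306: "unknown binary protocol"},
                 "config": {8080: {"server_tokens": "full"}}},
}

if __name__ == "__main__":
    for f in ranked(assess(SAMPLE_HOSTS)):
        print(f"{f['cvss']:>4}  {f['host']}:{f['port']}  {f['advisory']}  {f['status']}")
```

On the sample data the disclosure advisory matches both web servers by version, but only the host whose configuration actually exposes the verbose banner survives validation; the service with an unrecognised banner is kept as a separate item so it is not silently dropped from the ranked list.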
They have a detailed record of each exploited weakness, the effort each attack required, and its impact on the infrastructure and the business.

Stage 5: Maintaining access

The goal of a pen test does not stop at getting into a system. As a real attacker would, testers now try to maximize impact by staying inside: persistent access gives a clearer picture of the infrastructure and lets more data and assets be compromised. This is done through privilege escalation, lateral movement to other hosts, tampering with data in transit, and modified database queries, all within the limits agreed during scoping.

Stage 6: Reporting

By this stage, pen testers have a definite picture of the threats and their risk impact. Typically two reports are produced: one for the executive level, outlining business impact, bottom-line impact, and a strategic roadmap; the other for the technical teams, with detailed findings, test cases, and the exact triggers for each fault. Both reports also assess how the organization's incident response and current monitoring performed during the test: which attacks were detected, which were not, and how quickly. A remediation roadmap is suggested. Apart from the reports, penetration testers may hold a workshop to explain the findings, where the company can discuss short- and long-term solutions.

Penetration Testing Methods

The testing method is decided at the start of the engagement. The output of the entire exercise depends heavily on who is armed with what information. Three methods of pen testing, based on how much the tester knows beforehand, are:
From the organization’s point of view, there are two penetration testing methods:
Top 8 Penetration Testing Best Practices for 2022

The following best practices help organizations get the most out of penetration testing.

1. Hire the right people

Penetration testing requires an eclectic mix of procedure and out-of-the-box thinking, with expertise at both the technical and the industry level. When assembling a team, look for personnel certified by bodies such as CREST. The UK's National Cyber Security Centre (NCSC) recommends that government bodies use penetration testers accredited under its CHECK scheme.

2. Prepare for the pen test

Establishing scope and boundaries is only the first step. Even before the actual testing starts, a series of steps needs to be taken:
3. Choose the proper pen testing framework

While the stages of penetration testing are the same at a broad level, it helps to pick a specific framework and stick to it. Besides PTES, available guidelines include the Information System Security Assessment Framework (ISSAF), NIST's security assessment methodology (SP 800-115, Technical Guide to Information Security Testing and Assessment), and the Open Source Security Testing Methodology Manual (OSSTMM).

4. Build attacker profiles

Thinking like a cybercriminal is crucial to pen testing. A structured way to do this is to create attacker profiles or personas beforehand, derived from the infrastructure, the organization's public offerings, and the industry. Once collected, the personas are ranked and shortlisted by motive and business impact. For instance, a cybercriminal looking to infiltrate a bank's systems may well start with phishing.

5. Document a communication plan

Penetration testing involves many assets and many people, so proper channels of communication must be maintained. Hold regular meetings to track progress and exchange findings, and designate one or more employees who are always reachable by the pen testing team in case of an incident.

6. Include data sources and remotely accessible resources

A data center is only as secure as the sources that feed it. It is tempting to focus on the database alone, but the systems that supply its data, and the interfaces and transfer channels between those sources and the system, must be tested too. For industries like finance this is also a compliance requirement. Also remember to add remote endpoints to the technical boundaries.

7. Plan for changing scope and factor in unplanned risks

Once testing starts, pen testers may discover additional components that were unwittingly left out of scope. Leave room for such omissions when budgeting time and money.
In such cases, the pen testers and the organization can either extend the scope or explicitly exclude the components because of their low security impact; either way, record the decision. A documented process must also exist for unplanned incidents or issues, such as a test that knocks over a production service, and it should be covered by the relevant clause in the contract or SLA. Add both to the communication plan.

8. Ensure that a robust monitoring and logging system is in place

A pen test causes a lot of upheaval in the system. To keep track of what the testers did and when, a competent monitoring and logging solution must be in place before testing starts; it also shows how much of the simulated attack the organization's defenses would actually have noticed.

Takeaway

Penetration testing works best with mutual understanding and communication between the testers and the organization. It is not a one-time exercise: depending on industry regulations, it may need to be repeated monthly or yearly, and the choice of pen testing team should reflect that frequency and the associated cost. A well-executed pen test should not disrupt daily operations and will only benefit the company in the long run.