Penetration testing also known as pentesting is a systematic process of security testing or probing that uncovers vulnerabilities, threats and risks in a network, web or software application. This controlled form of hacking finds legitimate weaknesses of vulnerabilities that could be exploited by hackers. Vulnerability is defined as the risk that an attacker can cause disruption or gain unauthorized access to the system or network. Usually such vulnerabilities include configuration and design errors and bugs introduced accidentally during development.
Why test?
- Stay ahead of security – especially important to safeguard data in the case of banks and financial institutions
- Threat monitoring – useful after a system has already been hacked and the organization wants to see if the threat remains that could cause future hacks
- Proactive approach – testing regularly is the best defense against hackers
- Nobody is immune – cyber attacks can happen to anyone
- Stay in business – not protecting systems puts them at risk of attacks that can disrupt business, causing reputational damage
- Legal compliance – not being vigilant can be costly and incur hefty fines if the EU GDPR (General Data Protection Regulation)is not adhered to
Or not test?
Sometimes pentesting does not find vulnerabilities in the system and is beyond the skill of the testers employed. Carrying on can lead to escalating costs beyond the budget and timeline. In the hands of less skilled operators data loss and corruption can occur. Effective pentesting comes with a strong security protocol behind it, poor policies and methodology can be harmful.
Types of testing
This depends on whether the organization wants to simulate an external or internal attack. There are three types of pen test:
- Black box – in this case the tester has no knowledge about the systems being tested and must collect data about the system. This is considered a simulation of an external attack. It is also called zero-knowledge testing
- White box– the tester has complete knowledge of the system and network being tested and includes IP information and operating system details. This is considered a simulation of an internal attack. It is also called complete-knowledge testing
- Grey box – the tester has partial knowledge of the system. This is considered a simulation of an external attack. It is also called partial-knowledge testing
How to perform a pen test
1. Plan – strategy is determined and existing security is assessed and factored into the new scope.
2. Discover – information is collected from the system using ‘fingerprinting’ which collates usernames and passwords and other data. The ports are probed and scanned so system vulnerabilities can be checked. Other methods to gather information include one-to one/one-to-many model (here the tester performs techniques in a linear fashion against a single target host or a group of target hosts). Many-to-one/many-to-many model (here the tester uses multiples hosts to gather information in a random fashion).
3. Attack – the security of the system and network is tested using perimeter testing and web application testing. The system is intentionally damaged to try and access the data, but in a controlled manner.
4. Report – detailed findings are reported with a list of vulnerabilities found and recommendations on how to solve them.
Responsibilities and skills of a tester
- An ability to collect information
- Analytical enough to find the flaws a hacker would exploit and can get into the mind of a hacker
- Deliver reproducible routes that developers can follow to create fixes
- Deadline focused and can deliver to a start and end date
- Able to accept accountability for anything they lose or break during their testing protocol
- Good at keeping their findings and activities confidential
The pros and cons of manual and automated penetration testing
Manual Penetration Testing: Sample results vary from test to test/professionals are needed to run the tests/ Excel and other tools are required to track manual tests/with manual testing users have to carry out memory cleanup.
Automated Penetration Testing: Results do not vary from test to test/experts are not essential to carry out tests as reports are generated/automated testing uses centralized and standard tools/ comprehensive cleanups are a part of automated tests.