Penetration testing is an offensive security assessment, not a forensic one, used to evaluate an organization's network perimeter and internal defenses. Authorized penetration testers attempt to break into systems the way a real attacker would and determine where exploitable vulnerabilities and weaknesses exist.
The penetration testing process not only identifies security issues, but also provides recommendations to remediate them and, through retesting, verifies that the fixes actually work. Penetration testing can save businesses thousands or even millions of dollars in lost revenue, ransomware payments, and reputational damage.
6 steps in a pen test
Penetration testing providers may have different approaches to their tests. In general, the following six activities are involved in conducting a penetration test:
- Prepare for the test. Use this phase to gather relevant information, obtain written management approval, and outline the steps for testing. The approval should state who authorized the test, which systems may be touched, and when.
- Build a plan. Determine the tools needed to examine the target systems. This includes evaluating how security is implemented and where vulnerabilities or alternative access paths may exist.
- Form a team. Gather the appropriate pen testers to perform the test. In-house and third-party experts may be required.
- Find the target. Decide which data and systems are in scope, and which are explicitly excluded.
- Make the penetration. Use a variety of techniques to bypass existing security controls on the target systems, such as firewalls and intrusion detection systems. Establish a foothold on designated systems and resources, all while trying to remain undetected. Collect data and other evidence for the report.
- Carry out data analysis and reporting. Examine and analyze the data collected during the penetration test and identify remediation steps. Summarize test results, including vulnerabilities found and exploited and how to fix them, in a report to company management.
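The preparation and targeting steps above come down to one rule a tester must enforce before touching anything: every target must be inside an authorized range, not on the exclusion list, and tested only inside the agreed window. The following Python is an added example, not code from the original article; the rules of engagement, address ranges (RFC 5737/3849 documentation space) and window in it are constructed for illustration.

```python
"""Scope enforcement for a penetration test.

Added example: checks candidate targets discovered during reconnaissance
against constructed rules of engagement before any active testing.
"""
import ipaddress
from datetime import datetime

# Constructed rules of engagement; these are NOT a real engagement's values.
RULES_OF_ENGAGEMENT = {
    # Ranges management has authorized for testing (IPv4 and IPv6).
    "allowed": ["203.0.113.0/24", "2001:db8:10::/48"],
    # Hosts inside those ranges that must still not be touched
    # (for example a production database or a partner-hosted box).
    "excluded": ["203.0.113.5", "203.0.113.200/30"],
    # Agreed testing window, ISO 8601 with explicit UTC offset.
    "window": ("2022-04-04T01:00:00+00:00", "2022-04-08T05:00:00+00:00"),
}


def _networks(entries):
    # strict=False lets a bare host such as "203.0.113.5" become a /32.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify_target(target, roe=RULES_OF_ENGAGEMENT):
    """Return (in_scope, reason) for one candidate host.

    Exclusions win over allowances, so an excluded host inside an
    authorized range is rejected. Hostnames are rejected as well: resolve
    them first and check the resulting addresses, since a name can point
    at an address outside the authorized ranges.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, "not an IP address; resolve and re-check"
    for net in _networks(roe["excluded"]):
        if addr in net:
            return False, f"explicitly excluded by {net}"
    for net in _networks(roe["allowed"]):
        if addr in net:  # ipaddress returns False across IPv4/IPv6 versions
            return True, f"authorized via {net}"
    return False, "outside every authorized range"


def within_window(now_iso, roe=RULES_OF_ENGAGEMENT):
    """True if the timezone-aware ISO timestamp falls in the agreed window."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("use a timezone-aware timestamp for the window check")
    start, end = (datetime.fromisoformat(t) for t in roe["window"])
    return start <= now <= end


def filter_targets(candidates, now_iso, roe=RULES_OF_ENGAGEMENT):
    """Split candidates into (approved, rejected).

    `rejected` carries (target, reason) pairs for the report. Nothing is
    approved outside the testing window, whatever the address.
    """
    if not within_window(now_iso, roe):
        return [], [(t, "outside the agreed testing window") for t in candidates]
    approved, rejected = [], []
    for t in candidates:
        ok, why = classify_target(t, roe)
        if ok:
            approved.append(t)
        else:
            rejected.append((t, why))
    return approved, rejected


if __name__ == "__main__":
    # Constructed recon output: a mix of in-scope, excluded and off-scope hosts.
    found = ["203.0.113.10", "203.0.113.5", "203.0.113.201",
             "198.51.100.1", "2001:db8:10::1", "www.example.com"]
    ok, bad = filter_targets(found, "2022-04-05T12:00:00+00:00")
    print("approved:", ok)
    for target, reason in bad:
        print("rejected:", target, "->", reason)
```

Keep the rejected list: a target that turned up during reconnaissance but was out of scope is itself a finding worth a line in the report, since it shows what an attacker without a scope document would have reached.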
Types of pentests and methodologies
Penetration tests are commonly grouped by how much the tester knows about the target in advance:
- Black box testing simulates how an external threat actor would approach the target. The tester starts with no knowledge of the target's technology infrastructure or security controls. The goal of this test is to identify the vulnerabilities that an outside attacker could find and exploit.
- Gray box testing takes a black box test one step further. Penetration testers have some knowledge of the target's systems and security measures, such as network diagrams or low-privilege credentials. The goal of a gray box test is to examine vulnerabilities in more depth than a black box assessment allows in the same time.
- White box testing is the most thorough. This penetration test assumes that the tester has detailed knowledge of all aspects of an organization's technology and security infrastructure, often including source code and configurations. White box testers are usually the most experienced penetration testing experts. They are tasked with discovering the smallest flaws in the security infrastructure. When partnered with system developers and engineers, white box testers can jointly improve an organization's security.
Penetration test results can also vary depending on what is being tested, how much the tester knows about the company, and whether the company knows that the test is being performed. The different types of tests include the following:
- External test. Information assets visible to outsiders, such as websites, applications, email, and DNS, are attacked in an attempt to extract data, conduct unauthorized transactions, and perform other activities. The goal is to identify vulnerabilities exposed to external attackers.
- Internal test. An insider attack simulation exposes what damage could be done if an attacker is already inside the network, whether through a compromised workstation or as a malicious insider. Social engineering or phishing exercises run as part of the test can identify employees who are likely to respond to such attacks.
- Blind test. In this situation, the tester can obtain publicly available information about the target, but has no inside information about the company or its security resources. The target company, however, knows about the test, including when and where it will occur, and can prepare accordingly. Testers must use all of their abilities to penetrate the target's defenses.
- Double blind test. In this test, the tester again works from public information only, and the target's security staff do not know about the penetration test in advance; only a small group of approving managers is aware. Evaluators must rely on their skills and the tools available to succeed. For the tester, success is penetrating the target's defenses. For the target company, success is detecting the attack and preventing the attacker from penetrating its perimeter.
Penetration Testing Frameworks and Standards
Penetration testing frameworks and standards provide a blueprint for planning, executing, and reporting on security testing, so that tests are repeatable and results are comparable. The following are some popular penetration testing frameworks and standards:
- Open Source Security Testing Methodology Manual (OSSTMM) provides a detailed approach to all aspects of security testing and assessment activities. OSSTMM does not mandate specific tools; rather, it provides best practice guidance on how to achieve repeatable, measurable testing activities.
- NIST publications, such as Special Publication 800-115 (Technical Guide to Information Security Testing and Assessment) and Special Publication 800-53A Rev. 5, offer guidance on penetration testing and other evaluation techniques, and the NIST Cybersecurity Framework references assessment activities at a higher level.
- Penetration Testing Execution Standard (PTES) details all aspects of a penetration test, from pre-engagement interactions through reporting. A separate PTES technical guidelines document provides procedures for organizing and running a penetration test.
- OWASP provides detailed guidance on application security, including the Web Security Testing Guide, which covers the planning and execution of application penetration tests.
Putting it all together in a penetration test report
One of the most important aspects of a penetration test is the report. It should be informative and actionable and include the following key sections:
- The executive summary explains the purpose and scope of the test, its anticipated benefits, who requested the test, and the overall risk picture for a non-technical reader.
- The mission statement describes the general objectives of the test, for example, to identify external threats and vulnerabilities and recommend mitigation actions.
- The methodology describes the general types of tests and testers used, e.g., external test, black box test, internal testers.
- The tools section describes the software tools and non-technological methods (e.g., social engineering) used to achieve the test results.
- The technical approach section describes the technical approach and structure of the test.
- The attack narrative describes the steps taken, from start to finish, of the test and includes the results and evidence of each step.
- The results section summarizes the findings, ranked by severity, and the recommended actions of the penetration test. It provides practical advice on how to remediate each finding and how remediation will be verified.
This was last published in April 2022.